
sudoers howto

March 24th, 2009

How to Sudoers

Syntax: usernames/%group servername = (usernames the command can be run as) command[, command ...]

There are some general guidelines when editing this file:

  • Groups are the same as user groups and are differentiated from regular users by a % at the beginning. The Linux user group “users” would be represented by %users.
  • You can have multiple usernames per line separated by commas.
  • Multiple commands can also be separated by commas. Anything after the command path, separated by spaces, is matched as its arguments: a command listed without arguments may be run with any arguments, a command listed with arguments only with exactly those arguments, and a command followed by "" only with no arguments at all.
  • The keyword ALL can mean all usernames, groups, commands and servers.
  • If you run out of space on a line, you can end it with a backslash (\) and continue on the next line.
  • sudo assumes that the sudoers file may be shared network wide, so the servername position of the syntax above takes the host names the entry applies to. In most cases the file is used by only one server and the keyword ALL suffices for the server name. The host name is matched against what the local machine reports about itself; it is a scoping convenience, not a form of authentication.
  • The NOPASSWD: tag (note the colon) grants the commands that follow it on that line without prompting for your password.

# visudo
Always edit the file with visudo rather than opening /etc/sudoers in vim directly: visudo locks the file against concurrent edits and refuses to save a syntax error, and a syntax error in /etc/sudoers locks every user out of sudo. Comment lines start with #.

# Allow <username> to mount, reboot and shut down the PC without being asked for a password
<username>     ALL=(ALL) NOPASSWD: /bin/mount, /sbin/reboot, /sbin/shutdown
# Allow <username> to kill processes, running the commands as root
<username>     ALL=(root) /bin/kill, /usr/bin/kill, /usr/bin/pkill

The name in parentheses is the user the command may run as (a group goes there as %group); it defaults to root when omitted. Be careful with an unrestricted /bin/mount: a user who can mount anything as root can mount an image containing a setuid shell, or bind-mount over system directories, which is root in all but name. Restrict it to the exact arguments you intend.

Define some command aliases (the backslash continues the entry on the next line):
Cmnd_Alias    SHELLS = /usr/bin/sh, /usr/bin/csh, \
                       /usr/bin/ksh, /usr/local/bin/tcsh, \
                       /usr/bin/rsh, /usr/local/bin/zsh

A user alias collects users (and, with %, groups) under one name when no suitable system group exists:
User_Alias    ADMINS = peter, bob, bunny, %operator

Allow ADMINS to run everything except su and the predefined SHELLS commands. The negations must follow a grant on the same line; a line containing only negated commands grants nothing and denies nothing:
ADMINS        ALL = ALL, !/usr/bin/su, !SHELLS
Treat such exclusions as a convenience, not a boundary. sudoers(5) itself warns that negated commands cannot stop a user who is otherwise allowed ALL: they can copy /usr/bin/sh to another path, or start a shell from any editor, pager or interpreter that sudo does let them run. Where it matters, list the allowed commands explicitly instead.
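To see how the matching rules above actually combine, here is an added example that is not code from sudo or from the original page: a small Python evaluator for the subset of sudoers syntax used in this how-to (User_Alias, Cmnd_Alias, %groups, the host and runas fields, the NOPASSWD: tag, '!' negation and continuation lines). The policy, the group membership and the host name are constructed to mirror the examples above. Running it shows the two things that trip people up: the last matching entry wins, tags included, so the order of lines changes who gets prompted for a password; and a negated shell is denied only at its listed path, so /tmp/sh, a copied shell, still gets through under ALL.

```python
"""Answer "may USER run COMMAND as RUNAS on HOST?" for a sudoers fragment.
Added example, not code from sudo: it handles only the sudoers(5) subset used
on this page (User_Alias, Cmnd_Alias, %group, host, (runas), NOPASSWD:/PASSWD:,
'!' negation, backslash continuations) and matches commands by exact path."""

GROUPS = {"operator": {"carol"}}   # constructed; real sudo asks the system
HOSTNAME = "web1"                   # constructed local host name

# Constructed policy mirroring the page's examples.  Order matters: sudo uses
# the LAST matching entry, tags included, so bob's NOPASSWD line must follow
# the broader ADMINS line or the ADMINS line would override its tag.
SUDOERS = r"""
Cmnd_Alias    SHELLS = /usr/bin/sh, /usr/bin/csh, \
                       /usr/bin/ksh, /usr/local/bin/tcsh, \
                       /usr/bin/rsh, /usr/local/bin/zsh
User_Alias    ADMINS = peter, bob, bunny, %operator
ADMINS        ALL = ALL, !/usr/bin/su, !SHELLS     # everything but su and shells
bob           ALL = (ALL) NOPASSWD: /bin/mount, /sbin/reboot, /sbin/shutdown
"""


def join_continuations(text):
    """Merge lines ending in a backslash, as the sudoers parser does."""
    lines, buf = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            lines.append(buf + line)
            buf = ""
    return lines


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, rules); a rule is (who, host, runas, cmds)."""
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for line in join_continuations(text):
        line = line.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        left, right = line.split("=", 1)
        tokens = left.split()
        if tokens[0] in ("User_Alias", "Cmnd_Alias"):
            table = user_aliases if tokens[0] == "User_Alias" else cmnd_aliases
            table[tokens[1]] = [m.strip() for m in right.split(",")]
            continue
        who = [w.strip() for w in " ".join(tokens[:-1]).split(",")]
        host, right, runas = tokens[-1], right.strip(), ["root"]   # default runas
        if right.startswith("("):
            inner, right = right[1:].split(")", 1)
            runas = [r.strip() for r in inner.split(",")]
        cmds, nopasswd = [], False
        for cmd in right.split(","):
            cmd = cmd.strip()
            if cmd.startswith("NOPASSWD:"):
                nopasswd, cmd = True, cmd[9:].strip()
            elif cmd.startswith("PASSWD:"):
                nopasswd, cmd = False, cmd[7:].strip()
            cmds.append((cmd, nopasswd))               # a tag sticks until changed
        rules.append((who, host, runas, cmds))
    return user_aliases, cmnd_aliases, rules


def user_matches(spec, user, aliases):
    """Does a user-list member (name, %group, alias or ALL) cover user?"""
    if spec == "ALL":
        return True
    if spec in aliases:
        return any(user_matches(m, user, aliases) for m in aliases[spec])
    if spec.startswith("%"):
        return user in GROUPS.get(spec[1:], set())
    return spec == user


def expand_cmnd(spec, aliases, negated=False):
    """Flatten one command entry to [(negated, path)]; '!' before an alias negates every member."""
    while spec.startswith("!"):
        negated, spec = not negated, spec[1:].strip()
    if spec in aliases:
        return [p for m in aliases[spec] for p in expand_cmnd(m, aliases, negated)]
    return [(negated, spec)]


def check(user, host, runas, command, text=SUDOERS):
    """Return 'denied', 'allowed (password)' or 'allowed (NOPASSWD)'.  As in
    sudo the last matching entry decides and no match means denied, so a '!'
    entry only restricts grants that precede it."""
    user_aliases, cmnd_aliases, rules = parse_sudoers(text)
    verdict = "denied"
    for who, rule_host, runas_list, cmds in rules:
        if not any(user_matches(w, user, user_aliases) for w in who):
            continue
        if rule_host not in ("ALL", host) or not any(user_matches(r, runas, {}) for r in runas_list):
            continue
        for spec, nopasswd in cmds:
            for negated, path in expand_cmnd(spec, cmnd_aliases):
                if path in ("ALL", command):
                    verdict = ("denied" if negated else
                               "allowed (NOPASSWD)" if nopasswd else "allowed (password)")
    return verdict


if __name__ == "__main__":
    for args in [("peter", HOSTNAME, "root", "/usr/bin/sh"),  # denied by !SHELLS
                 ("peter", HOSTNAME, "root", "/tmp/sh"),      # copied shell: allowed
                 ("bob", HOSTNAME, "root", "/bin/mount"),     # NOPASSWD
                 ("dave", HOSTNAME, "root", "/bin/ls")]:      # not listed: denied
        print(args, "->", check(*args))
```

Real sudo additionally matches wildcards and argument lists, applies Defaults, and checks the host and runas fields against aliases, none of which this toy handles. On a real system, check a file with visudo -c and inspect what a user is actually granted with sudo -l -U user rather than reasoning it out by hand.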

Granting Access to Specific Files as Another User

The -u option lets you execute a command as if you were another user, but only if the sudoers entry names that user (the part in parentheses) as an allowed target:
$ sudo -u <userx> pkill apache2
To get an interactive login shell as root (which requires an entry allowing a shell, or ALL, as root):
$ sudo -i

Syslog To Track All sudo Commands

sudo logs every invocation, successful or not, through syslog, so the entries land in your distribution's auth log: /var/log/messages or /var/log/secure on Red Hat-style systems, /var/log/auth.log on Debian and Ubuntu. This is very helpful in determining how user error may have contributed to a problem. All the sudo log entries have the word sudo in them, so you can easily get a thread of commands used by using the grep command to selectively filter the output.

For example, user bob entering the wrong sudo password and then successfully running /bin/more sudoers produces two entries: one noting the incorrect password attempt, and one recording the user, the TTY, the working directory, the target user and the exact command that ran.

# grep sudo /var/log/messages
or to see it in real time:
# tail -f /var/log/messages
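Because sudo's syslog lines have a fixed shape, they are easy to parse instead of eyeballing grep output. The following is an added example, not from the original post: a Python script over a constructed sample of log lines, written in the format sudo emits (user : [reason ;] TTY= ; PWD= ; USER= ; COMMAND=), that counts accepted and rejected invocations per user and flags the entries worth a look: a user not in sudoers at all, a command rejected by policy, repeated bad passwords, and a command that succeeded right after a failed password for the same command. The severity labels and the three-attempt threshold are assumptions.

```python
"""Parse sudo's syslog entries and surface the events worth a second look.
Added example, not from the original page.  The log lines are constructed in
the format sudo writes; severities and the attempt threshold are assumptions."""
import re
from collections import defaultdict

# Constructed sample of auth.log / messages / secure content.
SAMPLE_LOG = """\
Mar 24 10:01:12 web1 sudo:      bob : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/more sudoers
Mar 24 10:01:20 web1 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/more sudoers
Mar 24 10:05:03 web1 sudo:    peter : command not allowed ; TTY=pts/1 ; PWD=/home/peter ; USER=root ; COMMAND=/usr/bin/sh
Mar 24 10:07:45 web1 sudo:     dave : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 24 10:09:00 web1 sudo:    peter : TTY=pts/1 ; PWD=/home/peter ; USER=www ; COMMAND=/usr/bin/vi /home/www/htdocs/index.html
Mar 24 10:09:30 web1 sudo:    peter : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/peter ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 24 10:10:00 web1 sudo: pam_unix(sudo:session): session opened for user root by peter(uid=0)
Mar 24 10:12:10 web1 sudo:    peter : TTY=pts/1 ; PWD=/home/peter ; USER=root ; COMMAND=/bin/kill 4242
"""

# One sudo command record; the "reason ;" part is present only on rejections.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$")


def parse_sudo_log(text):
    """Return one dict per sudo command record; unrelated lines (pam, etc.) are skipped."""
    return [m.groupdict() for m in map(SUDO_RE.match, text.splitlines()) if m]


def summarize(records):
    """Per-user counts of accepted ('ok') and rejected ('failed') invocations."""
    counts = defaultdict(lambda: {"ok": 0, "failed": 0})
    for r in records:
        counts[r["user"]]["ok" if r["reason"] is None else "failed"] += 1
    return dict(counts)


def findings(records, max_attempts=3):
    """Events a reviewer would look at, in log order, as (severity, user, note):
    'user NOT in sudoers' (high), 'command not allowed' by policy (medium),
    max_attempts or more bad passwords (medium), and a command that succeeded
    right after a failed password for the same command (info, usually a typo)."""
    out, last_failed = [], {}
    for r in records:
        user, reason, cmd = r["user"], r["reason"], r["command"]
        if reason is None:                      # accepted invocation
            if last_failed.get(user) == cmd:
                out.append(("info", user, "ran %s after a failed password" % cmd))
                del last_failed[user]
            continue
        if "NOT in sudoers" in reason:
            out.append(("high", user, "not in sudoers, tried %s" % cmd))
        elif "not allowed" in reason:
            out.append(("medium", user, "denied by policy: %s" % cmd))
        else:
            m = re.match(r"(\d+) incorrect password", reason)
            if m:
                last_failed[user] = cmd
                if int(m.group(1)) >= max_attempts:
                    out.append(("medium", user,
                                "%s incorrect password attempts for %s" % (m.group(1), cmd)))
    return out


if __name__ == "__main__":
    recs = parse_sudo_log(SAMPLE_LOG)
    for user, c in sorted(summarize(recs).items()):
        print("%-6s ok=%d failed=%d" % (user, c["ok"], c["failed"]))
    for sev, user, note in findings(recs):
        print("[%s] %s: %s" % (sev, user, note))
```

On a live system, feed the script the output of grep sudo over the auth log, or tail -f piped into it, and extend the regex if your sudo is configured with a different log format (for example a syslog prefix with the process id, or sudo's own log_file line layout).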

The sudo(8) manual page describes the mechanism:

sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file and the group vector is initialized based on the group file (unless the -P option was specified). If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default (NOTE: in the default configuration this is the user's password, not the root password). Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (15 minutes unless overridden in sudoers).

When invoked as sudoedit, the -e option (edit a file as the target user) is implied.

sudo determines who is an authorized user by consulting the file /etc/sudoers. By giving sudo the -v flag, a user can update the time stamp without running a command. The password prompt itself will also time out if the user's password is not entered within 0 minutes (unless overridden via sudoers; a value of 0 means the prompt never times out).

If a user who is not listed in the sudoers file tries to run a command via sudo, mail is sent to the proper authorities, as defined at configure time or in the sudoers file (defaults to root). Note that the mail will not be sent if an unauthorized user tries to run sudo with the -l or -v flags. This allows users to determine for themselves whether or not they are allowed to use sudo.

If sudo is run by root and the SUDO_USER environment variable is set, sudo will use this value to determine who the actual user is. This can be used by a user to log commands through sudo even when a root shell has been invoked. It also allows the -e flag to remain useful even when being run via a sudo-run script or program. Note however, that the sudoers lookup is still done for root, not the user specified by SUDO_USER.

sudo can log both successful and unsuccessful attempts (as well as errors) to syslog(3), a log file, or both. By default sudo will log via syslog(3) but this is changeable at configure time or via the sudoers file.

To list the home directory of user yazza on a machine where the file system holding ~yazza is not exported as
$ sudo -u yazza ls ~yazza
To edit the index.html file as user www:
$ sudo -u www vi ~www/htdocs/index.html
To shut down a machine:
$ sudo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home partition. Note that this runs the commands in a subshell to make the cd and file redirection work:
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

Categories: HowTo, Linux