Sudo: An Overview
File: /etc/sudoers
Cmd: visudo
sudo allows a permitted user to execute a command as the superuser.
The sudo utility lets the users listed in the sudoers configuration file run certain commands as "root" or as another user.
Whenever a user runs the sudo command, sudo reads the sudoers file to check whether that user is permitted to run the requested command.
To edit the sudo parameters in the sudoers file, only the visudo command should be used, for the following reasons:
• The sudoers file may not be in the same location on all Linux distributions.
• visudo checks the syntax of the sudoers file when you save it and reports any errors.
• It gives you the option to reject the changes or re-edit the file.
• It prevents two users from editing the file at the same time.
The visudo command should be run as root:
# visudo
Syntax for sudo in the sudoers file
General sudoers file record format:
user MACHINE=COMMANDS
user/group hostname = (runasuser) command(s)
root ALL=(ALL) ALL
Here,
• user/group is the name of the user or group for which sudo privileges are defined.
• hostname is a list of hosts (machines) on which the user can use sudo; ALL matches any host.
• runasuser is the name of the user the sudo user is allowed to act as, and must be enclosed in ( ).
• command(s) is a list of commands that this user can execute. The full path of each command must be specified.
# visudo
root ALL=(ALL) ALL
Instead of the root user, we add a normal user and allow him to run the command below from his terminal:
jeff ALL=/etc/init.d/httpd reload
User jeff can now reload httpd from any host:
$ sudo /etc/init.d/httpd reload
[sudo] password for jeffin:
Reloading httpd:
We can also create aliases for:
• users/groups: User_Alias
• users to run commands as: Runas_Alias
• hostnames: Host_Alias
• commands: Cmnd_Alias
Example:
User_Alias USER = user1, user2
Runas_Alias PRIVUSER = root, jeff
Host_Alias SEGMENT = 192.168.1.0/24
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
The following example uses aliases to let a particular user run particular commands.
1. Create a user alias:
## User Aliases
User_Alias ADMINS = jeffin
2. Create a command alias:
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk -l
3. Now use them in the user privilege specification:
ADMINS ALL=STORAGE
If instead we write it as below, visudo reports an error:
jeffin ALL=STORAGE
(format: user/group hostname = (runasuser) command(s))
ERROR: # visudo
visudo: Warning: Runas_Alias `ADMINS' referenced but not defined
visudo: Warning: unused User_Alias ADMINS
Instead of the user name, give the User_Alias name here.
Solution: jeffin ALL=STORAGE is wrong because we defined the User_Alias ADMINS above, so rewrite it as:
ADMINS ALL=STORAGE
ADMINS ALL=NOPASSWD:STORAGE
With NOPASSWD the user can run these commands without entering a password; without it, sudo asks for the user's password.
Here ADMINS is the user alias and STORAGE is the command alias.
4. From the user's side, you can check which commands you have permission to run. First switch to that user and run:
$ sudo -l
User jeffin may run the following commands on this host:
(root) /etc/init.d/httpd reload
(root) /sbin/fdisk -l
5. Switch to that user and run the command (fdisk -l) to see the result. Make sure you run it with sudo:
$ sudo /sbin/fdisk -l
Disk /dev/sda: 33.3 GB, 33285996544 bytes
255 heads, 63 sectors/track, 4046 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000ac2fa
Device Boot Start End Blocks Id System
/dev/sda1 * 1 39 307200 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 39 557 4161536 82 Linux swap / Solaris
Partition 2 does not end on cylinder boundary.
/dev/sda3 557 4047 28036096 83 Linux
Remember this:
• The runasuser token is optional and defaults to root if not included.
• Groups are specified in the sudoers file by prefixing the group name with %.
• There can be multiple usernames in a line, separated by commas.
• Multiple commands should also be separated by commas. Spaces are considered part of the command.
• Alias names must be in capital letters; otherwise visudo gives a syntax error.
• A long entry can be continued on the next line by ending the line with a backslash (\).
• While running a sudo command, the user is prompted for their own password, not the password of the user they are trying to act as.
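The rules above (upper-case alias names, full command paths, aliases that must be defined before they are used, NOPASSWD, backslash continuation) can be checked before a change ever reaches visudo. The following linter is an added example written for this page, not part of the original text and not sudo's own parser; it models a simplified subset of the sudoers grammar (alias definitions and user specifications only, no Defaults, #include or wildcards), and the SAMPLE fragment is constructed to contain the mistakes this page warns about, including the "ADMINS All=STORAGE" misspelling of ALL and the "unused User_Alias" warning from step 3.

```python
import re

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")   # alias names: upper-case letters, digits, underscore
SPEC_RE = re.compile(
    r"^(?P<users>.+?)\s+(?P<hosts>\S+?)\s*=\s*"   # users  hosts =
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                # optional (runasuser)
    r"(?P<cmds>.*)$")                              # [NOPASSWD:] command list


def _split(text):
    """Split a comma-separated sudoers list, trimming whitespace."""
    return [t.strip() for t in text.split(",") if t.strip()]


def lint_sudoers(text):
    """Parse a sudoers fragment (simplified grammar); return (specs, problems).

    specs    : one dict per user specification (users, hosts, runas, nopasswd, commands)
    problems : human-readable findings, in file order
    Line numbers count logical lines: a line ending in a backslash is joined with the next.
    """
    aliases = {kind: {} for kind in ALIAS_KINDS}
    refs = []                                   # (lineno, kind, name) alias references
    specs, problems = [], []

    def check(lineno, tokens, kind, is_command=False):
        for tok in tokens:
            if tok.upper() == "ALL" and tok != "ALL":
                problems.append(f"line {lineno}: {tok!r} is not the keyword ALL")
            elif tok != "ALL" and ALIAS_NAME.match(tok):
                refs.append((lineno, kind, tok))        # resolved after the whole file is read
            elif is_command and tok != "ALL" and not tok.startswith("/"):
                problems.append(f"line {lineno}: command {tok!r} must be a full path")

    for lineno, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment; blank lines are ignored
        if not line:
            continue
        head = line.split(None, 1)[0]
        if head == "Defaults":                  # Defaults settings are not checked by this linter
            continue
        if head in ALIAS_KINDS:                 # e.g. Cmnd_Alias STORAGE = /sbin/fdisk -l
            m = re.match(r"^\S+\s+(\S+)\s*=\s*(.*)$", line)
            if not m:
                problems.append(f"line {lineno}: malformed {head}")
                continue
            name = m.group(1)
            if not ALIAS_NAME.match(name):
                problems.append(f"line {lineno}: {head} name {name!r} must be upper-case")
            aliases[head][name] = _split(m.group(2))
            continue
        m = SPEC_RE.match(line)                 # user/group  hostname = (runasuser) command(s)
        if not m:
            problems.append(f"line {lineno}: cannot parse user specification")
            continue
        users, hosts = _split(m.group("users")), _split(m.group("hosts"))
        runas = _split(m.group("runas")) if m.group("runas") else ["root"]   # runas defaults to root
        cmds, nopasswd = [], False
        for cmd in _split(m.group("cmds")):
            tag, _, rest = cmd.partition(":")   # a NOPASSWD:/PASSWD: tag precedes the command
            if tag in ("NOPASSWD", "PASSWD") and rest:
                nopasswd = (tag == "NOPASSWD")
                cmd = rest.strip()
            cmds.append(cmd)
        check(lineno, [u.lstrip("%") for u in users], "User_Alias")   # %name is a group
        check(lineno, hosts, "Host_Alias")
        check(lineno, runas, "Runas_Alias")
        check(lineno, cmds, "Cmnd_Alias", is_command=True)
        specs.append({"users": users, "hosts": hosts, "runas": runas,
                      "nopasswd": nopasswd, "commands": cmds})

    for lineno, kind, name in refs:             # the two alias warnings visudo prints
        if name not in aliases[kind]:
            problems.append(f"line {lineno}: {kind} {name!r} referenced but not defined")
    used = {(kind, name) for _, kind, name in refs}
    for kind in ALIAS_KINDS:
        for name in aliases[kind]:
            if (kind, name) not in used:
                problems.append(f"unused {kind} {name}")
    return specs, problems


# Constructed sudoers fragment (not from any real host) with the mistakes this page warns about.
SAMPLE = """\
## User Aliases
User_Alias ADMINS = jeffin
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk -l
Cmnd_Alias services = /sbin/service, /sbin/chkconfig
ADMINS All=STORAGE
%jeep ALL=NOPASSWD: STORAGE, \\
    fdisk -l
jeffin ALL=(OPS) ALL
root ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for problem in lint_sudoers(SAMPLE)[1]:
        print(problem)
```

Run it on a proposed fragment before pasting the fragment into visudo; the real check is still visudo's own syntax check, and this linter only catches the classes of mistake listed on this page.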
Giving privileges to a group
1. Create a group jeep:
# groupadd jeep
2. Create users and add them to that group:
# useradd -g jeep jeff
# useradd -g jeep jomy
3. Allow members of group jeep to run the commands in the command alias STORAGE:
## Allows people in group jeep to run commands specified in the cmd-alias STORAGE
%jeep ALL=STORAGE
Here STORAGE is the command alias defined above.
4. Switch to one of those users and run:
$ sudo -l
$ sudo /sbin/fdisk -l
How to gain root privileges as a normal user
By using the su - command, a user can log in as root after entering root's password.
But if root privileges are granted to a user in sudoers, that user does not need to know the root password to act as root for that session.
su (substitute user):
# su -
# su - root
$ su - root -c "ls -l /root"
Running a command as another user
$ sudo -u <user to run the command as> <command>
To allow a user to run commands as another user, give that user's name in ( ):
jeffin ALL=(jeff) /etc/init.d/httpd reload
This says that user jeffin can run that command as jeff (using "sudo -u jeff"):
[jeffin@localhost ~]$ sudo -u jeff /etc/init.d/httpd reload
Log file
By default, sudo messages are sent to syslog, so all commands run through sudo are logged in /var/log/messages. We can create a separate sudo log file by adding the following line to the sudoers file:
# visudo
# Specify the sudo log file location
Defaults logfile=/var/log/sudolog
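Whether sudo writes to syslog or to its own log file, each entry records the invoking user, the TTY, the working directory, the target user and the command, and a refused request carries a reason ("command not allowed", "user NOT in sudoers", "3 incorrect password attempts") before the TTY field. The parser below is an added example for this page, not part of the original text; the log lines it runs on are constructed (the hostname web01 and the users are made up) and are laid out in sudo's syslog format plus one line in the Defaults logfile format, so the regular expression accepts both.

```python
import re
from collections import Counter

# Matches a sudo record in syslog ("... sudo:   user : ...") or in the Defaults logfile
# ("Mar  3 10:19:10 : user : ..."). The reason field is only present when sudo refused the request.
SUDO_RE = re.compile(
    r"(?:sudo:|\d\d:\d\d:\d\d :)\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$")


def parse_sudo_line(line):
    """Return a dict for a sudo log record, or None for any other log line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["allowed"] = rec["reason"] is None      # no reason text means sudo ran the command
    return rec


def summarize(lines, deny_threshold=2):
    """Split sudo records into allowed commands and refusals; flag users with repeated refusals."""
    records = [r for r in map(parse_sudo_line, lines) if r]
    denied = Counter(r["user"] for r in records if not r["allowed"])
    allowed = [(r["user"], r["runas"], r["command"]) for r in records if r["allowed"]]
    flagged = sorted(u for u, n in denied.items() if n >= deny_threshold)
    return {"records": len(records), "denied": dict(denied),
            "allowed": allowed, "flagged": flagged}


# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    "Mar  3 10:15:22 web01 sudo:   jeffin : TTY=pts/0 ; PWD=/home/jeffin ; USER=root ; COMMAND=/sbin/fdisk -l",
    "Mar  3 10:16:05 web01 sudo:   jeffin : command not allowed ; TTY=pts/0 ; PWD=/home/jeffin ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:16:40 web01 sshd[2210]: Accepted publickey for jeff from 192.168.1.20 port 51234 ssh2",
    "Mar  3 10:17:41 web01 sudo:   jeffin : command not allowed ; TTY=pts/0 ; PWD=/home/jeffin ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers",
    "Mar  3 10:18:02 web01 sudo:     jeff : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/jeff ; USER=root ; COMMAND=/etc/init.d/httpd reload",
    "Mar  3 10:19:10 : jeffin : TTY=pts/0 ; PWD=/home/jeffin ; USER=jeff ; COMMAND=/etc/init.d/httpd reload",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for user, runas, command in summary["allowed"]:
        print(f"allowed  {user} -> {runas}: {command}")
    for user, count in summary["denied"].items():
        print(f"refused  {user}: {count} attempt(s)")
    print("repeated refusals:", summary["flagged"])
```

Refusals are the lines worth alerting on: a user repeatedly asking for a command that the sudoers file does not grant is either a misconfiguration to fix or an attempt that the logging makes visible.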
Granting access to a user and a group together
# Granting access to specific users and groups, separated by commas
jeffin,%jeep ALL=/etc/init.d/httpd reload
OR
jeffin,%jeep ALL=STORAGE
(where Cmnd_Alias STORAGE = /etc/init.d/httpd reload)
Make sure the group %jeep appears in only one line, either the group line or the combined user/group line.
Granting access to users for specific files or directories
The following entry allows user jeff to run all the program files in the /sbin and /usr/sbin directories (a directory is written with a trailing slash),
along with the privilege of running the command /usr/local/src/script.sh:
jeff ALL= /sbin/, /usr/sbin/, /usr/local/src/script.sh
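The trailing slash is what turns an entry into a directory grant: "/sbin/" matches any program directly inside /sbin (not in subdirectories), whereas "/usr/sbin" without the slash names a single command. The matcher below is an added example for this page, not sudo's own code; it models only the command-matching rules stated here and in the sudoers manual (ALL, a directory entry, a command without arguments matching any arguments, a command with arguments matching those exact arguments, and "" meaning no arguments), and the entries it is tested against are the ones from this page.

```python
import posixpath


def command_matches(entry, command, args=""):
    """Does one sudoers command entry permit running `command` (full path) with `args`?

    Simplified model of sudo's matching:
      ALL            -> any command
      /dir/          -> any file directly inside /dir (not subdirectories)
      /path/cmd      -> that command with any arguments
      /path/cmd args -> that command with exactly those arguments
      /path/cmd ""   -> that command with no arguments at all
    """
    if entry == "ALL":
        return True
    entry_cmd, _, entry_args = entry.partition(" ")
    entry_args = entry_args.strip()
    if entry_cmd.endswith("/"):                   # directory entry
        return posixpath.dirname(command) + "/" == entry_cmd
    if entry_cmd != command:
        return False
    if entry_args == "":                          # no arguments listed: anything goes
        return True
    if entry_args == '""':                        # "" : must be run without arguments
        return args == ""
    return entry_args == args                     # listed arguments must match exactly


def permitted(entries, command, args=""):
    """True if any entry in the comma-separated command list permits the command."""
    return any(command_matches(e.strip(), command, args) for e in entries)


if __name__ == "__main__":
    # The entry from this page, split into its three parts.
    page_entry = ["/sbin/", "/usr/sbin/", "/usr/local/src/script.sh"]
    for cmd, args in [("/sbin/fdisk", "-l"), ("/usr/sbin/useradd", "x"),
                      ("/usr/local/src/script.sh", ""), ("/bin/bash", "")]:
        print(f"{cmd} {args}".rstrip(), "->", permitted(page_entry, cmd, args))
```

The last assertion in the accompanying check is the caveat: with "/usr/sbin" written without the trailing slash, nothing in /usr/sbin is permitted, which is exactly the silent failure a reviewer should look for in such an entry.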