
Sunday, 3 August 2014

Sudo Overview


Sudo: An Overview

File : /etc/sudoers
Cmd  :  visudo

sudo allows a permitted user to execute a command as the superuser.

The sudo utility gives the users named in the sudoers configuration file temporary access to run certain commands as root or as any other user.

Whenever a user runs sudo, it reads the sudoers file to check whether that user is permitted to run the requested command.

To edit the sudo parameters in the sudoers file, only the visudo command should be used, for the following reasons:

• The sudoers file might not be in the same location on all Linux distributions.

• visudo checks the syntax of the sudoers file when you save it and reports any errors.

• It offers the option to discard the changes or re-edit the file.

• It prevents two users from editing the file at the same time.

The visudo command should be run as root:
# visudo

Syntax for sudo in the sudoers file

General sudoers file record format: 

user   MACHINE=COMMANDS

user/group hostname = (runasuser) command(s)

root    ALL=(ALL)       ALL

Here,
• user/group is the name of the user or group for which sudo privileges are defined.

• hostname is a list of hosts from which the user can use sudo.

• runasuser is the name of the user the sudo user is allowed to act as; it must be enclosed in ( ).

• command(s) is a list of commands this user can execute. The full path of each command must be given.

# visudo

root ALL=(ALL) ALL ---- this is the default entry for root. Instead of root, we add a normal user and let him run the command below from his terminal.

jeff ALL=/etc/init.d/httpd reload

User jeff can reload httpd from any host (ALL):

$ sudo /etc/init.d/httpd reload
[sudo] password for jeffin:
Reloading httpd:

We can also create aliases for:
• users/groups: User_Alias 
• run commands as other users: Runas_Alias
• hostname: Host_Alias
• command: Cmnd_Alias

Eg:
User_Alias USER = user1, user2
Runas_Alias PRIVUSER = root, jeff
Host_Alias SEGMENT = 192.168.1.0/24
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

The following example shows aliasing, used to let a particular user run particular commands.

1. Create a user alias
## User Aliases
User_Alias ADMINS = jeffin

2. Create a command alias
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk -l

3. Now add those to the user privilege specification:

ADMINS ALL=STORAGE

If we instead write the following, visudo reports an error:

jeffin ALL=STORAGE
user/group hostname = (runasuser) command(s)

ERROR: # visudo
visudo: Warning: Runas_Alias `ADMINS' referenced but not defined
visudo: Warning: unused User_Alias ADMINS

Instead of the user name, give the User_Alias name here.

Solution: jeffin ALL=STORAGE is wrong because we defined the User_Alias ADMINS above. So rewrite it as:

ADMINS ALL=STORAGE

ADMINS ALL=NOPASSWD:STORAGE  ----------> With NOPASSWD the commands run without asking for our password; otherwise sudo asks for your password.

Here ADMINS is the user alias and STORAGE the command alias defined above.

4. From the user side you can check which commands you are allowed to run. First switch to that user and run the command below:

$ sudo -l
User jeffin may run the following commands on this host:
    (root) /etc/init.d/httpd reload
    (root) /sbin/fdisk -l

5. Switch to that user and run the command (fdisk -l) to show the result. Make sure you run it with sudo:

$ sudo /sbin/fdisk -l

Disk /dev/sda: 33.3 GB, 33285996544 bytes
255 heads, 63 sectors/track, 4046 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000ac2fa

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          39      307200   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              39         557     4161536   82  Linux swap / Solaris
Partition 2 does not end on cylinder boundary.
/dev/sda3             557        4047    28036096   83  Linux


Remember this:
• The runasuser token is optional and defaults to root if not included.

• Groups are specified in sudoers file by prefixing the group name with %.

• There can be multiple usernames in a line separated by commas.

• Multiple commands must also be separated by commas. Spaces are considered part of the command.

• Alias names must be in capital letters; otherwise visudo gives a syntax error.

• If a line gets too long, put a backslash (\) at the end and continue on the next line.

• When running a sudo command, the user is prompted for their own password, not the password of the user they are acting as.

Giving privileges to a group

1. Create a group jeep

# groupadd jeep

2. Create users and add them to that group

# useradd -g jeep jeff
# useradd -g jeep jomy

3. Add the rule below to sudoers (the ## line is a comment):

## Allows people in group jeep to run commands specified in the cmd-alias STORAGE
%jeep ALL=STORAGE

Here STORAGE is the command alias defined earlier.

4. Switch to that user and run:

$ sudo -l
$ sudo /sbin/fdisk -l


How to gain root privileges as a normal user

With the su - command, a user can log in as root after entering root's password.

But by granting root privileges to a user in sudoers, the user does not need to know the root password to act as root for that session.

 -- 'su' Substitute User

# su -
# su - root
$ su - root -c "ls -l /root"

 To use a privilege of another user

# sudo -u <user to run command as> <command>

If you want to give privileges to run as another user, give that user name in ( ):

jeffin ALL=(jeff) /etc/init.d/httpd reload

That says that user jeffin can run that command as jeff (using "sudo -u jeff"):

[jeffin@localhost ~]$ sudo -u jeff /etc/init.d/httpd reload


Log file

By default, sudo messages are sent to syslog, so all commands run through sudo are logged in /var/log/messages. We can create a separate sudo log file by adding the line below to the sudoers file:

# visudo

# Specify default log file location

Defaults logfile=/var/log/sudolog
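As an added example (not from the post), a small Python parser for the entries sudo writes to syslog, plus a triage pass that separates denied or failed-authentication attempts from successful root commands outside an expected set. The log lines are constructed, not taken from a real host.

```python
import re

# Constructed sample lines in the format sudo sends to syslog (not from a real host).
LOG = """\
Aug  3 10:15:22 web1 sudo:   jeffin : TTY=pts/0 ; PWD=/home/jeffin ; USER=root ; COMMAND=/sbin/fdisk -l
Aug  3 10:16:03 web1 sudo:   jeffin : TTY=pts/0 ; PWD=/home/jeffin ; USER=root ; COMMAND=/etc/init.d/httpd reload
Aug  3 10:17:41 web1 sudo:     jomy : command not allowed ; TTY=pts/1 ; PWD=/home/jomy ; USER=root ; COMMAND=/bin/bash
Aug  3 10:18:09 web1 sudo:     jomy : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/jomy ; USER=root ; COMMAND=/sbin/fdisk -l
Aug  3 10:19:30 web1 sudo:   jeffin : TTY=pts/0 ; PWD=/home/jeffin ; USER=jeff ; COMMAND=/etc/init.d/httpd reload
"""

# A sudo entry is "user : [problem ;] TTY=... ; PWD=... ; USER=runas ; COMMAND=..."
ENTRY = re.compile(r"sudo:\s+(?P<user>\S+) : (?:(?P<problem>[^;]+?) ; )?TTY=(?P<tty>\S+) ; "
                   r"PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$")

def parse_sudo_log(text):
    """Yield one dict per sudo entry; 'problem' is None when the command was allowed."""
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            yield m.groupdict()

def review(text, allowed_root_cmds):
    """Return (denied, unexpected): rejected/failed attempts, and root commands
    that succeeded but are not in the set the sudoers policy is meant to allow."""
    denied, unexpected = [], []
    for e in parse_sudo_log(text):
        if e["problem"]:
            denied.append((e["user"], e["problem"], e["command"]))
        elif e["runas"] == "root" and e["command"] not in allowed_root_cmds:
            unexpected.append((e["user"], e["command"]))
    return denied, unexpected
```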

Granting access to a user and a group together

# granting access to specific users and groups, separated by commas

jeffin,%jeep ALL=/etc/init.d/httpd reload

OR

jeffin,%jeep ALL=STORAGE

(STORAGE=/etc/init.d/httpd reload)

Make sure group %jeep is mentioned in only one line, either the group line or the user line.

Granting access to users for specific files or directories

The following entry allows user jeff to run all the programs in the /sbin and /usr/sbin directories, along with the privilege of running the command /usr/local/src/script.sh:

jeff ALL= /sbin/, /usr/sbin/, /usr/local/src/script.sh

Wednesday, 3 July 2013

How to start and stop daemons via sudo

Problem: you want specific non-superusers to start and stop system daemons
 

Solution: Here we let four different users start, stop, and restart the web server. The script for doing so is /etc/init.d/httpd.

/etc/sudoers:
User_Alias FOLKS=barbara, l33t, jimmy, miroslav

Cmnd_Alias DAEMONS=/etc/init.d/httpd start, /etc/init.d/httpd stop, /etc/init.d/httpd restart

FOLKS ALL = (ALL) DAEMONS



How to authorize password changes via sudo

Problem: you want to permit a user to change the passwords of certain other users.
 

Solution: To permit smith to change the passwords of jones, chu, and agarwal:

/etc/sudoers:
smith ALL = NOPASSWD: /usr/bin/passwd jones, /usr/bin/passwd chu, /usr/bin/passwd agarwal 


The NOPASSWD tag is optional.


How to permit read-only access to a shared file via sudo

Problem: Two or more users want to share a file, some read/write and others read-only.
 

Solution: Create two Linux groups, one for read/write and one for read-only users:

/etc/group:
readers:x:300:r1,r2,r3,r4
writers:x:301:w1,w2,w3

 
Permit the writers group to write the file via group permissions:

# chmod 660 shared_file
# chgrp writers shared_file

 
Permit the readers group to read the file via sudo:


/etc/sudoers:
%readers ALL = (w1) /bin/cat /path/to/shared_file

Note: This suits a file that must be writable by a group of teaching assistants but read-only to a group of students. If there were only two users, one reader and one writer, you could dispense with groups and simply let the reader access the file via sudo.

If smith is the reader and jones the writer, we give smith the following capability:

/etc/sudoers:
smith ALL = (jones) NOPASSWD: /bin/cat /home/jones/private.stuff

then jones can protect her file:

jones$ chmod 600 $HOME/private.stuff

and smith can view it:

smith$ sudo -u jones cat /home/jones/private.stuff


How to prohibit command-line arguments with sudo

Problem: You want to permit a command to be run via sudo, but only without command-line arguments.

Solution: Follow the program name with the single argument "" in /etc/sudoers:

/etc/sudoers:
smith ALL = (root) /usr/local/bin/mycommand ""

smith$ sudo -u root mycommand a b c  ----   Rejected
smith$ sudo -u root mycommand    ----     Authorized

NOTE:
If you specify no arguments for a command in /etc/sudoers, then by default any arguments are permitted.

/etc/sudoers:
smith ALL = (root) /usr/local/bin/mycommand

smith$ sudo -u root mycommand a b c  ----- Authorized
Use "" to prevent any runtime arguments from being authorized.


 

How to run any program in a directory via sudo

Problem: Authorize a user to run all programs in a given directory, but only those programs, as another user.

Solution: Specify a fully-qualified directory name instead of a command, ending it with a slash:

/etc/sudoers:
smith ALL = (root) /usr/local/bin/

smith$ sudo -u root /usr/local/bin/mycommand   Authorized
smith$ sudo -u root /usr/bin/emacs             Rejected

This authorization does not descend into subdirectories:
smith$ sudo -u root /usr/local/bin/gnu/emacs    Rejected
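The rules from the posts above, modelled in Python as an added example (not sudo's own matching code): aliases and %groups from the aliasing section, NOPASSWD, the "" argument that forbids arguments, and the trailing slash that allows one directory level. It ignores wildcards, negation and Defaults, and SAMPLE is a sudoers fragment constructed from the posts' rules.

```python
import re
# Constructed sudoers fragment that mirrors the rules in the posts above.
SAMPLE = """\
User_Alias ADMINS = jeffin
Cmnd_Alias STORAGE = /sbin/fdisk -l
Host_Alias SAFE_HOSTS = banana, cherry
ADMINS ALL = NOPASSWD: STORAGE
%jeep ALL = STORAGE
smith SAFE_HOSTS = (jones) /usr/local/bin/mycommand ""
smith ALL = (root) /usr/local/bin/
"""
RULE = re.compile(r"(\S+)\s+([^=]+?)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:)?\s*(.*)")
def csv(s):
    return [x.strip() for x in s.split(",")]

def parse_sudoers(text):
    """Return (aliases, rules); runas defaults to root when no (runasuser) is given."""
    aliases, rules = {}, []
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        if line.split()[0].endswith("_Alias"):          # User_/Runas_/Host_/Cmnd_Alias NAME = a, b
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = csv(members)
            continue
        who, hosts, runas, nopw, cmds = RULE.match(line).groups()
        rules.append(dict(users=csv(who), hosts=csv(hosts), runas=csv(runas or "root"),
                          nopasswd=bool(nopw), cmds=csv(cmds)))
    return aliases, rules

def expand(items, aliases):
    """Recursively replace alias names with their members."""
    return [m for i in items for m in (expand(aliases[i], aliases) if i in aliases else [i])]

def cmd_matches(spec, cmd, args):
    """Exact path+args (spaces count); bare path = any args; "" = no args; dir/ = one level."""
    path, *want = spec.split()                          # the "" argument stays as the token '""'
    if path.endswith("/"):                              # trailing slash: files in that directory only
        return cmd.rpartition("/")[0] + "/" == path
    return spec == "ALL" or (path == cmd and (not want or want == args or (want == ['""'] and not args)))

def check(text, user, groups, host, runas, cmd, args=()):
    """Return (allowed, nopasswd) for a request; like sudo, the last matching rule wins."""
    aliases, rules = parse_sudoers(text)
    verdict = (False, False)
    for r in rules:
        users, hosts, runs = (expand(r[k], aliases) for k in ("users", "hosts", "runas"))
        user_ok = user in users or "ALL" in users or any("%" + g in users for g in groups)
        if user_ok and ("ALL" in hosts or host in hosts) and ("ALL" in runs or runas in runs):
            if any(cmd_matches(c, cmd, list(args)) for c in expand(r["cmds"], aliases)):
                verdict = (True, r["nopasswd"])
    return verdict
```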



How to grant privileges to a group via sudo

Problem: Let a set of users run commands as another user.

Solution: Define a Linux group containing those users:

/etc/group:
mygroup:x:1200:joe,jane,hiram,krishna

then create a sudo rule with the %groupname syntax:

/etc/sudoers:
# let the group run a particular program
%mygroup ALL = (root) /usr/local/bin/mycommand arg1 arg2
# give full superuser privileges to the group
%mygroup ALL = (ALL) ALL



How to authorize per-host machines in sudo

Problem: You want to allow a user authorization privileges only on certain machines.

Solution: First, define a list of machines:

/etc/sudoers:
Host_Alias SAFE_HOSTS = banana, cherry, grapes

Let smith run a program as jones on these machines (note that a leading # would turn the rule into a comment):
smith SAFE_HOSTS = (jones) /usr/local/bin/mycommand

Let smith run all programs as jones on these machines:
smith SAFE_HOSTS = (jones) ALL


How to bypass password authentication using sudo

Problem: You want one user to run a command as another user without supplying a password.

Solution: Use sudo's NOPASSWD tag, which tells sudo that no password is needed for authentication.

/etc/sudoers:
smith ALL = (jones) NOPASSWD: /usr/local/bin/mycommand args
smith ALL = (root) NOPASSWD: /usr/local/bin/my_script ""
 


Password-less authentication is particularly useful for batch jobs.

How to run commands as another user via sudo

Problem: You want one user to run commands as another, without sharing passwords.

Solution: Suppose you want user smith to be able to run a given command as user jones.

/etc/sudoers:
smith ALL = (jones) /usr/local/bin/mycommand

As user smith:
smith$ sudo -u jones /usr/local/bin/mycommand
smith$ sudo -u jones mycommand    --- works if /usr/local/bin/ is in $PATH

User smith will be prompted for his own password, not jones's. The ALL keyword, which matches anything, here means the line is valid on any host.



Wednesday, 7 March 2012

How to enable sudo for normal users

Sudo is a standard way to give users some administrative rights without giving out the root password. It is very useful in a multi-user environment with a mix of servers and workstations. Simply prefix the command with sudo:

# sudo /etc/init.d/dhcpd restart     # Run the rc script as root
# sudo -u sysadmin whoami               # Run cmd as an other user

Sudo is configured in /etc/sudoers and must only be edited with visudo. The basic syntax is (lists are comma separated):

user hosts = (runas) commands  # In /etc/sudoers

users     one or more users or %group (like %wheel) that gain the rights
hosts     list of hosts (or ALL)
runas     list of users (or ALL) the rule can be run as, enclosed in ( )
commands  list of commands (or ALL) that will be run as root or as (runas)

Additionally, those keywords can be defined as aliases, called User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias.

# cat /etc/sudoers
# Host aliases are subnets or hostnames.
  Host_Alias DMZ = 212.118.81.40/28
  Host_Alias DESKTOP = work1, work2


# User aliases are a list of users which can have the same rights
User_Alias ADMINS = colin, luca, admin

User_Alias DEVEL  = joe, jack, julia
Runas_Alias DBA   = oracle,pgsql


# Command aliases define the full path of a list of commands
Cmnd_Alias  SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
Cmnd_Alias  PW      = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root # Not root pwd!
Cmnd_Alias  DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap

# The actual rules
root,ADMINS ALL = (ALL) NOPASSWD: ALL  # ADMINS can do anything w/o a password.
DEVEL  DESKTOP = (ALL) NOPASSWD: ALL  # Developers have full right on desktops
DEVEL DMZ =(ALL) NOPASSWD: DEBUG # Developers can debug the DMZ servers.

# User sysadmin can mess around in the DMZ servers with some commands.
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL # Can do anything outside the DMZ.

%dba  ALL = (DBA) ALL # Group dba can run as database user

# anyone can mount/unmount a cd-rom on the desktop machines
 ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom