Section 1.0 Description
This document is an advanced outline of the sudoers file and of how it can be tailored to your needs. There are many more options than are outlined here, but this will give you a strong understanding of the further configuration options available.
Section 1.1 sudo command : Definition
The sudo command allows one user to execute a command as another user. It is commonly used to allow ordinary users to execute commands usually reserved for the root user (administrators), such as the kill, mount or adduser commands.
One thing that sometimes confuses new users is the password you are prompted for : which password is it? Is it the root password?
No. By default sudo asks for your own password, the password of the user invoking sudo: the prompt is there to prove that you are who you claim to be before the policy in the sudoers file is applied. This default can be changed with the Defaults options rootpw (ask for root's password), targetpw (ask for the password of the user you are becoming, who could be any user on the system) or runaspw (ask for the password of the default run-as user), but unless one of these is set sudo never asks for the root password.
Section 1.2 sudoers file : Definition
The sudoers file, /etc/sudoers by default (another file may be specified, and most distributions also pull in drop-in files from /etc/sudoers.d through an include directive at the end of the main file), is the “list of who can run what”. The file is basically built from 2 types of data:
- Aliases : Aliases are variables that store multiple entries of the same kind (users, run-as users, hosts, commands).
There are 4 types of Aliases:
- User_Alias
- Runas_Alias
- Host_Alias
- Cmnd_Alias
- User specifications : This is where all this information is combined into an effective one-liner (who may run what, on which host, as whom).
Section 1.3 sudo : Usage
The sudo command itself is quite simple. Its basic syntax is:
Syntax: sudo <command>
Example: sudo yum update
To this basic syntax you may add some options to:
- Check whether or not you are in the sudoers file and which commands are allowed or forbidden for you (or, with the “-U” option, for another user; the sudoers policy only lets root, or a user who may run any command as root on that host, list someone else's entries) :
sudo -l
or sudo -ll
(for a long list format) or sudo -l -U <user>
This prints something like:
Matching Defaults entries for pier on this host:
    requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User pier may run the following commands on this host:
    (root) /sbin/mount /mnt/cdrom, (root) /mnt/cdrom, (root) /bin/rpm, /usr/bin/up2date, /usr/bin/yum
- Launch the command as the user <user> (without -u, sudo runs it as root) :
sudo -u <user> <command>
- Launch a login shell as the target user (and therefore load that user's environment from .profile, .login, etc.) :
sudo -i
- Non-interactive mode: no password will ever be asked; if the command requires one, sudo prints an error and exits instead of hanging on a prompt (useful in scripts and cron jobs) :
sudo -n <command>
- Use a custom password prompt (escapes: %u the invoking user, %p the user whose password is requested, %U the user the command will run as, %h the short host name, %H the fully qualified host name, %% a literal percent sign) :
sudo -p "<prompt using %H %h %p ...>" <command>
Section 1.4 visudo : The tool
When working on the sudoers file you should use visudo, the only tool actually made for this specific purpose. It locks the file against concurrent edits and checks the syntax (syntax errors, unused aliases …) before the new version is installed, so that a typo cannot leave the system without a working sudo.
To check a file without editing it, run visudo -c (add -f <file> to check a file other than /etc/sudoers, for instance a drop-in under /etc/sudoers.d); this prints something like :
visudo: Warning: unused Cmnd_Alias DELEGATING
visudo: Warning: unused Cmnd_Alias LOCATE
visudo: Warning: unused Cmnd_Alias STORAGE
/etc/sudoers: parsed OK
The syntax is also checked when you leave the editor; if any errors were found, visudo asks you what to do, which looks like:
>>> /etc/sudoers: syntax error near line 29 <<<
What now? Options are:
  (e)dit sudoers file again
  e(x)it without saving changes to sudoers file
  (Q)uit and save changes to sudoers file (DANGER!)
What now? Q
Answer e and fix the error (or x to throw your changes away). Q installs the broken file, and since sudo refuses to run at all when /etc/sudoers does not parse, that can lock every administrator out of root. This is why visudo is such a great tool for editing the sudoers file.
Note : Discover more of this tool with the classic man visudo.
Section 2.0 sudoers : Basics
This is the important part you need to understand in order to get basic control of the sudoers process on a Linux system.
Note : Some sudoers descriptions (including the man page) use EBNF/BNF notation (see http://www.garshol.priv.no/download/text/bnf.html for a comprehensive explanation); although it can look a bit hard to get into, it is definitely useful once you understand it. If you have some time to spare, try it!
Section 2.1 First step in
When you first open the sudoers file, the only uncommented user specification is usually :
root ALL=(ALL) ALL
Let's use this to explain the basics of the sudoers syntax. We can see that there are 4 fields :
- root : This is the user(s) to whom the following “items” apply
- ALL : This is the host(s) on which the rule is valid, matched against the local host name (the field exists because a single sudoers file is often shared between many machines)
- (ALL) : This is the part that specifies which user(s) you may act as
- ALL : This is the command(s) that may be run using the sudo command
This can literally be read as: The user root (1) can execute ALL commands (4) as ALL users (3) from ALL hosts (2).
Note : The numbers in parentheses refer to the numbered list above, to ease understanding.
Section 2.2 Basic syntax
The basic syntax of the sudoers file could be described as :
USER PLACES=(AS_USER) [NOPASSWD:] COMMAND
- USER can be any : existing user(s), user ID (prefixed with #), system group (prefixed with %), User_Alias
- PLACES can be any combination of : hostname, domain name (wildcards allowed), IP address or network, Host_Alias
- (AS_USER) can be any : existing user(s), user ID, Runas_Alias; a group may be added as (user:group) or (:group)
- COMMAND can be any : existing command(s), given by absolute path and optionally followed by the arguments that are allowed, Cmnd_Alias(es)
- [NOPASSWD:] is used to specify that the following commands can be run WITHOUT being prompted for a password ! Use it sparingly: a password-free command that can spawn a shell or write arbitrary files (editors, interpreters, tar, find -exec …) is the same thing as password-free root.
Note : For more details about extended syntaxes and functionalities (ALIASES) see the Advanced Sudoers Syntax section below.
Section 2.3 Basic examples
Here are some basic examples that may help you understand the basics of the sudoers file.
Note : It is usually more convenient and powerful to use advanced features.
- Allow the user pier to run ALL commands from anywhere as root:
pier ALL=(ALL) ALL
- Same as above but without any password prompt (!)
pier ALL=(ALL) NOPASSWD: ALL
- Allow the user paul to run yum, mount and ifconfig commands from anywhere as root:
paul ALL=(ALL) /usr/bin/yum, /sbin/mount, /sbin/ifconfig
- You may also mix commands that require a password and “password-free” ones on one line; a NOPASSWD: tag applies to every command that follows it (until a PASSWD: tag). In the example below paul may run only parted without a password prompt :
paul ALL=(ALL) /usr/bin/yum, /sbin/mount, /sbin/ifconfig, NOPASSWD: /sbin/parted
Section 3.0 sudoers : Advanced
This is where you will learn the best of the sudoers file: the extended possibilities it offers.
Section 3.1 Aliases
After what we have seen in the Basic syntax section above, let us have a deeper look at what this file has to offer to a sysadmin.
In the following syntax :
USER PLACES=(AS) COMMAND
We may use some aliases to gain more control and flexibility; the possible aliases are :
- User_Alias
- Cmnd_Alias
- Host_Alias
- Runas_Alias
Note : Alias names must be made of UPPERCASE letters, digits and UNDERSCORES, starting with an UPPERCASE letter.
Section 3.2 Generalities about Aliases
You may find it interesting to know that there are special characters available in the sudoers syntax:
- “!” negates the following item; in this example it means the users that are in the USERS alias but not in the WEBMASTERS alias :
User_Alias LIMITED_USERS = USERS, !WEBMASTERS
- “*” is a wildcard that works like shell globbing (not like a REGEXP !). Be careful with it in command arguments: the argument string is matched as a whole and “*” also matches spaces, so /bin/cat /var/log/* allows not only /bin/cat /var/log/messages but also /bin/cat /var/log/messages /etc/shadow. Check man sudoers for detailed information about its use.
Section 3.3 User_Alias
A User_Alias is a kind of custom group that is only used within this sudoers file. As stated in the sudoers file itself : These aren’t often necessary, as you can use regular groups.
- Sudoers groups
User_Alias USERS = tom, dick, harry
- System groups
When using a “system group” (a group that belongs to the OS) prefix it with a percent sign (%) :
User_Alias ADMINS = %admin
- Network groups
When using a “network group” (NIS/LDAP netgroup) use a plus sign (+) instead of the percent sign, as in :
User_Alias NET_USERS = jim, john, dick, +netgroup
- Exclusion
It is also possible to exclude a given alias from another alias; in the following example the LIMITED_USERS alias contains the users that are in NET_USERS BUT NOT in WEBMASTERS or in ADMINS :
User_Alias LIMITED_USERS = NET_USERS, !WEBMASTERS, !ADMINS
Note : You can still specify your own User_Alias if you feel the need to, as:
User_Alias ALIAS = username1, username2
Where :
- User_Alias is a keyword
- ALIAS is the name of your User_Alias (the one you will use later in the sudoers file)
- username is a user's name, a uid (prefixed by #), a group (%), a netgroup (+) or another User_Alias you want to add to ALIAS. Multiple entries are comma separated.
Section 3.4 Cmnd_Alias
A Cmnd_Alias is a group of (usually) related commands. You can find the most common Cmnd_Alias within the sudoers file itself, sorted by domains (networking, software installation …)
Note : You can also specify your own Cmnd_Alias as :
Cmnd_Alias ALIAS = /path/to/command1, /path/to/command2, /path/to/command3
Where :
- Cmnd_Alias is a keyword
- ALIAS is the name of your Cmnd_Alias (the one you will use later in the sudoers file)
- /path/to/command is (are) the absolute path(s) to the command(s) you want to add to ALIAS, optionally followed by the arguments that are allowed. Multiple commands are comma separated.
Examples :
Cmnd_Alias ALIAS1 = /path/to/command1, /path/to/command2, /path/to/*.bash
Cmnd_Alias ALIAS2 = /path/to/command1, ALIAS1
Section 3.5 Host_Alias
A Host_Alias is just like any other alias : it is used to group multiple hosts within a single object. Valid hosts are : host names, IP addresses, network numbers, netgroups (prefixed with ‘+’) and other aliases.
Examples :
Host_Alias WEB_HOST = www, 192.168.1.1, *.sub.example.com
Section 3.6 Runas_Alias
A Runas_Alias groups the users a command may be run as. As for User_Alias it may contain : user names, system groups (prefixed with %), netgroups (prefixed with +) and even uids (prefixed with #).
Note : groups are matched as strings : two groups with the same gid but different names are seen as different objects here.
Section 4.0 Advanced examples
Here are some advanced examples that may help you in a “sysadmin” context.
We may want to create our own aliases before writing a useful and secure sudoers file; the following aliases are for the examples' purposes but may also be useful in a “real life” context.
- Custom ALIASES
Cmnd_Alias SIMULATOR_COMMANDS = /usr/bin/command1, /usr/bin/command2
User_Alias SIMULATOR_USER = pdurand, pdupond, jpdupont
Examples:
- Allow all users of the SIMULATOR_USER alias (a User_Alias defined above, not a system group) to run the commands of SIMULATOR_COMMANDS from the host 192.168.56.88 as peter:
SIMULATOR_USER 192.168.56.88 = (peter) SIMULATOR_COMMANDS
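As an added example (not code from this page or from the sudo project), the following Python script models the rule matching described in the Basic syntax, Aliases and Advanced examples sections: alias expansion, “!” exclusion, the sticky NOPASSWD: tag, the default (root) run-as user, last-match-wins evaluation and shell-style wildcards in command arguments. It is a deliberately simplified model of what sudo does when it evaluates /etc/sudoers (no uid or netgroup entries, no Defaults, no runas groups), and the sudoers fragment, user names and hosts inside it are constructed for the illustration; check(CONF, ...) answers the same question that sudo -l -U would answer for that user.

```python
"""Toy model of sudoers rule matching: aliases, "!" negation, NOPASSWD tags,
last-match-wins and argument wildcards. Added example, not sudo's own code."""
import fnmatch
import re

# Constructed sudoers fragment (not a real /etc/sudoers); users, hosts and
# commands are made up for the illustration.
SUDOERS = """
User_Alias  ADMINS  = alice, bob
User_Alias  LIMITED = ADMINS, !bob          # ADMINS minus bob
Host_Alias  WEB     = www, 192.168.1.1
Cmnd_Alias  PKG     = /usr/bin/yum, /bin/rpm
root     ALL = (ALL) ALL
LIMITED  WEB = (root) PKG, NOPASSWD: /sbin/parted
%wheel   ALL = (ALL) NOPASSWD: ALL, !/bin/su
paul     ALL = (root) /bin/cat /var/log/*
"""

ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(.+?)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def _items(text):
    return [t.strip() for t in text.split(",")]

def parse(text):
    """Return (aliases, specs); '#' starts a comment unless a digit follows (#uid)."""
    aliases = {"User": {}, "Runas": {}, "Host": {}, "Cmnd": {}}
    specs = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#(?!\d).*$", "", raw).strip()
        if not line or line.startswith("Defaults"):   # Defaults are not modelled
            continue
        if m := ALIAS_RE.match(line):
            kind, name, body = m.groups()
            aliases[kind][name] = _items(body)
            continue
        if not (m := SPEC_RE.match(line)):
            raise ValueError("unparsable line: " + line)
        users, hosts, runas, cmds = m.groups()
        nopasswd, cmd_list = False, []
        for tok in _items(cmds):
            # A NOPASSWD:/PASSWD: tag sticks to every command after it.
            if tok.startswith("NOPASSWD:"):
                nopasswd, tok = True, tok[9:].strip()
            elif tok.startswith("PASSWD:"):
                nopasswd, tok = False, tok[7:].strip()
            cmd_list.append((tok, nopasswd))
        # An omitted (RUNAS) part means the command may only be run as root.
        specs.append((_items(users), _items(hosts), _items(runas or "root"), cmd_list))
    return aliases, specs

def match_list(items, value, aliases, kind, match_one):
    """Simplified: some positive entry matches and no negated entry does."""
    hit = False
    for item in items:
        neg, name = item.startswith("!"), item.lstrip("!")
        if name in aliases[kind]:          # alias of the same kind: expand it
            ok = match_list(aliases[kind][name], value, aliases, kind, match_one)
        else:
            ok = name == "ALL" or match_one(name, value)
        if ok and neg:
            return False
        hit = hit or ok
    return hit

def user_match(name, subject):             # subject = (user name, set of groups)
    user, groups = subject
    return name[1:] in groups if name.startswith("%") else name == user

def cmnd_match(pattern, cmdline):
    """A bare path allows any arguments. With an argument pattern the whole
    argument string is globbed, and '*' also matches spaces, so
    '/bin/cat /var/log/*' also covers '/bin/cat /var/log/messages /etc/shadow'."""
    pat_path, sep, pat_args = pattern.partition(" ")
    cmd_path, _, cmd_args = cmdline.partition(" ")
    if not fnmatch.fnmatchcase(cmd_path, pat_path):
        return False
    if not sep:                   # no argument pattern: any arguments allowed
        return True
    if pat_args == '""':          # explicit "": no arguments allowed
        return cmd_args == ""
    return fnmatch.fnmatchcase(cmd_args, pat_args)

def check(conf, user, groups, host, runas, cmdline):
    """Return 'NOPASSWD', 'PASSWD' or None (denied); the last match wins, as in sudo."""
    aliases, specs = conf
    verdict = None
    for users, hosts, runas_list, cmds in specs:
        if not (match_list(users, (user, groups), aliases, "User", user_match)
                and match_list(hosts, host, aliases, "Host", lambda p, h: fnmatch.fnmatchcase(h, p))
                and match_list(runas_list, runas, aliases, "Runas", lambda a, b: a == b)):
            continue
        for pat, nopw in cmds:
            if match_list([pat.lstrip("!")], cmdline, aliases, "Cmnd", cmnd_match):
                verdict = None if pat.startswith("!") else ("NOPASSWD" if nopw else "PASSWD")
    return verdict

CONF = parse(SUDOERS)
```

Calling check(CONF, "paul", set(), "db1", "root", "/bin/cat /var/log/messages /etc/shadow") returns "PASSWD", which is the wildcard pitfall from the Generalities about Aliases section in action: a rule that was only meant to let paul read log files also lets him read /etc/shadow. The "!/bin/su" entry for %wheel shows the opposite limitation: excluding a command by path is weak, since the user can copy the binary elsewhere or reach a shell through any other allowed program, so prefer short allow-lists of fixed commands over "ALL minus a few".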