Sudo? Visudo? Sudoers? Help!
This is a brief tutorial about sudo, the must-have program that's configured and installed on numerous systems. It's available from here for free (although feel free to donate to Todd Miller if you like it).
Everything below is easily found in the README as well as online from other sites. This is by no way my own contribution to the abilities of sudo, documentation, or otherwise, just a contribution to get those that aren't familiar with it going on it.
Get the software:
Go to the above site, download the source to your linux/unix box.
# tar zxvf name_of_sudo_tarfile.tar.gz
# cd <directory created here by sudo, something like sudo-1.6.3p7>
(bunch of stuff here)
(bunch of stuff here)
# make install
(installs into /usr/local/bin, /etc, /usr/local/sbin)
Now that that's done, you'll have some new executables to play with. The first one is visudo, the second is sudo. They are defined as below:
visudo - the *only* program you should run as root to edit the sudoers file (/etc/sudoers usually). This creates a temp file much like vipw does for /etc/passwd and upon saving and exiting, it'll write the new one to where the current sudoers is installed.
sudo - this is the main sudo command, allowing said user to execute a command or certain commands as root with permissions given out by what's in the sudoers file.
sudoers - this is the only file that sudo reads from. Permissions on this file should be 0400 and owned/group-owned by root only. Nobody should see who has access to root privileges because that shows who's got what for privileges and hack attempts against said accounts could happen.
Users and commands:
Below is a setup showing what a sample file might look like.
root ALL = (ALL) ALL
user4 ALL = (ALL) ALL
SU_Users ALL = (ALL) SU_CMD
MISC_Users ALL = (ALL) MISC_CMD
What this means is that root can run sudo as anyone. On some setups, root isn't allowed to run sudo. This is for various security reasons. User4 is also allowed to run sudo as anyone else (similar to su username -c) and run anything as root. SU_Users (user1) can only use sudo to run su (good for giving certain people like sysadmins the ability to su to root), whereas MISC_Users (user2 and user3) can only use sudo to run commands that are absolute-path (so they can't create their own foo/bar and run it as root, hehe).
What does this mean for me?
Get good with sudo and configuration files and you'll be able to lock down who can do what. Add in Matty_Cross' help with the suid bit on su and you can secure your access through su to root by sudo. This allows you to give out "root access" without having to give up root passwords which have to be changed every time someone leaves, etc etc. Add in that it logs to syslog (or whatever file your machine logs to) and you can track every user and every command run with failed attempts going to the console and also to email recipients (set up upon configure time). No ports are needed open (unless your emails go outside the box or to somewhere else).
Hope this is useful to someone in their attempts to make sudo part of their security scheme.