The power of sudo.

[instronics]

A little bit of Superuser with sudo >:-)

Once in while its necessary to give a normal user permission to execute a root command. This must be possible in a way without giving that user any root privileges to root files, nor to change the ownership or permissions of certain files or commands. This is where sudo comes in. Sudo is able to let normal users execute root commands or applications which root specifically allows. Imagine that, you the admin, wants to go away for a week, a holiday or whatever, and your company gets a new user. Since only root has the ability to add new users to the system, someone with root privileges has to be here. If your the only root user on these systems, then that might become a problem. With sudo you can specify a user to use the useradd command only. In my case i use sudo for permissions of rebooting or shutting down the systems if i am not here. On my systems only root can reboot or shutdown the systems, so i have given a sudo privilege for the reboot and shutdown commands.

In order to do all this, i would use the command “sudo”. ie.

instronics@server1:~ sudo /sbin/shutdown -h now

this allows me, (user instronics) to shutdown the computer. Note that user instronics is not root.

Once you enter this:

instronics@server1:~ sudo /sbin/shutdown -h now

you get the message on your screen:

We trust you have received the usual lecture from the local system administrator. It usually boils down to these two things:

#1) Respect the privacy of others.
#2) Think before you type.

Password:


Sudo in this case does not expect the root password, but the password of the user which uses the sudo command (in this case instronic's password).

The administrator can specifically define which commands the user can use and which not. The configuration file for sudo is located in /etc/sudoers. To edit this file, you MUST use the script: visudo
Do NOT just edit the file with an editor. Visudo will start the sudoers script using the basic vi editor. If you do not know what vi is and how to use it, then sudo is not for you. You can also find more documentation on sudo by doing a : man 5 sudoers.

Let us take a look at the configuration file itself, and what we can set in it. The general syntax used in this file is: user/group host = command 1, command 2 .....etc.

example:

instronics All = /sbin/shutdown,/sbin/reboot
^user^ ^host^ ^commands^

(note that the second line is only a guideline provided by me, its not in the actual file.)

So, this entry allows the user instronics on all hosts to execute the commands shutdown and reboot.

A more complex example could be like follows.

##########################################
User_Alias ADMINS = instronics,bill
User_Alias WEBMASTER = john,willy
User_Alias SUBSTITUTE = peter,richard

# Cmnd alias specification

Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias APACHE = /etc/init.d/apache


# User privilege specification

root ALL=(ALL) ALL
ADMINS ALL = APACHE, SHUTDOWN
SUBSTITUTE ALL = PRINTING
###########################################

Let me make these settings a bit more clear.

The first 3 entries (User_Alias) we put certain users into categories.
The users in the group/category ADMINS are instronics and bill.
The users in the group/category WEBMASTER are john and willy.
The users in the group/category SUBSTITUTE are peter and richard.

So if i now use the term WEBMASTER for example, then only the uses added into that group are valid.

The next 3 lines (Cmnd_Alias) are the categories of what they may do.
The alias for PRINTING means that only the specified paths to the application can be used by this category, in this case its /usr/sbin/lpc,/usr/bin/lprm
and so one.

Now the last entries are the actual valid sudo entries.
Root is allowed everything on everywhere.
ADMINS (instronics and bill) are allowed to run APACHE and SHUTDOWN on all hosts. The SUBSTITUTE is allowed to print on all hosts.

This is still a very simple and basic sudoers file. It can get a bit more tricky. For example, when it comes to the useradd command. Or the passwd command. How can we make sure that the sudo user does not just passwd root, changing the root password. Hehehehehe

There are ways around this too. Let us actually take a look at an older sudoers file which i had on my older computer some time ago.


instronics@tux:~ su
Password:

tux:~# visudo

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

#Host alias specification

#User alias specification

User_Alias ADMINS = instronics,merlin
User_Alias COADMINS = nikos,b0x

#Cmnd alias specification

Cmnd_Alias PASS = /usr/bin/passwd
Cmnd_Alias IRCD = /sbin/ircd,/sbin/services
Cmnd_Alias REBOOT = /sbin/reboot
Cmnd_Alias IFCONFIG = /sbin/ifconfig
Cmnd_Alias READLOG = /usr/bin/tail

#User privileges specification

root ALL=(ALL) ALL

ADMINS tux = READLOG, IRCD, REBOOT, IFCONFIG
COADMINS tux = READLOG, IRCD
b0x tux = READLOG, REBOOT
instronics all = PASS: ALL, !/usr/bin/passwd, /usr/bin/passwd
[A-z]*, !/usr/bin/passwd root

#EOF

Now this may look a bit complicated, but in reality its really very simple. Let me start at the very top, and explain exactly what all this means.

The user alias ADMINS are myself and my brother.
The user alias COADMINS us a friend of mine, and another user of mine.

The command alias PASS is for the users who are allowed to use the passwd command.
The command alias IRCD is for the users who are allowed to start the ircD and its services.
The command alias REBOOT is for the users who are allowed to reboot the computer.
The command alias IFCONFIG is for the users who are allowed to mess with my network settings.
The command alias READLOG is for the users who are allowed to tail my /var/log/messages.

Root means that the user root can do anything on anywhere. Root is truly god

The ADMINS are allowed to tail the log files, start the ircD with its services, reboot the machine and edit my network configurations only on the host tux.

The COADMINS are allowed to read my log files and start the ircD with its services only on the host tux.

User b0x is allowed to read the log files and to reboot the computer only on the host tux.

User instronics is allowed to use the passwd command on all hosts, with the limitation of not being able to change roots password. The '!' in front of /usr/bin/passwd root, so basicly !/usr/bin/passwd root is excluded from instronic's permission to use the passwd command. The [A-z]* means that the passwd cannot be used for a user whose name consists of symbols. (The use of symbols within the password itself is still ok though).

So once you are done with this file, test it by typing in:

instronics@tux:~ sudo tail -f /var/log/messages

You will then be prompted for your user password and voila, you are tailing your log files as a normal use.

I strongly recommend that you create a test user and experiment a bit with this before actually giving away sudo privileges to other users. This tool is a very important tool in my everyday life, allowing me to execute root commands as a normal user. I hope this helps you a lot.

Once again let me point out that this is a part of my linux distribution (SuSE Linux), and im not aware if this is on any other distributions. Im sure you can get it and make it work on other *nix platforms, since it uses the standard *nix OS type.

Cheers everyone.

[Dhej]

sudo is a wonderful command.

And for all of you that ask why should one take the time to learn vi, well here you have it, that and vipw.

I have always been wondering when a tutorial on sudo would go up...

I would strongly recommend making it a policy not to use su and instead using sudo. When a user runs a command through sudo, it is logged, you know exactly who ran what, so that if they were doing admin stuff and something went wrong and you didn't know which admin to bust on, bingo.

Not to mention that if someone then uses su, it is a sign that something is fishy.

Bewarned though, sudo is only as secure as the programs that you give the users access to. If you give them access to a program that can easily get broken out of into a shell, or one that give you access to run other files, then you are screwed.

MacOS X users should pay special note. If you want to have true power over your system, yet don't want to enable root access (which is advisable), then go into your terminal and learn your *nix commands. Your admin account automagically has all perms via sudo, so any command you could ever need to use you can run. And it you don't want to use you admin account for everyday use (also recommended), then just give your user account sudo permissions to the programs you need, or to ALL.

Good tut, instronics.

Be of good cheer,
Dhej

[instronics]

Great addon there you posted Dhej, thanks for your support.

Cheers