root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
The two lines above state that root and users belonging to the wheel group can execute any command, on any host, as any other user. The general shape of a sudoers rule is:
user | %group host = (alt_user[:alt_group]) [NOPASSWD:] command
The 1st parameter (root and %wheel above) lists the users or groups (by name or by UID/GID), local or from a directory service (LDAP, NIS, NIS+), that the rule applies to. The list can mix comma-separated entries of the following forms:
Format            Description                                   Example
username          user name                                     john
#uid              user ID                                       #1004
%group            group name                                    %wheel
%#gid             group ID                                      %#923
+netgroup         NIS netgroup                                  +admins
%:nonunix_group   external (non-Unix) group, e.g. from LDAP or AD   %:sysad
%:#nonunix_gid    external (non-Unix) group ID                  %:#sysadmins
User_Alias        a previously defined alias                    ADMIN_GRP
The 2nd parameter (the ALL before =) states the hosts to which the rule applies. It is set to ALL by default so that the same sudoers file can be shared across multiple servers (e.g. an rsync job running every night and overwriting sudoers across the estate). If we want the rule to apply to just one or a few hosts, we can list them here, but care should be taken because of sudo's limitations in this respect: for example, IP 127.0.0.1 or localhost will not be understood. If we name a host explicitly, it is best to give an IP address with a netmask (e.g. 192.168.100.67/24) or a hostname with wildcards (nfsserver1*).
The 3rd parameter states the user or group the command can be run as and it can be split in two: username & group. For example:
%wheel ALL = (oracle:dba) ORACLE_HOME/bin/*
The command above would let all users in the wheel group run any binary in the ORACLE_HOME as user oracle or group dba. We can also state multiple users and groups…
%wheel ALL = (oracle, oinstall : dba, oinstall) ORACLE_HOME/bin/*
If we are a wheel user and need to execute a certain command as user oracle or as group dba, we would do so as follows (the binary lives under $ORACLE_HOME/bin, which is what the rule above permits):
marc:~> sudo -u oracle $ORACLE_HOME/bin/sqlplus / as sysdba
marc:~> sudo -g dba $ORACLE_HOME/bin/sqlplus / as sysdba
The 4th parameter is the command, or comma-separated list of commands, that may be run, with the optional “NOPASSWD:” tag in front.
If some of the parameters are too long for comfortable reading or are repeated several times, we can use aliases. There are 4 types of alias: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Some examples of aliasing can be found in the default /etc/sudoers:
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper

# Host alias specification (several aliases in one statement, separated by ':'
# and continued with a trailing backslash)
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
           SGI = grolsch, dandelion, black :\
           ALPHA = widget, thalamus, foobar :\
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
The customisation options sudo offers are many, so it is best to check the man pages for sudo and sudoers and to look up examples online. We shall close this overview with a few more examples.
The next rule grants user marc permission to run the shutdown command from any machine on the local network without being prompted for a password.
marc 192.168.0.0/24 = (root) NOPASSWD: /sbin/shutdown -h now
The next rule grants user peter the right to change the password of any user other than root from the given network (the argument is matched with a shell-style glob and the root case is excluded with “!”).
peter 192.168.0.0/24 = /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root
The next rule grants users in the wheel group the right to run any command from the given class B network, except from the host master1 and from the subnet 192.168.100.0/24.
%wheel 192.168.0.0/16, !master1.bogomips.net, !192.168.100.0/24 = (ALL) ALL
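To see how the four parameters described above combine on the three closing rules, here is an added example (not from the original post or from sudo itself): a small evaluator for this rule shape, without aliases or Defaults, that applies sudo's last-match-wins and “!” negation semantics; the RULES list and the users, hosts and addresses passed to check() are constructed.

```python
import fnmatch, ipaddress

def _host_matches(spec, host, ip):  # an IP/CIDR (host bits tolerated) or a hostname glob
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:  # not an address, so treat it as a hostname pattern
        return fnmatch.fnmatchcase(host, spec)

def _cmd_matches(spec, cmd):  # a spec without arguments permits any arguments, as in sudoers
    return fnmatch.fnmatchcase(cmd if " " in spec else cmd.split(" ")[0], spec)

def _last_match(specs, matcher):  # '!'-negatable comma list: last match decides, None if none
    verdict = None
    for spec in specs:
        if matcher(spec.lstrip("!")):
            verdict = not spec.startswith("!")
    return verdict

def parse_rule(line):  # 'user host[,host...] = [(runas[:group])] [NOPASSWD:] cmd[,cmd...]'
    left, rest = line.split("=", 1)
    user, hosts = left.split(None, 1)
    rest, runas = rest.strip(), "root"  # omitted Runas_Spec means runas_default (root)
    if rest.startswith("("):
        runas, rest = rest[1:].split(")", 1)
        runas = runas.split(":")[0]  # the runas group part is not modelled here
    rest = rest.strip()
    nopasswd = rest.startswith("NOPASSWD:")
    split = lambda s: [x.strip() for x in s.split(",")]
    return {"user": user, "hosts": split(hosts), "runas": split(runas),
            "nopasswd": nopasswd, "cmds": split(rest[9:] if nopasswd else rest)}

def check(rules, user, groups, host, ip, runas, cmd):
    # Return (allowed, password_needed); a later matching rule overrides an earlier one.
    allowed, needs_pw = False, True
    for r in map(parse_rule, rules):
        u = r["user"]
        if ((u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups))
                and _last_match(r["hosts"], lambda s: s == "ALL" or _host_matches(s, host, ip))
                and _last_match(r["runas"], lambda s: s in ("ALL", runas))):
            verdict = _last_match(r["cmds"], lambda s: s == "ALL" or _cmd_matches(s, cmd))
            if verdict is not None:
                allowed, needs_pw = verdict, not r["nopasswd"]
    return allowed, needs_pw

RULES = [  # constructed rule set: the closing examples from the text plus the root rule
    "root ALL = (ALL) ALL",
    "marc 192.168.0.0/24 = (root) NOPASSWD: /sbin/shutdown -h now",
    "peter 192.168.0.0/24 = /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root",
    "%wheel 192.168.0.0/16, !master1.bogomips.net, !192.168.100.0/24 = (ALL) ALL",
]
```

For instance, check(RULES, "peter", set(), "ns1", "192.168.0.20", "root", "/usr/bin/passwd root") returns (False, True) because the negated entry is the last one that matches, while the same call with "/usr/bin/passwd john" returns (True, True).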
All the changes above can be made by running visudo (or by editing /etc/sudoers directly), but in many cases it is advisable to put changes in files under /etc/sudoers.d rather than in the master sudoers file. For instance:
leap:/etc/sudoers.d # cat /etc/sudoers.d/01_custom
Defaults logfile=/var/log/sudo.log
Defaults log_input,log_output
Defaults lecture=never
Defaults passwd_tries=5
Defaults requiretty
Defaults use_pty
We want to know about any suspicious activity performed through sudo, so enabling logging with the logfile parameter is a must. Without it, sudo sends its logs to syslog, where they are mixed with the messages of many other daemons.
The log_input and log_output parameters record the I/O of each sudo session into a tree of directories under /var/log/sudo-io. Good to know who does what with sudo…
Lecturing users about the usage of sudo is generally unnecessary, hence lecture=never.
The maximum number of password tries is usually set to 3 before the session is kicked out. We might have a bad day, or Caps Lock enabled inadvertently, or the wrong keyboard layout, etc., so 5 looks more reasonable to me.
The parameter requiretty is used to restrict usage of sudo to existing terminals and thus it can only be used by real users (not by cron, atd, etc).
Finally, the use_pty parameter limits the use of sudo to processes attached to a terminal. So processes running in the background cannot sudo!
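To act on the logfile recommended above, the following added example (not from the original post) parses records in the layout sudo writes to its logfile, rejoins records wrapped at loglinelen (assumed here to continue on indented lines), and flags refused commands, failed password attempts and shell-like commands taken from the SHELLS and SU aliases shown earlier; the log lines are constructed.

```python
import re

SHELL_LIKE = {"sh", "csh", "ksh", "tcsh", "rsh", "bash", "su"}  # the SHELLS and SU aliases
FIELD_RE = re.compile(r"(TTY|PWD|USER|COMMAND)=(.*?)(?: ; |$)")

def join_wrapped(lines):
    # sudo wraps long records at loglinelen; continuation lines start with whitespace
    # (assumption), so glue them back onto the record they belong to.
    records = []
    for line in lines:
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.rstrip())
    return records

def parse_record(record):
    # '<time> : <user> : [<message> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..'
    when, user, rest = (p.strip() for p in record.split(" : ", 2))
    entry = {"time": when, "user": user, "status": "OK"}
    if not rest.startswith("TTY="):  # a message before TTY= means sudo refused or failed
        entry["status"], rest = rest.split(" ; ", 1)
    entry.update(FIELD_RE.findall(rest))
    return entry

def suspicious(entries):
    # Return (user, reason, command) for every record worth a closer look.
    alerts = []
    for e in entries:
        prog = e.get("COMMAND", "").split(" ")[0].rsplit("/", 1)[-1]
        if e["status"] != "OK":
            alerts.append((e["user"], e["status"], e.get("COMMAND", "")))
        elif prog in SHELL_LIKE:
            alerts.append((e["user"], "interactive shell as " + e.get("USER", "?"), e["COMMAND"]))
    return alerts

def report(text):
    return suspicious(parse_record(r) for r in join_wrapped(text.splitlines()))

SAMPLE_LOG = """\
Jun 10 12:00:01 : marc : TTY=pts/0 ; PWD=/home/marc ; USER=root ; COMMAND=/sbin/shutdown -h now
Jun 10 12:01:15 : peter : command not allowed ; TTY=pts/1 ; PWD=/home/peter ; USER=root ;
    COMMAND=/usr/bin/passwd root
Jun 10 12:02:30 : peter : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/peter ; USER=root ; COMMAND=/bin/bash
Jun 10 12:03:02 : anna : TTY=pts/2 ; PWD=/srv ; USER=oracle ; COMMAND=/bin/sh
Jun 10 12:04:40 : anna : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/kill -HUP 4242
"""  # constructed sample in the logfile layout; the second record is wrapped
```

report(SAMPLE_LOG) returns three alerts: peter's refused passwd run, peter's failed password attempts, and anna's shell as oracle; the successful shutdown and kill records pass silently.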