sudo command

Sudo command enables the execution of commands with the privileges of another user (including root). Hence, it allows far more fine-grained control of what users can do than su. The configuration file for the sudo utility is /etc/sudoers. Let’s have a look at some entries in /etc/sudoers to get to know how to customise it:

  root        ALL = (ALL)   ALL
%wheel        ALL = (ALL)   ALL

The commands above state that “root” and users belonging to the wheel group can execute any command, in any host as any other user. The format of a sudo record should be:

user | group       command = [host]     alt_user

The 1st parameter (root & wheel) lists the users or groups (by name or UID/GID), from localhost or network (LDAP, NIS, NIS+) that the rule applies to. This list can be a mixture of comma-separated values:

Format                  Description                          Example
username                user name                            john
#uid                    user ID                              #1004
%group                  group name                           %wheel
%#gid                   group ID                             %#923
+netgroup               NIS group                            +admins
%:nounix_group          external user (eg LDAP or AD)        %:sysad
%:#nounix_gid           external group                       %:#sysadmins
User alias              previously specified alias           ADMIN_GRP

The 2nd parameter (ALL before =) states the hosts to which the rule applies. It is set to ALL by default so that the sudoers configuration can be shared across multiple servers (e.g. we might have an rsync running every night overwritting sudoers across the state). If we want the rule to apply to just one or a few hosts, we can list them here. But care should be taken because of the limitations of sudo in this respect. For example, IP 127.0.0.1 or localhost won’t be understood. If we state a host explicitly, it is best to state the IP with netmask (e.g. 192.168.100.67/24) or the hostname with wildcards (nfsserver1*).

The 3rd parameter states the user or group the command can be run as and it can be split in two: username & group. For example:

        %wheel ALL = (oracle:dba) ORACLE_HOME/bin/*

The command above would let all users in the wheel group run any binary in the ORACLE_HOME as user oracle or group dba. We can also state multiple users and groups…

        %wheel ALL = (oracle, oinstall : dba, oinstall) ORACLE_HOME/bin/*

If we are a wheel user and then we need to execute a certain command as user oracle or group dba, we would do so as follows:

marc:~> sudo -­u oracle $ORACLE_HOME/sqlplus / as sysdba
marc:~> sudo ­-g dba $ORACLE_HOME/sqlplus / as sysdba

The 4th parameter is the command or list of commands that can be run with the optional “NOPASSWD:” clause in front.

If some of the parameters are too long for comfortable reading or are repeated a few times, then we can use aliases. There are 4 types of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Some examples of aliasing can be found in the default /etc/sudoers:

# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
.
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper
.
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :
SGI = grolsch, dandelion, black :
ALPHA = widget, thalamus, foobar :
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
.
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore,/usr/sbin/restore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
.
root   ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

The options for customisation sudo offers are many so it’s best to check the man pages for sudo and /etc/sudoers and Google examples. But we shall close this overview with a few more examples.

The next command grants user marc permission to run the shutdown command from any machine on the local network without being prompted for a password.

     marc 192.168.0.0/24 = (root) NOPASSWD : /sbin/shutdown -­h now

The next command grants user peter the right to change password for any user other than root in the given network.

     peter  192.168.0.0/24 = /usr/bin/passwd [A­Za­z0­9]+, !/usr/bin/passwd root

The next command grants users in the wheel group the right to run any command in the given B class network except for the hostname master1 and the subnet 192.168.100.0/24.

     %wheel  192.168.0.0/16, !master1.bogomips.net, !192.168.100.0/24 = (ALL) ALL

<< su command          Access Control Lists >>