sudoers - list of which users may execute what
First things first: back up your /etc/sudoers file.
Always use "visudo".
Keep checking your logs - /var/log/secure - for violations with sudo.
Files to look out for:
/etc/sudoers
/var/log/secure
visudo
The sudoers file is composed of two types of entries:
1) aliases (basically variables) and
2) user specifications (which specify who may run what).
Imp: When multiple entries match for a user, they are applied in order.
Where there are conflicting values, the last match is used (which is
not necessarily the most specific match).
1. Aliases
There are four kinds of aliases [all are reserved/key words]:
User_Alias
Cmnd_Alias
Runas_Alias
Host_Alias
Each alias definition is of the form
Alias_Type NAME = item1, item2, ...
where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
underscore characters ('_'). A NAME must start with an uppercase letter.
It is possible to put several alias definitions of the same type
on a single line, joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
----------------------------------------------------------------------------
E X A M P L E S
----------------------------------------------------------------------------
Example 1
# Define aliases for easier reading, understanding and future updates
User_Alias HTTPD_FULL = foo
User_Alias HTTPD_RESTRICTED = bar
Cmnd_Alias WEBANY = /etc/init.d/httpd *
Cmnd_Alias WEBRESTART = /etc/init.d/httpd start, /etc/init.d/httpd stop
# User bar can only run the start and stop options while foo can use all
HTTPD_FULL ALL = (ALL) WEBANY
HTTPD_RESTRICTED ALL = (ALL) WEBRESTART
Users in HTTPD_RESTRICTED can run httpd only with the start/stop option, while
those in HTTPD_FULL can run it with any argument it supports, viz. restart,
configtest etc.
After logging in, this is what foo would type:
# sudo /etc/init.d/httpd restart (or any other supported option)
After logging in, this is ALL that bar would be able to do:
# sudo /etc/init.d/httpd stop (or start) ONLY
bar will not be able to use the other options such as configtest,
reload, status etc.
----------------------------------------------------------------------------
Note:
ALL: built-in command alias. If no list of users is specified in parentheses, sudo
will run the commands only as root.
Note:
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
This means let root and any user in group wheel run any command on any host
as any user.
----------------------------------------------------------------------------
Example 2
foo server = (operator) /bin/ls, (root) /usr/sbin/adduser, /usr/sbin/userdel
User foo is now allowed to run /bin/ls as operator, and /usr/sbin/adduser
and /usr/sbin/userdel as root, on machine server.
After logging in, this is what foo would have to type :
# sudo -u operator /bin/ls
# sudo /usr/sbin/adduser someuser
# sudo /usr/sbin/userdel -r someuser
----------------------------------------------------------------------------
Example 3
foo server = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user foo may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
as "operator" [must be a Valid Linux User and is created by default by RHL]
on machine server. E.g.,
After logging in, this is what foo would have to type :
# sudo -u operator /bin/ls
----------------------------------------------------------------------------
Example 4
foo server = NOPASSWD: /usr/sbin/adduser, /usr/sbin/userdel
would allow the user foo to run adduser, userdel as root on the machine server
without authenticating himself.
After logging in, this is what foo would have to type :
# sudo /usr/sbin/adduser someuser
# sudo /usr/sbin/userdel -r someuser
No password would be asked in either case
----------------------------------------------------------------------------
Example 5
If we only want foo to be able to run /usr/sbin/adduser without a password,
but to delete a user with /usr/sbin/userdel he will have to give his password:
foo server = NOPASSWD: /usr/sbin/adduser, PASSWD: /usr/sbin/userdel
----------------------------------------------------------------------------
Example 6
foo server = NOPASSWD: /usr/bin/*, PASSWD: /bin/ls, /usr/bin/lprm
foo may run any command under /usr/bin/ on server without a password, but must
give his password for /bin/ls and /usr/bin/lprm (for lprm both entries match, and
the later PASSWD entry wins). The wildcard does not cross a directory boundary:
/usr/bin/* matches /usr/bin/who but not /usr/bin/X11/xterm.
----------------------------------------------------------------------------
Example 7
# Define aliases for machines in the Maths and CS depts
Host_Alias CS = cerf, postel, behlendorff, wall, allman, venema
Host_Alias MATHS = newton, leibnitz, fourier, laplace, riemann
# Define collections of commands
Cmnd_Alias DUMP = /sbin/dump, /sbin/restore
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/csh, /bin/bash, /bin/ash, /bin/bsh
# Permissions
foo, bar MATHS = ALL
# Users foo and bar can run any command on all machines in the MATHS group. Since no
# list of users is specified in parentheses, sudo will only run the commands as root.
superman CS = /usr/sbin/tcpdump : MATHS = (operator) DUMP
# Allows superman to run tcpdump on all CS group machines, and the commands specified
# by DUMP on all MATHS group machines but only as operator.
# Hence superman would have to type
# % sudo -u operator /sbin/dump 0u /dev/hda2
flashgordon ALL=(ALL) ALL, !SHELLS
# User flashgordon can run commands as any user on any machine, except that he can't
# run several common shells. He could beat this limitation with:
# cp -p /bin/csh /tmp/csh
# sudo /tmp/csh
# so subtracting commands from ALL with '!' is not an effective restriction; an
# explicit list of the commands a user may run is.
%wheel ALL, !MATHS = NOPASSWD: PRINTING
# All users in group wheel can run lpc and lprm as root on all machines except
# the ones in the MATHS group. Furthermore, no password is required to run the commands.
----------------------------------------------------------------------------
Example 8
User_Alias FULLTIMERS = foo, bar, superman
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (foo, bar, superman) may run any command on any host
without authenticating themselves.
----------------------------------------------------------------------------
Example 9
PARTTIMERS ALL = ALL
Part time sysadmins (the members of the PARTTIMERS alias) may run any command on any host, but they must authenticate themselves first (since the entry lacks the NOPASSWD tag).
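The resolution rules the examples above rely on (alias expansion, (runas) lists, NOPASSWD:/PASSWD: tags, '!' negation, the wildcard rule of Example 6 and the "last match wins" rule from the introduction), as an added example that is not part of the original post and not sudo's own code: a small Python evaluator for the sudoers subset used on this page. The function names and the embedded sample policy are my own; the sample's entries are taken from Examples 1, 6 and 7.

```python
# Added example, not sudo's own code: evaluator for the sudoers subset on this page (aliases
# one per line, (runas), NOPASSWD:/PASSWD:, '!', last match wins; no Defaults/%groups/netgroups).
import fnmatch, re

def _cmd_matches(entry, command):
    path, _, args = command.partition(" ")
    epath, _, eargs = entry.partition(" ")
    # sudoers wildcards never cross '/': /usr/bin/* must not match /usr/bin/X11/xterm
    path_re = re.escape(epath).replace(r"\*", "[^/]*").replace(r"\?", "[^/]") + "$"
    return entry == "ALL" or (bool(re.match(path_re, path))
                              and (not eargs or fnmatch.fnmatchcase(args, eargs)))

def parse(text):
    aliases, specs = {"User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}, []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        kind, (left, right) = line.split()[0], line.split("=", 1)
        if kind in aliases:
            aliases[kind][left[len(kind):].strip()] = [i.strip() for i in right.split(",")]
        else:                                       # 'user1, user2 HOST = cmnd list'
            *users, host = left.replace(",", " ").split()
            specs.append((users, host, right.strip()))   # order matters: last match wins
    return aliases, specs

def _member(name, item, table):
    return item in ("ALL", name) or any(_member(name, i, table) for i in table.get(item, []))

def check(policy, user, host, command, runas="root"):
    """Return (allowed, password_required); the LAST matching entry decides."""
    aliases, specs = policy
    verdict = (False, True)
    for users, hosts, cmnds in specs:
        if not (any(_member(user, u, aliases["User_Alias"]) for u in users)
                and _member(host, hosts, aliases["Host_Alias"])):
            continue
        runas_list, passwd = ["root"], True         # runas and tags persist along the list
        for item in re.split(r",(?![^(]*\))", cmnds):          # don't split inside (a, b)
            m = re.match(r"\s*(?:\(([^)]*)\))?\s*(NOPASSWD:|PASSWD:)?\s*(!?)(.*?)\s*$", item)
            runas_list = [r.strip() for r in m.group(1).split(",")] if m.group(1) else runas_list
            passwd = m.group(2) == "PASSWD:" if m.group(2) else passwd
            if runas in runas_list or "ALL" in runas_list:
                for c in aliases["Cmnd_Alias"].get(m.group(4), [m.group(4)]):
                    if _cmd_matches(c, command):
                        verdict = (m.group(3) == "", passwd)
    return verdict

EXAMPLE = """Cmnd_Alias WEBRESTART = /etc/init.d/httpd start, /etc/init.d/httpd stop
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/csh, /bin/bash
bar ALL = (ALL) WEBRESTART
foo server = NOPASSWD: /usr/bin/*, PASSWD: /bin/ls, /usr/bin/lprm
flashgordon ALL = (ALL) ALL, !SHELLS"""   # constructed sample from Examples 1, 6 and 7
```

check(parse(EXAMPLE), "foo", "server", "/usr/bin/lprm") returns (True, True): the PASSWD entry is the last match, so a password is required even though /usr/bin/* matched first; and flashgordon is refused /bin/csh but not a copy of it under another path, which is the point the '!SHELLS' comment in Example 7 makes.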
----------------------------------------------------------------------------
More EXAMPLES
Below are example sudoers entries. Some of these are a bit contrived.
First, we define our aliases:
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Here we override some of the compiled-in default values. We want sudo
to log via syslog(3) using the auth facility in all cases. We don’t
want to subject the full time staff to the sudo lecture, and user
millert need not give a password. In addition, on the machines in the
SERVERS Host_Alias, we keep an additional local log file and make sure
we log the year in each log line since the log entries will be kept
around for several years.
# Override built in defaults
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
The User specification is the part that actually determines who may run
what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
We let root and any user in group wheel run any command on any host as
any user.
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (millert, mikef, and dowdy) may run any command on
any host without authenticating themselves.
PARTTIMERS ALL = ALL
Part time sysadmins (bostley, jwfox, and crawl) may run any command on
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
jack CSNETS = ALL
The user jack may run any command on the machines in the CSNETS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
in CSNETS, the local machine’s netmask will be used during matching.
lisa CUNETS = ALL
The user lisa may run any command on any host in the CUNETS alias (the
class B network 128.138.0.0).
operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
/usr/oper/bin/
The operator user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory /usr/oper/bin/.
joe ALL = /usr/bin/su operator
The user joe may only su(1) to operator.
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user pete is allowed to change anyone’s password except for root on
the HPPA machines. Note that this assumes passwd(1) does not take
multiple usernames on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user bob may run anything on the SPARC and SGI machines as any user
listed in the OP Runas_Alias (root and operator).
jim +biglab = ALL
The user jim may run any command on machines in the biglab netgroup.
Sudo knows that "biglab" is a netgroup due to the ’+’ prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the secretaries netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
on all machines.
fred ALL = (DB) NOPASSWD: ALL
The user fred can run commands as any user in the DB Runas_Alias (oracle
or sybase) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the ALPHA machines, user john may su to anyone except root but he is
not allowed to give su(1) any flags.
jen ALL, !SERVERS = ALL
The user jen may run any command on any machine except for those in the
SERVERS Host_Alias (master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the SERVERS Host_Alias, jill may run any commands in
the directory /usr/bin/ except for those commands belonging to the SU
and SHELLS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
The user steve may run any command in the directory /usr/local/op_commands/
but only as user operator.
matt valkyrie = KILL
On his personal workstation, valkyrie, matt needs to be able to kill
hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
and wim), may run any command as user www (which owns the web pages) or
simply su(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in the CDROM
Host_Alias (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.
Note:
The sudoers file should always be edited by the visudo command which
locks the file and does grammatical checking.
It is imperative that sudoers be free of syntax errors since sudo will
not run with a syntactically incorrect sudoers file.
FILES
/etc/sudoers List of who can run what
/etc/group Local groups file
/etc/netgroup List of network groups