About
sudo is an command utility that:
- su: switch user su
- and do: execute a command
In other words, it executes a command as another user. (ie it's a proxy authentication utility)
Authorization
It determines who is an authorized user by consulting the sudoers configuration files
Example
sudo -E -i -H -u UserOtherThanRoot
where:
- - H: sets the HOME environment variable to the homedir of the target user
- - u: run the specified command as a user other than root
- -E: takes the environment of the actual user
- -i: run as a login shell. Reading the user environment files.
Configuration Files
sudoers syntax
The sudoers file is composed of two types of entries:
- alias - variable
- user_specification - the rule
When multiple entries match for a user, they are applied in order
Alias
aliases are basically variables that can be user in the user_specification
User_Alias
User_Alias ADMINS = jsmith, mikem
User_Alias WEBMASTERS = will, wendy, wim
RunAsAlias
Runas_Alias - determines the user and/or the group that a command may be run as.
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper
Example with a user_specification
dgb boulder = (ADMINGRP) /bin/ls, (root) /bin/kill, /usr/bin/lprm
The user dgb may run on the host boulder:
- /bin/ls as ADMINGRP,
- /bin/kill, and /usr/bin/lprm as root
ie
sudo -u oper /bin/ls
sudo -u adm /bin/ls
sudo /bin/kill
Host Alias
- Host_Alias
Host_Alias SERVERS = master, mail, www, ns
Command alias
Cmnd_Alias: A command alias defines one or more glob expressions that need to match the command entered to allow it to run.
The alis name must be in uppercase
Example:
- The kill command with any arguments
Cmnd_Alias KILL = /usr/bin/kill*
- All shells
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
User specification
User specifications specify who may run what.
Syntax:
user MACHINE=COMMANDS
user MACHINE=(AS) TAGS COMMAND
More specifically in regular expression EBNF (see the sudoers and search for the section User specification)
Example:
%wheel ALL=(ALL) NOPASSWD: ALL
every user in the group wheel may run:
- on any machine ALL (machine)
- as any user (ALL) (run as)
- without any password NOPASSWD: (tag)
- any command ANY (command)
sudoers files
/etc/sudoers
The default security policy is sudoers, which is configured via the file /etc/sudoers, or via LDAP.
Open the sudoers file
sudo visudo
/etc/sudoers.d/
The last line of the /etc/sudoers files include others configuration that can be added in the directory /etc/sudoers.d/
The last line is not a comment. A comment in the sudoers file as a space after the hash tag
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Example in Azure they will add the file waagent
sshuser ALL=(ALL) NOPASSWD: ALL
/etc/sudo.conf
The sudo configuration is in the file /etc/sudo.conf
Management
Language of the configuration file
wheel / sudo admin group
If the wheel line is uncommented, you got an admin group.
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
Any user in the group wheel can run any command on any host as any user.
Example:
cat /etc/group | grep wheel
wheel:x:27:testuser,sshuser
Allow a user to run a command
In a sudoers file add the following rules:
userName ALL=(ALL) NOPASSWD: /full/path/to/command
# or with the alias command named ALIAS_CMD
userName ALL=(ALL) NOPASSWD: ALIAS_CMD
# or
userName ALL=(ALL) NOPASSWD: /full/path/to/command ARG1 ARG2
Example allow the powercenter user to start and stop its services
powercenter ALL=(ALL) NOPASSWD: /sbin/service infa start
powercenter ALL=(ALL) NOPASSWD: /sbin/service infa stop
Disable password prompt
Disable password prompt for all command.
- Open the sudoers file.
sudo visudo
- Append the following line at the bottom of the sudoers file:
<username> ALL=NOPASSWD: ALL
- Save the file and exit the editor.
- Log out and log in to apply the changes.
Test if allowed
run sudo with the -l or -v flags
Example with the su command
sudo -l su
[sudo] password for gerard:
/bin/su
If a user who is not listed in the sudoers file tries to run a command via sudo without the -l or -v flags, mail is sent to the proper authorities, as defined at configure time or the sudoers file (defaults to root).