SH - Sudo ("superuser do", nowadays read as "substitute user do")

1 - About

sudo executes a command as another user (root by default).

sudo determines who is an authorized user, and what they may run, by consulting the sudoers policy: the file /etc/sudoers and the drop-ins under /etc/sudoers.d/, or LDAP.

3 - Example


sudo -H -u UserOtherThanRoot command

where:

  • -H: sets the HOME environment variable to the home directory of the target user, so dotfiles are read from and written to that directory rather than the invoking user's
  • -u: runs the command as the given user instead of the default, root

4 - Configuration Files

4.1 - sudoers syntax

The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). Defaults lines, which tune options, may also appear.

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used, which is not necessarily the most specific match.

4.1.1 - Alias

Aliases are basically variables that can be used in user specifications. There are four kinds: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. An alias name must start with an uppercase letter and may contain only uppercase letters, digits and underscores.

4.1.1.1 - User_Alias

User_Alias ADMINS = jsmith, mikem
User_Alias WEBMASTERS = will, wendy, wim

4.1.1.2 - Runas_Alias

Runas_Alias - determines the user and/or the group that a command may be run as. Example:


Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper

Example with a user specification


dgb boulder = (ADMINGRP) /bin/ls, (root) /bin/kill, /usr/bin/lprm

The user dgb may run on the host boulder:

  • /bin/ls as any user in ADMINGRP, i.e. as adm or oper,
  • /bin/kill and /usr/bin/lprm as root (the (root) runas list carries over to the following command in the list)

i.e.:


sudo -u oper /bin/ls
sudo -u adm /bin/ls
sudo /bin/kill

4.1.1.3 - Host_Alias

Host_Alias - defines a list of hosts (host names, IP addresses or networks). Example:

Host_Alias SERVERS = master, mail, www, ns

4.1.1.4 - Cmnd_Alias

Cmnd_Alias - defines a list of commands (full paths, optionally with arguments). Example:

Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh

4.1.2 - User specification

User specifications specify who may run what.

Syntax:


user    HOST = COMMAND_LIST
user    HOST = (RUNAS_USER:RUNAS_GROUP) TAG: COMMAND, ...

where user may be a user name, a %group or a User_Alias; HOST a host name or Host_Alias; the (runas) part is optional and defaults to root; and a TAG such as NOPASSWD: applies to the commands that follow it in the list.

The full grammar, in EBNF, is in the sudoers(5) manual page under the section "User specification".

Example:


%wheel	ALL=(ALL) NOPASSWD: ALL

every user in the group wheel may run:

  • on any machine: ALL (host)
  • as any user: (ALL) (runas)
  • without entering a password: NOPASSWD: (tag)
  • any command: ALL (command)
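To make the alias and user-specification rules above concrete, including the dgb/boulder Runas_Alias example and the last-match-wins rule, here is a small evaluator. It is an added example, not part of this page or of sudo: its parser handles only the syntax used on this page, SAMPLE and GROUPS are constructed inputs (a sudoers fragment and a stand-in for /etc/group), and command matching is exact-string only.

```python
"""Evaluate the sudoers(5) subset used on this page: the four alias kinds,
%group users, the (runas) list, NOPASSWD/PASSWD tags, '!' exclusions and
last-match-wins. Added example, not the page's or sudo's code. Commands are
compared as exact strings; the runas group part after ':' is ignored."""
import re

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def _split_list(text):
    """Split a comma-separated sudoers list, ignoring commas inside (...)."""
    items, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return items + [cur.strip()] if cur.strip() else items

def _parse_cmnd_list(text):
    """'(ADMINGRP) /bin/ls, (root) NOPASSWD: /bin/kill, /usr/bin/lprm' ->
    [(runas_list, nopasswd, command), ...]; runas (default root) and tags
    carry over to the following commands until overridden."""
    entries, runas, nopasswd = [], ["root"], False
    for item in _split_list(text):
        m = re.match(r"\(([^)]*)\)\s*(.*)", item)
        if m:
            runas = _split_list(m.group(1).split(":")[0]) or ["root"]
            item = m.group(2)
        m = re.match(r"(NOPASSWD|PASSWD):\s*(.*)", item)
        if m:
            nopasswd, item = m.group(1) == "NOPASSWD", m.group(2)
        entries.append((runas, nopasswd, item.strip()))
    return entries

def parse_sudoers(text):
    """Return (aliases, specs); specs is a list of (users, hosts, cmnd_entries)."""
    aliases, specs = {k: {} for k in ALIAS_KINDS}, []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("Defaults"):
            continue  # comments, #include directives and Defaults are skipped
        kind = line.split(None, 1)[0]
        if kind in ALIAS_KINDS:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = _split_list(members)
            continue
        left, right = line.split("=", 1)
        lists, cur = [], []  # 'jsmith, mikem  boulder, mail' -> users, hosts
        for tok in left.split():
            cur.extend(t for t in tok.split(",") if t)
            if not tok.endswith(","):
                lists.append(cur)
                cur = []
        specs.append((lists[0], lists[1], _parse_cmnd_list(right)))
    return aliases, specs

def _matches(item, value, kind, aliases, groups):
    """Does one list element (name, alias, %group, ALL or !negation) match value?"""
    if item.startswith("!"):
        return not _matches(item[1:], value, kind, aliases, groups)
    if item == "ALL":
        return True
    if item in aliases[kind]:
        return any(_matches(m, value, kind, aliases, groups) for m in aliases[kind][item])
    if item.startswith("%") and kind in ("User_Alias", "Runas_Alias"):
        return value in groups.get(item[1:], ())
    return item == value

def check(sudoers_text, user, host, runas, command, groups):
    """May `user` on `host` run `command` as `runas`? The LAST matching entry
    wins: '(ALL) ALL, !SHELLS' denies the shells, a later ALL would re-allow."""
    aliases, specs = parse_sudoers(sudoers_text)
    verdict = {"allowed": False, "nopasswd": False}
    for users, hosts, cmnds in specs:
        if not any(_matches(u, user, "User_Alias", aliases, groups) for u in users):
            continue
        if not any(_matches(h, host, "Host_Alias", aliases, groups) for h in hosts):
            continue
        for runas_list, nopasswd, cmnd in cmnds:
            if not any(_matches(r, runas, "Runas_Alias", aliases, groups) for r in runas_list):
                continue
            if _matches(cmnd.lstrip("!"), command, "Cmnd_Alias", aliases, groups):
                verdict = {"allowed": not cmnd.startswith("!"), "nopasswd": nopasswd}
    return verdict

SAMPLE = """\
User_Alias  ADMINS = jsmith, mikem
Runas_Alias ADMINGRP = adm, oper
Host_Alias  SERVERS = master, mail, www, ns
Cmnd_Alias  SHELLS = /usr/bin/sh, /usr/bin/csh, \\
                     /usr/bin/ksh
Defaults    env_reset
dgb     boulder = (ADMINGRP) /bin/ls, (root) /bin/kill, /usr/bin/lprm
ADMINS  SERVERS = (ALL) ALL, !SHELLS
%wheel  ALL = (ALL) NOPASSWD: ALL
"""
GROUPS = {"wheel": {"testuser", "sshuser"}}  # constructed view of /etc/group
```

check(SAMPLE, "dgb", "boulder", "oper", "/bin/ls", GROUPS) is allowed while the same command as root is not, because root is not in ADMINGRP. check(SAMPLE, "jsmith", "www", "root", "/usr/bin/sh", GROUPS) is denied because the !SHELLS exclusion is the last match, whereas /usr/bin/vim is allowed; sudoers(5) warns that such exclusions are bypassable (copy the shell under another name), so deny lists should not be relied on for security.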

4.2 - sudoers files

4.2.1 - /etc/sudoers

The default security policy plugin is sudoers, which is configured via the file /etc/sudoers, or via LDAP.

Always edit the file with visudo: it locks the file against concurrent edits and checks the syntax before installing it, so a typo cannot lock everyone out of sudo.


sudo visudo

4.2.2 - /etc/sudoers.d/

The last line of /etc/sudoers includes the drop-in files placed in the directory /etc/sudoers.d/

The last line is not a comment even though it starts with a hash: #include and #includedir are directives (sudo 1.9.1 and later also accept the unambiguous @include and @includedir spelling). Any other line starting with # is a comment.

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Drop-ins are parsed in sorted lexical order, and files whose names contain a dot or end in ~ are skipped, so a file named admins.conf or an editor backup sudoers~ is silently ignored. Since the last match wins, a rule in a drop-in overrides an earlier rule in /etc/sudoers for the same user and command. Edit drop-ins with visudo -f /etc/sudoers.d/NAME and keep them mode 0440, owned by root.

Example: on Azure VMs the Linux agent (waagent) adds a drop-in named waagent that grants the provisioned user passwordless sudo:


sshuser ALL=(ALL) NOPASSWD: ALL
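Because the drop-in rules are easy to get wrong (a file named admins.conf is skipped, 1_whoops loads after 10_second), here is a small script that shows which files sudo would read from a sudoers.d directory and in which order, and flags group- or world-writable drop-ins, which sudo rejects. It is an added example, not the page's or sudo's code; the directory and its files are constructed in a temporary directory, and it checks only the write bits, not the root ownership sudo also requires.

```python
"""Which drop-ins in a sudoers.d directory sudo will read, and in what order.

Added example, not the page's or sudo's code. Rules from sudoers(5) for
#includedir / @includedir: files are parsed in sorted lexical order, and
files whose names contain a '.' or end in '~' are skipped. Drop-ins that are
group- or world-writable are refused by sudo (root ownership is required too,
but the constructed temporary files here belong to the current user)."""
import os
import stat
import tempfile


def included_files(dirpath):
    """Names sudo would parse, in parse order (plain byte-order sort)."""
    return [n for n in sorted(os.listdir(dirpath))
            if "." not in n and not n.endswith("~")]


def writable_by_others(dirpath):
    """Included drop-ins whose mode has group or other write bits set."""
    bad = []
    for name in included_files(dirpath):
        mode = os.stat(os.path.join(dirpath, name)).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(name)
    return bad


def demo():
    """Build a constructed sudoers.d and return (parse order, rejected files)."""
    files = [("01_first", 0o440), ("10_second", 0o440), ("1_whoops", 0o440),
             ("waagent", 0o440), ("admins.conf", 0o440), ("10_second~", 0o440),
             ("99_ops", 0o660)]
    with tempfile.TemporaryDirectory() as d:
        for name, mode in files:
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("# constructed drop-in\n")
            os.chmod(path, mode)
        return included_files(d), writable_by_others(d)


if __name__ == "__main__":
    order, rejected = demo()
    print("parse order:", order)          # 1_whoops sorts after 10_second
    print("rejected (writable):", rejected)
```

Note that the sort is lexical, not numeric: 1_whoops is parsed after 10_second, so a "last" override placed in a file named 1_something may not be last at all.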

4.3 - /etc/sudo.conf

The configuration of the sudo front end itself (which security policy and I/O logging plugins to load, the askpass helper path, debugging) is in the file /etc/sudo.conf. The policy rules themselves live in /etc/sudoers.

5 - Management


5.1 - wheel / sudo admin group

If the %wheel line in /etc/sudoers is uncommented, membership of the wheel group is what grants administrative rights (Debian and Ubuntu use the group sudo for the same purpose).


## Allows people in group wheel to run all commands
%wheel	ALL=(ALL) ALL

Any user in the group wheel can run any command on any host as any user, after entering their own password.

Example: list the members of the group


grep '^wheel:' /etc/group


wheel:x:27:testuser,sshuser

5.2 - Allow a user to run a command

In a sudoers file add the following rules:


userName ALL=(ALL) NOPASSWD: /full/path/to/command
# or
userName ALL=(ALL) NOPASSWD: /full/path/to/command ARG1 ARG2

A command listed without arguments may be run with any arguments, so the first form lets the user run /full/path/to/command however they like; listing the arguments restricts the user to exactly that command line (use "" to allow the command only with no arguments). Prefer the most specific form that still does the job, and avoid programs that can spawn a shell or open arbitrary files (editors, pagers, interpreters), since those give root either way.

Example: allow the powercenter user to start and stop its services


powercenter  ALL=(ALL) NOPASSWD: /sbin/service infa start
powercenter  ALL=(ALL) NOPASSWD: /sbin/service infa stop
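The difference between the three rule forms above (no arguments, exact arguments, "") comes down to how sudoers matches the argument string. The following added example (not the page's or sudo's code) reproduces that matching with Python's fnmatch, including the wildcard pitfall documented in sudoers(5). POWERCENTER_RULES and LOG_RULE are constructed inputs, and the rule tokenizer (shlex) is a simplification of sudo's own lexer.

```python
"""How sudoers matches command-line arguments (added example, not sudo's code).

sudoers(5) rules: a command listed without arguments may be run with ANY
arguments; a command followed by "" may only be run with no arguments;
otherwise the actual arguments, joined by single spaces, must match the rule's
argument pattern, which may contain shell wildcards (fnmatch semantics, where
'*' also matches spaces)."""
import fnmatch
import shlex


def rule_allows(rule, argv):
    """rule: the command part of a sudoers entry, e.g. '/sbin/service infa start'.
    argv: the command the user actually runs, argv[0] being the resolved path."""
    parts = shlex.split(rule)          # simplification of the sudoers lexer
    path, arg_pattern = parts[0], parts[1:]
    if not fnmatch.fnmatchcase(argv[0], path):   # wildcards are allowed in the path too
        return False
    if not arg_pattern:                # '/sbin/service'      -> any arguments allowed
        return True
    if arg_pattern == [""]:            # '/sbin/service ""'   -> no arguments allowed
        return len(argv) == 1
    # '/sbin/service infa start' -> exact; '/bin/cat /var/log/messages*' -> wildcard
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(arg_pattern))


def allowed_by_any(rules, argv):
    """Return the first rule in `rules` that permits argv, or None."""
    for rule in rules:
        if rule_allows(rule, argv):
            return rule
    return None


# The page's powercenter rules: only the two exact argument strings match.
POWERCENTER_RULES = ["/sbin/service infa start", "/sbin/service infa stop"]

# Wildcard pitfall from sudoers(5): '*' matches across spaces, so this rule
# also lets the user read any file as root by passing a second argument.
LOG_RULE = "/bin/cat /var/log/messages*"

if __name__ == "__main__":
    print(allowed_by_any(POWERCENTER_RULES, ["/sbin/service", "infa", "start"]))
    print(allowed_by_any(POWERCENTER_RULES, ["/sbin/service", "sshd", "stop"]))
    print(rule_allows(LOG_RULE, ["/bin/cat", "/var/log/messages", "/etc/shadow"]))
```

The last case is why `*` in an argument pattern is dangerous: `*` also matches spaces, so `/bin/cat /var/log/messages*` permits `cat /var/log/messages /etc/shadow`. Prefer exact argument lists, or the regular-expression syntax (patterns enclosed in ^ and $) available in sudo 1.9.10 and later.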

5.3 - Disable password prompt

Disable the password prompt for all commands.

  • Open the sudoers file:

sudo visudo

  • Append the following line at the bottom of the sudoers file (no runas part is given, so the commands run as root; putting the line last matters because the last matching entry wins):

<username> ALL=NOPASSWD: ALL

  • Save the file and exit the editor.

The change takes effect immediately: sudo reads the sudoers policy on every invocation, so there is no need to log out and back in. Note that this removes the only check between a hijacked session of that user and root; restrict it to a specific command list where possible.

5.4 - Test if allowed

Run sudo with the -l (list) flag, optionally followed by a command, to see what the sudoers policy permits for the invoking user; -v (validate) only refreshes the cached credentials. Neither executes the command.

Example with the su command


$ sudo -l su


[sudo] password for gerard:
/bin/su

If a user who is not listed in the sudoers file tries to run a command via sudo, mail is sent to the proper authorities, as defined at configure time or in the sudoers file (the mailto option, which defaults to root). No mail is sent when the unauthorized user only runs sudo with -l or -v, so users can check for themselves whether they may use sudo. sudo -l -U otheruser lists another user's rights; the sudoers policy allows this only for root or a user with the ALL privilege on the current host.
