sudo setup


sudo setup

Postby gnudude » 2009-09-22 18:46

Sudo allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user.

You edit the /etc/sudoers file by using the visudo command which performs some error checking on the file. The visudo command uses the default editor in the Debian alternatives system. To change which editor is the default, use the update-alternatives --config editor command and select your preferred editor.

To set up sudo, add one or more of the following code examples to that file and save it.


if you want to give sudo power for one specific command to one specific user
Code:
user ALL= /usr/sbin/command
(replace user with the username)(replace command with the actual command)


if you want to give sudo power for one specific command with no password requirement to one specific user on the system
Code:
user ALL= NOPASSWD: /usr/sbin/command
(replace user with the username)(replace command with the actual command)


if you want to give sudo power for all commands to one specific user
Code:
user ALL=(ALL) ALL
(replace user with the username)


if you want to give sudo power for all commands with no password requirement to one specific user
Code:
user ALL=(ALL) NOPASSWD: ALL
(replace user with your username)


if you want to give sudo power for all commands to all users on the system
Code:
ALL ALL=(ALL) ALL



if you want to give sudo power for all commands with no password requirement to all users on the system
Code:
ALL ALL=(ALL) NOPASSWD: ALL



if you want to give sudo power for one specific command to a group on the system
Code:
%group ALL = /usr/sbin/command
(replace group with the desired groupname)(replace command with the actual command)


if you want to give sudo power with no password requirement for one specific command to a group on the system
Code:
%group ALL = NOPASSWD: /usr/sbin/command
(replace group with the desired groupname)(replace command with the actual command)


if you want to give sudo power for all commands to a group on the system
Code:
%group ALL = (ALL) ALL
(replace group with the desired groupname)


if you want to give sudo power for all commands with no password requirement to a group on the system
Code:
%group ALL = (ALL) NOPASSWD: ALL
(replace group with the desired groupname)


for even more examples see the next post :shock:
Last edited by gnudude on 2009-09-24 00:13, edited 14 times in total.
gnudude
 
Posts: 1712
Joined: 2009-04-05 17:30
Location: gone....
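A worked version of the patterns above, added here as an example and not gnudude's own code: a small POSIX shell helper that builds one rule in the shapes the post lists (a user or a %group, one full-path command or ALL, with or without NOPASSWD), runs it through visudo's check mode, and only then copies it into /etc/sudoers.d with the owner and mode sudo requires. It assumes the installed sudo reads an "#includedir /etc/sudoers.d" line from /etc/sudoers (present in the Debian default file with later sudo packages; on an older box, paste the generated line into /etc/sudoers through visudo instead). The optional "noexec" tag emits sudo's NOEXEC: tag, which keeps the permitted command from launching other programs (the shell escapes of editors and pagers) and needs noexec support in the installed sudo; that tag is not covered by the post. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): build a sudoers rule in the shapes
# the howto lists, let visudo check it, then install it as a fragment.
# Assumption: /etc/sudoers contains "#includedir /etc/sudoers.d".

# mk_sudoers_rule WHO CMD [TAG...]
#   WHO  a username, or a group written as %group
#   CMD  full path to one command, or ALL for every command
#   TAG  optional: nopasswd (no password prompt) and/or noexec (sudo's NOEXEC
#        tag: the command may not execute further programs, which blocks the
#        shell escapes of editors and pagers; needs noexec support in sudo)
mk_sudoers_rule() {
    who=$1; cmd=$2; shift 2
    tags=""
    for t in "$@"; do
        case $t in
            nopasswd) tags="${tags}NOPASSWD: " ;;
            noexec)   tags="${tags}NOEXEC: " ;;
            *) echo "mk_sudoers_rule: unknown tag $t" >&2; return 1 ;;
        esac
    done
    if [ "$cmd" = ALL ]; then
        printf '%s ALL=(ALL) %sALL\n' "$who" "$tags"
    else
        printf '%s ALL= %s%s\n' "$who" "$tags" "$cmd"
    fi
}

# check_fragment FILE: returns 0 if visudo accepts FILE, 1 on a syntax error,
# 2 when visudo is not installed. "visudo -c -f FILE" parses FILE in
# check-only mode and never touches /etc/sudoers itself.
check_fragment() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
    visudo -c -f "$1" >/dev/null 2>&1 || return 1
}

# install_fragment NAME FILE: copy a checked fragment into /etc/sudoers.d with
# the root ownership and 0440 mode sudo insists on. Must run as root. A NAME
# containing a dot or ending in "~" is silently ignored by sudo, so refuse it.
install_fragment() {
    case $1 in *.*|*~) echo "bad fragment name: $1" >&2; return 1 ;; esac
    check_fragment "$2" || return 1
    install -m 0440 -o root -g root "$2" "/etc/sudoers.d/$1"
}
```

Typical use: `mk_sudoers_rule alice /usr/sbin/command nopasswd > /tmp/alice-rule && install_fragment alice /tmp/alice-rule`. The check step is the point: a fragment that visudo rejects never reaches /etc/sudoers.d, where a syntax error would otherwise make every sudo invocation on the box fail.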

Re: sudo setup

Postby gnudude » 2009-09-22 18:47

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

##
# User alias specification
##
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase

##
# Host alias specification
##
Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
           SGI = grolsch, dandelion, black:\
           ALPHA = widget, thalamus, foobar:\
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
                   /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                  /usr/bin/chfn

##
# Override built-in defaults
##
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS ALL = ALL

# jack may run anything on machines in CSNETS
jack CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
               /usr/oper/bin/

# joe may su only to operator
joe ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim +biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
            /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
gnudude
 
Posts: 1712
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

Postby Lavene » 2009-09-22 19:59

gnudude wrote:To setup sudo you should edit the /etc/sudoers file by using the visudo command but you can also edit it by opening the file in your favorite editor.

Maybe you should add that visudo actually does some syntax checking of your sudoers file before saving it. You miss out on that feature if you edit it by calling the editor directly. It also uses your default editor, so you're not stuck with vi...
Lavene
Site admin
 
Posts: 5098
Joined: 2006-01-04 04:26
Location: Oslo, Norway

Re: sudo setup

Postby gnudude » 2009-09-23 00:27

ok doke
gnudude
 
Posts: 1712
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

Postby Soul Singin' » 2009-09-23 02:28

Thanks for taking the time to write this HowTo. It should be particularly valuable to users who are making the well-worn switch from Ubuntu to Debian.

gnudude wrote:You edit the /etc/sudoers file by using the visudo command. The visudo command uses your favorite editor and also performs some error checking on the file.

By default, the editor is Nano; if you would like to change it, run:
Code:
update-alternatives --config editor



gnudude wrote:if you want to give sudo power for all commands to one specific user
Code:
user ALL=(ALL) NOPASSWD: ALL
(replace user with the username)

if you want to give sudo power for all commands with no password requirement to one specific user
Code:
user ALL=(ALL) NOPASSWD: ALL
(replace user with your username)

Shouldn't the first one be:
Code:
user ALL = (ALL)  ALL

and the second one be:
Code:
user ALL = NOPASSWD: ALL

:?:

If you have the time, you may also want to add a discussion of the proper use of sudo, such as avoiding shell escapes and limiting the set of commands that a user may run with root privileges.

Nice guide.
.
Soul Singin'
 
Posts: 1466
Joined: 2008-12-21 07:02

Re: sudo setup

Postby jalu » 2009-09-23 05:02

%wheel ALL = (ALL) ALL

what the hell is group wheel? foreign infiltration? conspiracy? or too much free lsd?

http://wiki.welmers.net/en/Disallow_SuToRoot_on_Debian
jalu
 
Posts: 1397
Joined: 2008-11-19 23:26

Re: sudo setup

Postby gnudude » 2009-09-23 10:59

jalu wrote:what the hell is group wheel?

old school security group :wink:
gnudude
 
Posts: 1712
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

Postby gnudude » 2009-09-23 11:03

Soul Singin' wrote:By default, the editor is Nano, if you would like to change it, you would run:
Code:
update-alternatives --config editor

ok doke

Shouldn't the first one be....and the second one be:

oopsy...too much copy and paste going on

If you have the time, you may also want to add a discussion of the proper use of sudo, such as avoiding shell escapes and limiting the set of commands that a user may run with root privileges.

I would if I thought anyone cared....and if I understood it myself. :lol:

sudo yuck
gnudude
 
Posts: 1712
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

Postby dbbolton » 2009-09-24 17:00

gnudude wrote:if you want to give sudo power for all commands with no password requirement to one specific user ...


Wrong. The code is:

Code:
WINDOWS_MODE=true
Last edited by dbbolton on 2009-09-24 22:40, edited 1 time in total.
GitHub | zsh docs in Letter PDF

Telemachus wrote:Put down the CGI.
dbbolton
 
Posts: 2131
Joined: 2007-06-20 08:17
Location: Iapetus

Re: sudo setup

Postby gnudude » 2009-09-24 18:20

must be the newer version of sudo :lol:
gnudude
 
Posts: 1712
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

Postby dbbolton » 2009-09-24 22:40

gnudude wrote:must be the newer version of sudo :lol:


Just checked it out from SVN last night. Erotic avatar, by the way.
GitHub | zsh docs in Letter PDF

Telemachus wrote:Put down the CGI.
dbbolton
 
Posts: 2131
Joined: 2007-06-20 08:17
Location: Iapetus

Re: sudo setup

Postby Rocky140 » 2009-10-08 10:02

Hmm I see.

Well, let me give you a little bit of background. There are only two users of our HP-UX servers. The two of us are both administrators and regularly use the root account. I cannot rely on the other admin to type sudo in order for it to log his actions.

SOX is making us give a paper trail as to which one of us is using the root account, when, and what we are doing while logged in as root. I believe sudo will give me the proper logging. I have also looked at Symark's PowerBroker. While extremely powerful, it is overkill. Any suggestions?
Last edited by Rocky140 on 2009-10-12 07:24, edited 1 time in total.
Rocky140
 
Posts: 10
Joined: 2009-10-07 06:16

Re: sudo setup

Postby bugsbunny » 2009-10-11 17:01

sudo will give you the desired logging. You can always do what Ubuntu does and remove the root password; then your coworker will have to use sudo (unless he turns the root password back on).

Ultimately the desire for an audit trail for root is stupid, since anyone with true root can easily work around it. Now you could lock your co-worker out of changing the root password by limiting what he can do with sudo, but then you may get into a power struggle on a personal level. (Is he really your equal? If so I wouldn't go that route). You could lock both of you out of changing it - meaning that there's no way to get true root without a reboot.
bugsbunny
 
Posts: 5355
Joined: 2008-07-06 17:04
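Added example, not code from anyone in the thread: the paper trail Rocky140 asks for is what sudo's logfile output gives you (the "Defaults logfile=/var/log/sudo.log, log_year" line in gnudude's sample turns it on), and this POSIX shell/awk script turns such a log into a per-admin summary and flags the entries where sudo handed someone a full root shell, which is exactly where the per-command trail stops (bugsbunny's point). The lines inside sample_log are constructed for the example in the shape sudo writes to its logfile (date, invoking user, an optional refusal reason, then TTY/PWD/USER/COMMAND fields); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises sudo's plain-text logfile
# (what "Defaults logfile=/var/log/sudo.log, log_year" writes) into an audit
# trail: who ran what as whom, what was refused, and where a root shell began.
# Expected line shape (the constructed sample below follows it):
#   <date> : <invoking user> : [<refusal reason> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>

TAB=$(printf '\t')

# sample_log: constructed log lines for this example, not real data.
sample_log() {
    cat <<'EOF'
Oct 11 17:01:05 2009 : rocky : TTY=pts/0 ; PWD=/home/rocky ; USER=root ; COMMAND=/usr/sbin/visudo
Oct 11 17:03:12 2009 : rocky : TTY=pts/0 ; PWD=/home/rocky ; USER=root ; COMMAND=/bin/bash
Oct 11 17:10:44 2009 : otheradmin : TTY=pts/1 ; PWD=/home/otheradmin ; USER=root ; COMMAND=/usr/bin/passwd root
Oct 11 17:12:03 2009 : otheradmin : command not allowed ; TTY=pts/1 ; PWD=/home/otheradmin ; USER=root ; COMMAND=/usr/bin/su -
Oct 11 17:15:30 2009 : rocky : TTY=pts/0 ; PWD=/etc ; USER=operator ; COMMAND=/usr/sbin/lpc status
EOF
}

# parse_sudo_log: stdin -> one tab-separated record per line:
#   <ok|denied>  <invoking user>  <target user>  <command and arguments>
# sudo writes a reason ("command not allowed", "<user> NOT in sudoers") in
# front of the TTY= field only when it refused the request.
parse_sudo_log() {
    awk '
    {
        split($0, f, " : ")
        who = f[2]
        status = (f[3] ~ /^(command not allowed|.* NOT in sudoers) ;/) ? "denied" : "ok"
        target = $0; sub(/.*USER=/, "", target); sub(/ ;.*/, "", target)
        cmd = $0;    sub(/.*COMMAND=/, "", cmd)
        printf "%s\t%s\t%s\t%s\n", status, who, target, cmd
    }'
}

# count_root_shells: granted requests whose command is itself a shell or su
# run as root. sudo logs nothing past that point, so an auditor has to read
# these entries as "anything could have happened afterwards".
count_root_shells() {
    parse_sudo_log | awk -F "$TAB" '
        $1 == "ok" && $3 == "root" {
            split($4, w, " "); n = split(w[1], p, "/"); base = p[n]
            if (base ~ /^(sh|bash|csh|ksh|tcsh|zsh|su)$/) c++
        }
        END { print c + 0 }'
}

# audit_summary: granted commands per (invoker -> target user) pair, and
# refused attempts per invoker.
audit_summary() {
    parse_sudo_log | awk -F "$TAB" '
        $1 == "ok"     { ok[$2 " -> " $3]++ }
        $1 == "denied" { denied[$2]++ }
        END {
            for (k in ok)     printf "%-28s %d commands\n", k, ok[k]
            for (k in denied) printf "%-28s %d refused attempts\n", k, denied[k]
        }' | sort
}

# Usage: sh sudo-audit.sh --demo   (or: audit_summary < /var/log/sudo.log)
if [ "${1:-}" = "--demo" ]; then
    sample_log | audit_summary
    printf 'root shells granted: %s\n' "$(sample_log | count_root_shells)"
fi
```

On the sample data the summary shows two root commands and one operator command for rocky, one root command and one refused attempt for otheradmin, and one granted root shell (rocky's /bin/bash). That last number is the one to keep low if the trail is meant to satisfy an auditor: a rule set that grants specific commands rather than ALL, as Soul Singin' suggested, is what keeps it low.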

Re: sudo setup

Postby saulgoode » 2009-10-11 21:49

@Rocky,
If you are using BASH, you might modify your history set up (by editing /root/.bashrc, adding the lines specified below) so that it
  • maintains a more complete record
      HISTFILESIZE=100000000   # let the history file be up to 100Mb in size
      HISTSIZE=1000000         # and retain up to a million commands
  • timestamps all of the commands
      HISTTIMEFORMAT="%F.%R "  # strftime format; the trailing space keeps the stamp off the command text
  • saves to a separate file upon exiting the shell
      HISTFILE=$HOME/.bash_history$(date +%F.%R)   # absolute path, so the file does not land in whatever directory the shell exits from

You might also consider setting an environment variable such as $ADMINNAME and including that information in the HISTFILE name (to distinguish yourself from the other administrator). An alternate approach would be to use /root/.bash_logout to copy the existing /root/.bash_history to a safe location and just save the new one to /root/.bash_history.

As bugsbunny stated, a root-privileged user intent on doing so could bypass such logging efforts, but then the same is pretty much true for a SUDO-privileged user.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan
saulgoode
 
Posts: 1519
Joined: 2007-10-22 11:34

