sudo setup

gnudude
Posts: 1684
Joined: 2009-04-05 17:30
Location: gone....

sudo setup

#1 Post by gnudude »

Sudo allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user.

You edit the /etc/sudoers file by using the visudo command which performs some error checking on the file. The visudo command uses the default editor in the Debian alternatives system. To change which editor is the default, use the update-alternatives --config editor command and select your preferred editor.

To set up sudo, add one or more of the following code examples to that file and save it.

if you want to give sudo power for one specific command to one specific user

    user ALL= /usr/sbin/command
    (replace user with the username)(replace command with the actual command)

if you want to give sudo power for one specific command with no password requirement to one specific user on the system

    user ALL= NOPASSWD: /usr/sbin/command
    (replace user with the username)(replace command with the actual command)

if you want to give sudo power for all commands to one specific user

    user ALL=(ALL) ALL
    (replace user with the username)

if you want to give sudo power for all commands with no password requirement to one specific user

    user ALL=(ALL) NOPASSWD: ALL
    (replace user with the username)

if you want to give sudo power for all commands to all users on the system

    ALL ALL=(ALL) ALL

if you want to give sudo power for all commands with no password requirement to all users on the system

    ALL ALL=(ALL) NOPASSWD: ALL

if you want to give sudo power for one specific command to a group on the system

    %group ALL = /usr/sbin/command
    (replace group with the desired groupname)(replace command with the actual command)

if you want to give sudo power with no password requirement for one specific command to a group on the system

    %group ALL = NOPASSWD: /usr/sbin/command
    (replace group with the desired groupname)(replace command with the actual command)

if you want to give sudo power for all commands to a group on the system

    %group ALL = (ALL) ALL
    (replace group with the desired groupname)

if you want to give sudo power for all commands with no password requirement to a group on the system

    %group ALL = (ALL) NOPASSWD: ALL
    (replace group with the desired groupname)


for even more examples see the next post :shock:
Last edited by gnudude on 2009-09-24 00:13, edited 14 times in total.
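The recipes above can be assembled and parse-checked before anything touches /etc/sudoers. The script below is an added example, not code from this thread or from the sudo project: it composes a rule from its parts (a user or %group, an optional run-as user, a command list, optional tags such as NOPASSWD: or NOEXEC:), writes the rules to a drop-in file, checks the file with visudo -c -f, and installs it under /etc/sudoers.d only when the check passes. It assumes a Debian-style sudo whose /etc/sudoers includes /etc/sudoers.d; the function names and the sample users and groups (alice, bob, admins) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build sudoers rules from their parts,
# check the resulting fragment with visudo, and only then install it.
# Assumes /etc/sudoers includes /etc/sudoers.d (Debian default).

# sudoers_rule PRINCIPAL RUNAS COMMANDS [TAGS]
#   PRINCIPAL  a user, a %group, or a User_Alias name
#   RUNAS      user(s) the command may run as; "" keeps the default (root)
#   COMMANDS   ALL, or a comma-separated list of full command paths
#   TAGS       optional, e.g. "NOPASSWD:" or "NOPASSWD: NOEXEC:"
sudoers_rule() {
    principal=$1; runas=$2; commands=$3; tags=$4
    rule="$principal ALL ="
    [ -n "$runas" ] && rule="$rule ($runas)"
    [ -n "$tags" ] && rule="$rule $tags"
    printf '%s %s\n' "$rule" "$commands"
}

# check_fragment FILE
#   Parse-check a sudoers fragment with visudo. Returns 0 when it parses,
#   1 when visudo rejects it, and 2 when visudo is not installed, so a
#   missing checker is never mistaken for a passing check.
check_fragment() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
    visudo -c -q -f "$1" || return 1
}

# install_fragment NAME FILE
#   Install a checked fragment as /etc/sudoers.d/NAME, root-owned and 0440
#   as sudo requires. NAME must not contain '.' or '~', or sudo skips it.
#   Refuses to install unless check_fragment passed. Needs root.
install_fragment() {
    check_fragment "$2" || return $?
    install -m 0440 -o root -g root "$2" "/etc/sudoers.d/$1"
}

# Demo: compose three of the thread's recipes into one fragment and check it.
# Nothing is installed unless install_fragment is called explicitly as root.
frag=$(mktemp)
{
    sudoers_rule 'alice'   ''    '/usr/sbin/reboot'             # one user, one command
    sudoers_rule '%admins' 'ALL' 'ALL'             'NOPASSWD:'  # whole group, everything
    sudoers_rule 'bob'     ''    '/usr/bin/less'   'NOEXEC:'    # pager with shell escapes blocked
} > "$frag"
cat "$frag"
check_fragment "$frag" && echo "fragment parses OK"
rm -f "$frag"
```

visudo -c -f only checks syntax: it does not confirm that the listed paths exist or that the commands cannot spawn a shell, so pairing an editor or pager with NOEXEC: (the bob line) or excluding shell and su commands, as the sample file in the next post does with !SU, !SHELLS, stays the administrator's job. After installing a fragment, sudo -l -U alice (run as root) prints what the rules actually grant that user.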

gnudude
Posts: 1684
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

#2 Post by gnudude »

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

##
# User alias specification
##
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase

##
# Host alias specification
##
Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
SGI = grolsch, dandelion, black:\
ALPHA = widget, thalamus, foobar:\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
/usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
/usr/bin/chfn

##
# Override built-in defaults
##
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS ALL = ALL

# jack may run anything on machines in CSNETS
jack CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
/usr/oper/bin/

# joe may su only to operator
joe ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim +biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

Lavene
Site admin
Posts: 4958
Joined: 2006-01-04 04:26
Location: Oslo, Norway

Re: sudo setup

#3 Post by Lavene »

gnudude wrote:To setup sudo you should edit the /etc/sudoers file by using the visudo command but you can also edit it by opening the file in your favorite editor.
Maybe you should add that visudo actually does some syntax checking of your sudoers file before saving it. You miss out on that feature if you edit it by calling the editor directly. It also uses your default editor so you're not stuck with vi...

gnudude
Posts: 1684
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

#4 Post by gnudude »

ok doke

Soul Singin'
Posts: 1605
Joined: 2008-12-21 07:02

Re: sudo setup

#5 Post by Soul Singin' »

Thanks for taking the time to write this HowTo. It should be particularly valuable to users who are making the well-worn switch from Ubuntu to Debian.
gnudude wrote:You edit the /etc/sudoers file by using the visudo command. The visudo command uses your favorite editor and also performs some error checking on the file.
By default, the editor is Nano; if you would like to change it, run:

    update-alternatives --config editor

gnudude wrote:if you want to give sudo power for all commands to one specific user

    user ALL=(ALL) NOPASSWD: ALL
    (replace user with the username)

if you want to give sudo power for all commands with no password requirement to one specific user

    user ALL=(ALL) NOPASSWD: ALL
    (replace user with your username)

Shouldn't the first one be:

    user ALL = (ALL) ALL

and the second one be:

    user ALL = NOPASSWD: ALL

:?:

If you have the time, you may also want to add a discussion of the proper use of sudo, such as avoiding shell escapes and limiting the set of commands that a user may run with root privileges.

Nice guide.

jalu
Posts: 1389
Joined: 2008-11-19 23:26

Re: sudo setup

#6 Post by jalu »

%wheel ALL = (ALL) ALL
what the hell is group wheel? foreign infiltration? conspiracy? or too much free lsd?

http://wiki.welmers.net/en/Disallow_SuToRoot_on_Debian

gnudude
Posts: 1684
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

#7 Post by gnudude »

jalu wrote:what the hell is group wheel?
old school security group :wink:

gnudude
Posts: 1684
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

#8 Post by gnudude »

Soul Singin' wrote:By default, the editor is Nano, if you would like to change it, you would run:

    update-alternatives --config editor
ok doke
Soul Singin' wrote:Shouldn't the first one be....and the second one be:
oopsy...too much copy and paste going on
Soul Singin' wrote:If you have the time, you may also want to add a discussion of the proper use of sudo, such as avoiding shell escapes and limiting the set of commands that a user may run with root privileges.
I would if I thought anyone cared....and if I understood it myself. :lol:

sudo yuck

dbbolton
Posts: 2129
Joined: 2007-06-20 08:17
Location: Iapetus

Re: sudo setup

#9 Post by dbbolton »

gnudude wrote:if you want to give sudo power for all commands with no password requirement to one specific user ...
Wrong. The code is:

    WINDOWS_MODE=true
Last edited by dbbolton on 2009-09-24 22:40, edited 1 time in total.
GitHub | zsh docs in Letter PDF
Telemachus wrote:Put down the CGI.

gnudude
Posts: 1684
Joined: 2009-04-05 17:30
Location: gone....

Re: sudo setup

#10 Post by gnudude »

must be the newer version of sudo :lol:

dbbolton
Posts: 2129
Joined: 2007-06-20 08:17
Location: Iapetus

Re: sudo setup

#11 Post by dbbolton »

gnudude wrote:must be the newer version of sudo :lol:
Just checked it out from SVN last night. Erotic avatar, by the way.
GitHub | zsh docs in Letter PDF
Telemachus wrote:Put down the CGI.

Rocky140

Re: sudo setup

#12 Post by Rocky140 »

Hmm I see.

Well let me give you a little bit of background. There are only two users of our HP-UX servers. The two of us are both administrators and regularly use the root account. I cannot rely on the other admin to type sudo in order for it to log his actions.

SOX is making us give a paper trail as to which one of us is using the root account, when, and what we are doing while logged in as root. I believe sudo will give me the proper logging. I have also looked at Symark's Powerbroker. While extremely powerful, it is overkill. Any suggestions?
Last edited by Rocky140 on 2009-10-12 07:24, edited 1 time in total.

bugsbunny
Posts: 5354
Joined: 2008-07-06 17:04
Been thanked: 1 time

Re: sudo setup

#13 Post by bugsbunny »

sudo will give you the desired logging. You can always do what ubuntu does and remove the root password, then your coworker will have to use sudo (unless he turns the root password back on).

Ultimately the desire for an audit trail for root is stupid, since anyone with true root can easily work around it. Now you could lock your co-worker out of changing the root password by limiting what he can do with sudo, but then you may get into a power struggle on a personal level. (Is he really your equal? If so I wouldn't go that route). You could lock both of you out of changing it - meaning that there's no way to get true root without a reboot.

saulgoode
Posts: 1445
Joined: 2007-10-22 11:34
Been thanked: 4 times

Re: sudo setup

#14 Post by saulgoode »

@Rocky,
If you are using BASH, you might modify your history set up (by editing /root/.bashrc, adding the lines specified below) so that it

  • maintains a more complete record

        HISTFILESIZE=100000000   # let the history file hold up to 100 million lines
        HISTSIZE=1000000         # and retain up to a million commands in memory

  • timestamps all of the commands

        HISTTIMEFORMAT="%F.%R "  # date.time, followed by a space so the command stays readable

  • saves to a separate file upon exiting the shell

        HISTFILE=$HOME/.bash_history.$(date +%F.%R)

You might also consider setting an environment variable such as $ADMINNAME and including that information in the HISTFILE name (to distinguish yourself from the other administrator). An alternate approach would be to use /root/.bash_logout to copy the existing /root/.bash_history to a safe location and just saving the new one to /root/.bash_history.

As bugsbunny stated, a root-privileged user intent on doing so could bypass such logging efforts, but then the same is pretty much true for a SUDO-privileged user.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan
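The per-admin, timestamped history files that the post above suggests are only useful for an audit if someone can read them back as one chronological record. The script below is an added example, not code from this thread: it parses bash's timestamped history format (a "#EPOCH" line written immediately before each command) and merges every admin's files into "EPOCH, ADMIN, COMMAND" lines, oldest first. It assumes the .bashrc from the post with HISTTIMEFORMAT set and HISTFILE named $HOME/.bash_history.$ADMINNAME.<date>; the function names and the two sample histories (alice, bob) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): merge per-admin timestamped root
# history files into one chronological audit log.
# Assumes files named DIR/.bash_history.<admin>.<date> written by a bash
# with HISTTIMEFORMAT set, so each command is preceded by a "#EPOCH" line.

# parse_history FILE
#   Emit one "EPOCH<TAB>COMMAND" line per command. A command with no
#   preceding timestamp line (saved before HISTTIMEFORMAT was enabled)
#   gets epoch 0 so it still sorts, at the front, instead of being lost.
parse_history() {
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }
        { printf "%s\t%s\n", (ts == "" ? 0 : ts), $0; ts = "" }
    ' "$1"
}

# merge_histories DIR
#   Combine every DIR/.bash_history.<admin>.<date> file into
#   "EPOCH<TAB>ADMIN<TAB>COMMAND" lines sorted by time. The admin name is
#   the third dot-separated field of the file name.
merge_histories() {
    for f in "$1"/.bash_history.*; do
        [ -f "$f" ] || continue
        admin=$(basename "$f" | cut -d. -f3)
        parse_history "$f" | awk -F'\t' -v a="$admin" -v OFS='\t' '{ print $1, a, $2 }'
    done | sort -n -k1,1
}

# make_sample DIR
#   Write two constructed history files (sample data, not real sessions).
#   bob's first command carries no timestamp to exercise that edge case.
make_sample() {
    printf '#1255327440\nvisudo\n#1255327500\nservice ssh restart\n' \
        > "$1/.bash_history.alice.2009-10-12.07:24"
    printf 'id\n#1255327470\npasswd root\n' \
        > "$1/.bash_history.bob.2009-10-12.07:31"
}

# Demo: build the sample and print the merged log.
dir=$(mktemp -d)
make_sample "$dir"
merge_histories "$dir"
rm -rf "$dir"
```

This covers the interactive root shell, which sudo's own log (Defaults logfile=..., as in the sample sudoers file earlier in the thread) never sees; as bugsbunny and saulgoode note, it records what a cooperative administrator did rather than preventing a hostile one from editing the file.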
