Sudo Setup Guide

DJG's Sudo Guide
Created on January 1st, 2000.

sudo is a package that allows privileged users to run commands as other users. This is somewhat like assigning users to groups to give them special permissions on files; sudo, however, can give users access to specific commands on specific machines, which makes it a more effective and better organized way of giving users special privileges.

First, you'll have to get the sudo package.

You can get the Debian package (.deb) at ftp://ftp.debian.org/ or by running 'apt-get install sudo'.

You can get the RPM at http://www.rpmfind.net/RPM.

And if all else fails, you can always get the tarball from http://www.courtesan.com/sudo/

Configuring SUDOers

Now that sudo has been installed, you should find a file called /etc/sudoers.

Before you start editing this file, you need to use a program called visudo, included in the sudo package. visudo provides security checks, parses the file for syntax errors, and protects against several people editing the file at the same time.

visudo uses the editor named in the environment variable VISUAL, so to pick an editor, for instance pico, while running a bash shell, enter the command:

export VISUAL="pico -w"

Now simply type visudo, and it should open /etc/sudoers in that editor.

In /etc/sudoers, you should see something like this:

NOTE: You may see other things; this is what Debian's install contains. There are many options which I do not go over here, for instance how to override defaults. This guide is meant to be a source for creating a basic sudo setup. You can find anything I did not include in "man sudoers" and "man sudo".

#Host alias specification

#User alias specification

#Cmnd alias specification

#User privilege specification
root	ALL=(ALL) ALL

Here's a sample file. It is not real, but as I walk you through it you should be able to understand how to set up this file.

Aliases are ways of referring to information by a (usually) easier name, a bit like a shorthand way of writing something. In our case an alias can point to one piece of information or to a group of information, as you'll see below.

Host alias specification

This section makes aliases for hosts. The syntax is:

Host_Alias ALIASFORHOSTNAMES = hostname1, hostname2, etc...

These allow you to make an alias for a set of hostnames (or even a single one).

The two lines below make an alias called "DJNET", which refers to the hostnames djbox1 and djbox2, and an alias called "LINUXHELP", which refers to the hostnames lingroup1 and lingroup2.

These hostnames should be referenced in /etc/hosts, but for the hostnames you may use IP addresses, hostnames from /etc/hosts, or other hostnames which may not be found in /etc/hosts.

Host_Alias 	DJNET = djbox1, djbox2
Host_Alias 	LINUXHELP = lingroup1,lingroup2

User alias specification

This section, like the Host alias section, is basically a way of grouping users.

The syntax is:

User_Alias USERGROUPNAMEALIAS = user1, user2, etc...

The below lines make 3 groups, ADMINS, PARTTIME, and LINUXGROUP, each containing different members.

User_Alias 	ADMINS = joe, bill, jake
User_Alias   	PARTTIME = jim, jeff, mike
User_Alias	LINUXGROUP = lyte, SirPlaya

Cmnd alias specification

This section is a way of grouping commands together. The syntax is:

Cmnd_Alias COMMANDALIASNAME = command1,command2,etc...

If you'd like to specify arguments, you can use [] and wildcards in commands. For instance, one of the aliases below, USERS, includes /usr/sbin/adduser [A-z]*, which means that users may run /usr/sbin/adduser and must give it an argument of one or more letters.

Cmnd_Alias 	BROWSE = /bin/ls, /bin/cd, /bin/cat
Cmnd_Alias 	KILL = /bin/kill
Cmnd_Alias 	USERS = /usr/sbin/adduser [A-z]*,/usr/sbin/userdel -r [A-z]*

User privilege specification

This is the User privilege section. This is where you give out the special privileges to users or user aliases, using the aliases we created above.

The syntax is:

USER HOST=COMMANDS

where USER can be either a user name or a user alias, and HOST and COMMANDS can likewise be either a name or an alias.

The below line allows root access to everything... this shouldn't be a problem as root can do whatever he/she wants anyway.

root	ALL=(ALL) ALL

This next line gives the users specified in the ADMINS alias (joe, bill, and jake) access to everything as well.

ADMINS ALL=ALL

This next line shows you another interesting feature of sudo. It allows the users in the PARTTIME alias (jim, jeff, and mike) to run all of the commands listed in the USERS, KILL, and BROWSE aliases on all servers. In addition, they may run /usr/bin/passwd followed by a word of one or more letters (the username whose password is to be changed), but the last item says that they CANNOT change root's password. ! is used to represent the word "NOT".

PARTTIME ALL=USERS,KILL,BROWSE,/usr/bin/passwd [A-z]*, !/usr/bin/passwd root

This next line allows user "djg" access to everything on the hosts listed in the alias DJNET(djbox1 and djbox2). It IS my network after all. :)

djg DJNET=ALL

Finally, this last line allows the users listed in the alias LINUXGROUP (lyte and SirPlaya) to run ALL commands as user "www", and to run all of the commands listed in the aliases KILL, USERS, and BROWSE as root, on the servers listed in the alias LINUXHELP (lingroup1 and lingroup2).

To specify that commands can be run as a user other than root, put the username in () in front of the commands. That user then applies to the commands that follow it in the list, so if you need root after that you have to specify it again, as seen below. Each run-as group is its own command entry, so separate it from the previous one with a comma.

LINUXGROUP LINUXHELP=(www) ALL, (root) KILL,USERS,BROWSE

Now that /etc/sudoers is configured properly, save it and exit visudo. If there are any errors, it should tell you.
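To see how the pieces of the sample file combine, here is a small model of sudo's lookup rules. This is an added example written for this guide, not code from the guide's author or from the sudo project. It re-embeds the sample sudoers lines (with a comma before "(root)", since each run-as group is a separate command entry) and models only the subset of sudoers(5) behaviour they use: alias expansion, the sticky "(runas)" prefix, "!" negation, "last matching entry wins", and argument globbing where the user's arguments are matched as one string. The names parse_sudoers, may_run, list_privileges and SAMPLE_SUDOERS are my own, as are the test users and commands.

```python
"""Model of sudoers(5) lookup for the sample file in this guide (added example,
not the guide's or sudo's own code).  Handles Host_Alias, User_Alias, Cmnd_Alias
and privilege lines with "(runas)" prefixes and "!" negation.  Entries apply in
file order and the last matching command spec wins, as in sudo itself."""
import fnmatch
import re

# Constructed sample input: the /etc/sudoers lines walked through above, with a
# comma before "(root)" because every run-as group starts a new command spec.
SAMPLE_SUDOERS = """
Host_Alias  DJNET = djbox1, djbox2
Host_Alias  LINUXHELP = lingroup1,lingroup2
User_Alias  ADMINS = joe, bill, jake
User_Alias  PARTTIME = jim, jeff, mike
User_Alias  LINUXGROUP = lyte, SirPlaya
Cmnd_Alias  BROWSE = /bin/ls, /bin/cd, /bin/cat
Cmnd_Alias  KILL = /bin/kill
Cmnd_Alias  USERS = /usr/sbin/adduser [A-z]*,/usr/sbin/userdel -r [A-z]*
root        ALL=(ALL) ALL
ADMINS      ALL=ALL
PARTTIME    ALL=USERS,KILL,BROWSE,/usr/bin/passwd [A-z]*, !/usr/bin/passwd root
djg         DJNET=ALL
LINUXGROUP  LINUXHELP=(www) ALL, (root) KILL,USERS,BROWSE
"""
ALIAS_RE = re.compile(r"^(Host|User|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)$")
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*(.*)$")


def parse_sudoers(text):
    """Return (aliases, entries); entries hold (user_spec, host_spec, [(runas, negated, cmnd)])."""
    aliases, entries = {"Host": {}, "User": {}, "Cmnd": {}}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = [x.strip() for x in members.split(",")]
            continue
        lhs, rhs = line.split("=", 1)
        user_spec, host_spec = lhs.split()
        specs, runas = [], "root"            # sudo's default run-as user is root
        for item in rhs.split(","):
            item = item.strip()
            m = RUNAS_RE.match(item)
            if m:                            # "(www) cmd": runas sticks to later items
                runas, item = m.group(1).strip(), m.group(2).strip()
            negated = item.startswith("!")
            specs.append((runas, negated, item.lstrip("!").strip()))
        entries.append((user_spec, host_spec, specs))
    return aliases, entries


def _in_spec(value, spec, alias_table):
    """A user or host spec is ALL, a literal name, or an alias name."""
    return spec == "ALL" or value == spec or value in alias_table.get(spec, [])


def _cmnd_matches(requested, pattern):
    """sudoers-style match: the path must match, and if the pattern lists arguments
    the user's arguments joined as ONE string must match that glob ("*" spans spaces)."""
    req_path, _, req_args = requested.partition(" ")
    pat_path, _, pat_args = pattern.partition(" ")
    if not fnmatch.fnmatchcase(req_path, pat_path):
        return False
    if pat_args == "":                       # no args in sudoers: any arguments allowed
        return True
    if pat_args == '""':                     # "" in sudoers: no arguments allowed
        return req_args.strip() == ""
    return fnmatch.fnmatchcase(req_args.strip(), pat_args.strip())


def may_run(user, host, runas, command, sudoers=SAMPLE_SUDOERS):
    """True if sudoers lets `user` run `command` on `host` as `runas`."""
    aliases, entries = parse_sudoers(sudoers)
    allowed = False
    for user_spec, host_spec, specs in entries:
        if not (_in_spec(user, user_spec, aliases["User"])
                and _in_spec(host, host_spec, aliases["Host"])):
            continue
        for spec_runas, negated, cmnd in specs:
            if spec_runas not in ("ALL", runas):
                continue
            patterns = aliases["Cmnd"].get(cmnd, [cmnd])
            if cmnd == "ALL" or any(_cmnd_matches(command, p) for p in patterns):
                allowed = not negated        # last matching spec wins
    return allowed


def list_privileges(user, host, sudoers=SAMPLE_SUDOERS):
    """Rough equivalent of "sudo -l": the command specs that apply to user@host."""
    aliases, entries = parse_sudoers(sudoers)
    return [", ".join(f"({r}) {'!' if n else ''}{c}" for r, n, c in specs)
            for user_spec, host_spec, specs in entries
            if _in_spec(user, user_spec, aliases["User"])
            and _in_spec(host, host_spec, aliases["Host"])]


if __name__ == "__main__":
    for who, where, as_user, cmd in [("jim", "djbox1", "root", "/usr/bin/passwd root"),
                                     ("lyte", "lingroup1", "www", "/usr/bin/vi")]:
        print(who, where, as_user, cmd, "->", may_run(who, where, as_user, cmd))
    print("\n".join(list_privileges("lyte", "lingroup1")))
```

Two things worth noticing when you run it. First, the "!/usr/bin/passwd root" exception only works because it comes after the wildcard entry: sudo takes the last matching entry, so writing the exception first would silently re-allow it. Second, the argument glob "[A-z]*" matches "joe bill" as a single string, so such a rule is looser than it reads; sudoers(5) itself warns that wildcards match across word boundaries and uses the range [A-Za-z] in its own example. Real sudo also applies Defaults and tags that this model ignores, so treat it as a reading aid and confirm the effective rules on the machine with sudo -l.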

USING SUDO

To list what you are allowed to do with sudo:

djg@localhost:~ $ sudo -l
Password:   (Enter your password here)
User djg may run the following commands on this host:

(Here will be what you are allowed to do. It will follow the form of /etc/sudoers)

To use a privilege:

djg@localhost:~ $ sudo -u usertoruncommandas commandhere
Password: (Enter your password here)
(The command will then execute if everything is OK)

The -u flag defaults to user root, so if you're running a command as root it's not necessary; simply use: sudo commandhere.

In some cases it may not prompt you for a password. By default, sudo will let you go 5 minutes without entering a sudo command before it asks for your password again. As I said before, I don't go over how to change that in this guide; everything you'll need is in the man pages. At some point I may add that section to this guide.

Now you should have a fully working sudo package, and users can have special privileges.

Copyright © 1997 - 2014 Private World Domination Inc. All rights reserved.