2007/02/16

sudo: sudoers examples

Sudo can be used to allow users to execute certain commands as other users (including root) on certain machines, with logging.

Edit the sudoers file with visudo. Note that to execute many system commands, your PATH will need to include /sbin:/usr/sbin.

See what access is allowed with "sudo -l".

The best example file I found was at http://www.gratisoft.us/sudo/sample.sudoers , except that it uses "!", which is pointless (commands can be copied).

## Sample sudoers file ##
# *** Host_Alias specifications ***
# Host_Alias seems not to be useful, unless you have a
# global sudoers file that is replicated across multiple hosts.

# make LOCAL mean localhost (probably a bad idea, as this will allow it to run on any machine that has the sudoers file)
Host_Alias LOCAL = 127.0.0.1
# Anywhere that "LAN" is specified, these hosts apply:
Host_Alias LAN = ahost.mycompany.com, anotherhost.mycompany.com

# *** User_Alias specifications ***
# User_Alias allows you to group users. (better to use AD/NIS groups, for global/central management?)
# MAILADMINS user alias refers to users dick and jane
User_Alias MAILADMINS = dick, jane

# *** Runas_Alias specifications ***
# This specifies an alias or grouping of whom a command can be run as.
Runas_Alias SOMEONE = larry, tom

# *** Cmnd_Alias specifications ***
# alias or group commands with full paths, to make things easier to read later.
Cmnd_Alias SU = /bin/su

Cmnd_Alias SMTP = /sbin/service postfix stop, /sbin/service postfix start, /sbin/service postfix status
Cmnd_Alias REBOOT = /usr/bin/reboot, /sbin/shutdown -r now

# *** Defaults specification ***
# make user john.doe not have to enter a password to run commands as another user
# (the Defaults flag is "authenticate"; NOPASSWD is only valid as a tag in a user specification)
Defaults:john.doe !authenticate
# make user kate have no timeout, add env variable "GOO" to the list of variables removed from the sudo environment, run as linda by default, and always require the root password
Defaults:kate timestamp_timeout=-1, env_delete+="GOO", runas_default=linda, rootpw
# make user jim have to enter the password of whoever he's running a command as, every time, with 1 attempt allowed
Defaults:jim timestamp_timeout=0, runaspw, passwd_tries=1
# global defaults - log to a specific file.
Defaults logfile=/var/log/sudo.log, log_year

# *** User Privilege specification ***
# This is where we actually say who and where (as whom) can do what
#
# user/%group hostname = (user) command
# by default, root can do all commands as all users

root ALL=(ALL) ALL

# users jake and jim, on localhost, can restart crond without entering a password. (probably a bad idea)

jake,jim LOCAL = NOPASSWD: /sbin/service crond restart

# allow MAILADMINS on hosts LAN to run the SMTP commands as root and the REBOOT commands as SOMEONE.

MAILADMINS LAN = (root) SMTP, (SOMEONE) REBOOT

# members of the group "wheel" can run, on all hosts, all commands as all users

%wheel ALL=(ALL) ALL
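
As an added example (not part of the original post or of sudo itself), here is a small Python check that flags the "everything but" rules criticised above: any user specification that grants ALL and then subtracts commands with "!". The sample sudoers text, the users bill and jill, and the function name find_subtractions are constructed for illustration; the parser is simplified and assumes one specification per logical line with Cmnd_Alias definitions placed before use.

```python
import re

# Constructed sample input (not from the original post).
SAMPLE = """\
Cmnd_Alias SU = /bin/su
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
Cmnd_Alias SMTP = /sbin/service postfix stop, /sbin/service postfix start
# deny-list style: everything except su and shells
bill    ALL = (root) ALL, !SU, !SHELLS
jill    ALL = NOPASSWD: ALL, \\
              !/usr/bin/passwd root
# allow-list style: only the named commands
dick    LAN = (root) SMTP
%wheel  ALL = (ALL) ALL
"""

ALIAS = re.compile(r"^(Host|User|Runas|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)$")
RUNAS_OR_TAG = re.compile(r"\([^)]*\)|\b[A-Z_]+:")  # "(root)" or "NOPASSWD:"

def find_subtractions(text):
    """Return (who, [negated commands]) for each rule granting ALL minus something."""
    lines = text.replace("\\\n", " ").splitlines()  # join continuation lines
    cmnd_aliases, findings = {}, []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS.match(line)
        if m:
            if m.group(1) == "Cmnd":  # remember command aliases for expansion
                cmnd_aliases[m.group(2)] = [c.strip() for c in m.group(3).split(",")]
            continue
        who_host, _, spec = line.partition("=")
        cmds = [c.strip() for c in RUNAS_OR_TAG.sub("", spec).split(",")]
        negated = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            # Expand negated aliases so the report names the real paths.
            expanded = [x for n in negated for x in cmnd_aliases.get(n, [n])]
            findings.append((who_host.split()[0], expanded))
    return findings

if __name__ == "__main__":
    for who, cmds in find_subtractions(SAMPLE):
        print(f"{who}: grants ALL minus {cmds}; replace with an explicit allow-list")
```

Each finding is a rule to rewrite as an explicit list of permitted commands, as the MAILADMINS line in the sample file does.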

3 comments:

Anonymous said...

I just ran across this post and wanted to point out that the example you found at http://www.gratisoft.us/sudo/sample.sudoers is exactly the same as the official sudoers example file http://www.sudo.ws/sudo/sample.sudoers.

Maybe you could explain your problems with it to the sudo maintainers?

Lane said...

If the goal is "least privilege", then we would only grant privileges to execute specific tasks; we would never grant "everything *but*".

If we grant "everything *but*", then whatever we don't want the user to do, the user can copy that forbidden item to a new file or some such, and then execute it.

I guess the ! could keep honest people honest, but will not stop any attempt to circumvent the limitations.

Anonymous said...

Hi,

From the manpage I see something like this:
SECURITY NOTES
It is generally not effective to ``subtract'' commands from ALL
using the '!' operator...

For me sudo is for limiting internal users. So I use "!/path/to/bla" as well. In case of an unwanted user action, everything is logged and that helps much :-)

Regards, tcpdump