sudo13 Apr 2019 • Leave Comments
sudo allows a permitted user to execute a command as the superuser (by default) or another user (if provided), as specified by a security policy.
Different security policies are supported by a plugin architecutre. The official security plicy is sudoers, configured via the file /etc/sudoers or via LDAP. Third party developers can distribute their own policy to work seamlessly with the sudo front end.
Security policy plugin is configured in the /etc/sudo.conf file.
[root@host ~]# pacman -S sudo [root@host ~]# sudo -ll -U username
Check the 'SUDOERS FILE FORMAT' section in the man page of suoers(5). Basically, syntax is prescribed with Extented Backus-Naur Form (EBNF). Do not despair if you are unfamiliar with EBNF; it is fairly simple and take the chance to study it.
An EBNF definition looks like:
symbol ::= definition | alternate1 | alternate2
Special characters '?' (optional, 0 or 1), '*' (zero or more), and '+' (one or more) mean the same thing as regular expression. Single quotes denote verbatim character string as opposed to a defined symbol (variable) name. The rest part of EBNF of sudoer is left to yourself.
The sudoers file is composed of two types of entries: alias and user specification. The advantage of alias is to group multiple items together and assign a meaningful label. There exist four kinds of aliases, namely 'User_Alias', 'Runas_Alias', 'Host_Alias' and 'Cmd_Alias'. When there exist only few accounts and hostnames concerned, alias is optional.
When a username is matched by multiple entries, they are applied in order but only the last match takes effect. Let's forget about EBNF and alias part (not the focus of this post), here is the simplified user specification:
USER HOSTNAME = (RUNAS_USER) COMMANDS
USER is the primary key, for which this entry is designated.
It can be a user name (i.e. 'jim'), user ID ('#1000'), group name ('%wheel'), group ID ('%#10') etc.
HOSTNAME defines the location where this user specification takes effect. The sudoers file can be shared among multiple systems.
This field can be hostname, IP address, network range etc.
- COMMANDS specifies what commands can be executed.
'(RUNAS_USER)' means to execute COMMANDS as another user account. It is applied to commands followed.
This is an optional field with parentheses. By default, it is root.
The columns are divided into two groups by '=', namely the left side and the right side.
The left side defines the object while the right side defines the actions.
Multiple items within a field is separated by comma.
'ALL', a special field value, matches anything.
jim localhost = (operator) /bin/ls, (root) /bin/kill, /usr/bin/apg
This entry means on localhost, account jim can run /bin/ls as acount operator; he can also run /bin/kill and /usr/bin/apg as root.
There are also other interesting fields like 'NOPASSWD:', which is left to yourself.
- To modify configuration files, please use command visudo.
Personally, I'd like to put per-user configuration under /etc/sudoers.d/.
To make the directory loaded, add the
#includedirdirective in /etc/sudoers. As per the man page, sudo will read each file in /etc/sudoers.d, skipping file names that contain a dot '.' or end in a tilde '~'. Hence, if the username contains a dot, then file '/etc/sudoers.d/username' is probably ignored!
[root@host ~]# visudo -f /etc/sudoers [root@host ~]# visudo -f /etc/sudoers.d/username # gray localhost = (jim) ALL %wheel ALL = (root) /bin/iptables
Once finished editting, use the option
-c to verify syntax.
[root@host ~]# visudo -c -f /etc/sudoers [root@host ~]# visudo -c -f /etc/sudoers.d/username
Then check the result:
[root@host ~]# sudo -ll -U username
[username@host ~]$ sudo command [username@host ~]$ sudo -u another-username command
When to edit a protected file, sudoedit /path/to/file is preferred than
sudo vim /path/to/file.