Sudo

From Zanecorpwiki

Overview

sudo is a handy little program that lets one user perform operations as another user. Most commonly, this is used to allow non-root users to do root things without logging in as root. By default (on most distros), sudo is configured to allow anyone to do anything as root if they know the root password. This is convenient and relatively safe, though on ultra-secure boxes you may want to change this behavior.

sudo is configured with the /etc/sudoers file. The basic syntax is:

<user name>   <host list> = <(execute as)> <tags>: <command list>

You can also negate items in lists and include aliases for groups of users, hosts, run-as, and commands.

Common Examples

For example:

root    ALL=(ALL) ALL

is a common entry that allows root to execute any command (the last ALL) as any user (the ALL in parentheses) on any host (the first ALL).

For small installations, the host list can be set to 'ALL' without much concern. The idea behind the host parameter is that a single sudoers file can be safely distributed to many hosts, which is very useful for larger installations.

One common situation where sudo is useful is when there's a service user (like 'tomcat') and many different admins. We want each admin (bob, sue, etc.) to log in as themselves, but to be able to easily do stuff as the tomcat user, like start and stop services. So, we might have something like:

bob, sue    production,qa=(tomcat) NOPASSWD: /home/tomcat/bin/startcatalina, /home/tomcat/bin/stopcatalina

This allows bob and sue to run the startcatalina and stopcatalina commands without being asked for any additional password. Another option is to require bob and sue to re-authenticate using their own passwords, a good security practice for sensitive commands. For that you'd do:

Defaults !targetpw
bob, sue    production,qa=(tomcat) /home/tomcat/bin/startcatalina, /home/tomcat/bin/stopcatalina

Note that you can leave off the 'Defaults !targetpw' line if 'Defaults targetpw' does not appear earlier in the file, but in most cases it will be there (see Standard Configuration).

Standard Configuration

The standard sudo configuration goes something like this:

Defaults targetpw
ALL     ALL=(ALL) ALL
root    ALL=(ALL) ALL

The second line allows anyone to execute anything anywhere as anyone. This can be useful, but it must be combined with the first line, which changes how users authenticate. By default sudo would ask the invoking user for their own password, which, when everyone can execute anything as anyone (including root), would be terrible. With 'targetpw', the user must know the password of the 'run as' user. In other words, sudo /sbin/mount without targetpw asks for the invoking user's password. With targetpw, it asks for the root password (what we want).

Options in the config file apply to all following directives until the option is changed. So, if you wanted to revert to the default behavior for other directives, you would do:

Defaults targetpw
ALL     ALL=(ALL) ALL
root    ALL=(ALL) ALL

Defaults !targetpw
admin   ALL=(root) /sbin/mount

This would allow admin to run mount, authenticating with their own password.

Aliases and Defaults

The default behavior of sudo can be changed via the Defaults directive. We saw an example of this in Standard Configuration with 'targetpw', but take a look at the manual for other options.

Another very useful bit, especially for larger installations or just organizing the file, is to create aliases. You can create aliases for groups of users, hosts, and commands. For instance, continuing on our previous example, we might organize our lists as follows:

User_Alias ADMINS = bob, sue
Cmnd_Alias TOMCAT_CMDS = /home/tomcat/bin/startcatalina, /home/tomcat/bin/stopcatalina
Host_Alias SERVERS = production, qa
...
ADMINS    SERVERS=(tomcat) NOPASSWD: TOMCAT_CMDS
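As an added example (not part of this wiki page and not sudo's own code), here is a small Python model of the rule grammar from the Overview together with the aliases just shown: it parses a constructed sudoers fragment and answers whether a given user on a given host may run a command as a target user, and whether a password is required. It deliberately ignores Defaults, negation and wildcards; SAMPLE, parse_sudoers, check and demo are names made up for this example.

```python
import re
# Rule grammar from this page:  <users> <hosts> = (<run as>) <tags>: <commands>
RULE_RE = re.compile(r"^(?P<users>[^=]+?)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

_split = lambda s: [p.strip() for p in s.split(",") if p.strip()]  # comma list -> items

def parse_sudoers(text):
    """Return (aliases, rules). Defaults lines are skipped; option handling is out of scope."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.split()[0] in ("User_Alias", "Host_Alias", "Cmnd_Alias"):
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = _split(members)
            continue
        m = RULE_RE.match(line)
        if not m: raise ValueError(f"unparseable sudoers rule: {line!r}")
        rules.append({"users": _split(m["users"]), "hosts": _split(m["hosts"]),
                      "runas": _split(m["runas"] or "root"),  # no (run as) given: root
                      "nopasswd": "NOPASSWD" in m["tags"], "cmds": _split(m["cmds"])})
    return aliases, rules

def _matches(value, items, aliases):  # ALL matches anything; aliases expand recursively
    return any(_matches(value, aliases[i], aliases) if i in aliases else i in ("ALL", value)
               for i in items)

def check(aliases, rules, user, host, runas, cmd):
    """'nopasswd' or 'passwd' if permitted, None if not. Like sudo, the last matching rule wins."""
    for r in reversed(rules):
        if all(_matches(v, r[k], aliases)
               for v, k in ((user, "users"), (host, "hosts"), (runas, "runas"), (cmd, "cmds"))):
            return "nopasswd" if r["nopasswd"] else "passwd"
    return None

SAMPLE = """# constructed sample assembled from the rules discussed on this page
User_Alias ADMINS = bob, sue
Host_Alias SERVERS = production, qa
Cmnd_Alias TOMCAT_CMDS = /home/tomcat/bin/startcatalina, /home/tomcat/bin/stopcatalina
root      ALL=(ALL) ALL
ADMINS    SERVERS=(tomcat) NOPASSWD: TOMCAT_CMDS
"""

def demo():  # returns ('nopasswd', None, 'passwd')
    aliases, rules = parse_sudoers(SAMPLE)
    return (check(aliases, rules, "bob", "qa", "tomcat", "/home/tomcat/bin/startcatalina"),
            check(aliases, rules, "bob", "dev", "tomcat", "/home/tomcat/bin/startcatalina"),
            check(aliases, rules, "root", "qa", "tomcat", "/bin/sh"))
```

Before deploying a real file, validate it with visudo's check mode (visudo -c -f FILE) rather than with a model like this one.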