sudo command & sudoers file : Concepts and Practical examples


Introduction

This post gives you the main concepts and the knowledge required to understand the sudo command and its configuration file, sudoers.

1 Generalities

1.1 sudo command : Definition

The sudo command lets one user run a command as another user. It is commonly used to allow ordinary users to run commands normally reserved to the root user (the account used by administrators), such as kill, mount or adduser.

One thing that sometimes puts users in trouble is the password prompt: which password is it? Is it the root password?

By default, no. sudo authenticates the invoking user with that user's own password, then consults the sudoers file to decide whether the user may run the requested command as the requested target user. Asking for the target user's password instead is an opt-in behaviour (the targetpw or runaspw options in a Defaults line), and asking for the root password is another (the rootpw option); unless an administrator has set one of these, the password sudo wants is always your own.

 

1.2 sudoers file : Definition

The sudoers file (/etc/sudoers by default, but another file may be specified) is the "list of who can run what". It is built from two kinds of entries:

  1. Aliases : named lists of entries of the same domain (users, hosts, commands, target users). There are four kinds of aliases:
    1. User_Alias
    2. Runas_Alias
    3. Host_Alias
    4. Cmnd_Alias
  2. User specifications : the one-line rules that combine all of the above into "who may run what, where, and as whom".

Defaults lines, which tune sudo's behaviour rather than grant rights, also appear in the file; the env_reset and secure_path settings shown in the sudo -l output below are examples.

 

1.3 sudo : Usage

The sudo command itself is quite simple. Its basic syntax is:

sudo command [arguments]

To this basic syntax you may add some options:

  • Check whether you are in the sudoers file and which commands are allowed or forbidden for you: sudo -l, or sudo -ll for a long list format. Add -U <user> to list another user's privileges instead (sudo restricts this to root, to users who may run ALL commands as root on the host, and to users granted the list privilege). The output looks like:
    Matching Defaults entries for pier on this host:
     requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
     KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
     LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
     LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
     LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
     XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    
     User pier may run the following commands on this host:
     (root) /sbin/mount /mnt/cdrom, (root) /sbin/umount /mnt/cdrom, (root)
     /bin/rpm, /usr/bin/up2date, /usr/bin/yum
  • Run the command as user <user> instead of root: sudo -u <user> command
  • Launch a login shell as the target user (and therefore load its environment from .profile, .login, etc.): sudo -i
  • Non-interactive mode: never prompt; if a password (or any other interactive input) would be required, exit with an error instead. Useful in scripts and cron jobs: sudo -n command
  • Use a custom password prompt: sudo -p 'prompt' command, where the prompt may contain escapes such as %H (host name with domain), %h (host name), %p (user whose password is being requested), %U (target user) and %u (invoking user)
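To put these options to use, here is an added example (not code from the original post): a Python parser for the "may run the following commands" part of sudo -l output, the first thing to read when auditing a host or hunting for privilege escalation. The sample output it parses is constructed in the format shown above (plus two lines in the newer one-entry-per-line format that sudo 1.8 and later print); the function names are the example's own.

```python
# Added example (not part of the original post): turn the "may run the
# following commands" section of `sudo -l` output into structured entries.
# SUDO_L_SAMPLE is constructed in the style of the output shown above:
# the older comma-separated, line-wrapped format, plus two lines in the
# newer one-entry-per-line format. It was not captured from a real host.
import re

SUDO_L_SAMPLE = """\
Matching Defaults entries for pier on this host:
    requiretty, env_reset, secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User pier may run the following commands on this host:
    (root) /sbin/mount /mnt/cdrom, (root) /sbin/umount /mnt/cdrom, (root)
    /bin/rpm, /usr/bin/up2date, /usr/bin/yum
    (ALL : ALL) NOPASSWD: /usr/bin/vim, PASSWD: /usr/bin/vi
    (www-data) NOEXEC: /usr/bin/less /var/log/nginx/*
"""

RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")


def is_tag(word):
    """NOPASSWD:, NOEXEC:, SETENV:, LOG_INPUT:, ... (uppercase, ends in ':')."""
    return word.endswith(":") and word[:-1].isupper() and word[0].isalpha()


def opposite(tag):
    """PASSWD: <-> NOPASSWD:, EXEC: <-> NOEXEC:, and so on."""
    return tag[2:] if tag.startswith("NO") else "NO" + tag


def parse_sudo_l(text):
    """Return [{runas, tags, command}, ...] for every command listed.

    Entries are comma separated. A "(user[:group])" prefix applies to every
    following command until another prefix appears; in the older wrapped
    format a line may even end with a bare "(root)" whose commands follow on
    the next line. A tag applies to the command it precedes and to the
    commands after it on the same line until the opposite tag appears, which
    is how sudo prints them (a tag is shown only when it changes). Commands
    containing a literal comma are not handled here.
    """
    entries = []
    in_cmds = False
    runas = None
    for raw in text.splitlines():
        line = raw.strip()
        if not in_cmds:
            in_cmds = "may run the following commands" in line
            continue
        tags = set()
        for item in (p.strip() for p in line.split(",")):
            if not item:
                continue
            m = RUNAS_RE.match(item)
            if m:
                runas = m.group("runas").strip()
                item = m.group("rest").strip()
                if not item:      # bare "(root)" at the end of a wrapped line
                    continue
            words = item.split()
            while words and is_tag(words[0]):
                tag = words.pop(0)
                tags.discard(opposite(tag))
                tags.add(tag)
            entries.append({"runas": runas, "tags": sorted(tags),
                            "command": " ".join(words)})
    return entries


def passwordless(entries):
    """Commands sudo runs without asking for a password."""
    return [e["command"] for e in entries if "NOPASSWD:" in e["tags"]]


def as_root(entries):
    """Commands that may be run as root (runas user root or ALL)."""
    return [e["command"] for e in entries
            if e["runas"] and e["runas"].split(":")[0].strip() in ("root", "ALL")]


if __name__ == "__main__":
    found = parse_sudo_l(SUDO_L_SAMPLE)
    for entry in found:
        print(entry)
    print("without password:", passwordless(found))
    print("as root:", as_root(found))
```

Feed it the real thing with sudo -n -l (non-interactive, so a script never hangs on a prompt) and look first at what passwordless() and as_root() return: an editor or pager that runs as root is a shell in disguise, with or without NOEXEC:.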

 

1.4 visudo : The tool

When working on the sudoers file, use the tool made for this specific purpose: visudo. It locks the file against concurrent edits, opens it in your editor and refuses to install a result that does not parse.

visudo can also check a sudoers file without editing it, reporting syntax errors and unused aliases: run visudo -c (add -f /path/to/file to check a file other than /etc/sudoers, for instance a fragment destined for /etc/sudoers.d). This prints something like:

visudo: Warning: unused Cmnd_Alias DELEGATING
visudo: Warning: unused Cmnd_Alias LOCATE
visudo: Warning: unused Cmnd_Alias STORAGE
/etc/sudoers: parsed OK

Otherwise the syntax is checked when you leave the editor; if an error is found, visudo asks what to do:

>>> /etc/sudoers: syntax error near line 29 <<<
What now? 
Options are:
  (e)dit sudoers file again
  e(x)it without saving changes to sudoers file
  (Q)uit and save changes to sudoers file (DANGER!)

What now? Q

This is why visudo is such a great tool. Keep in mind that sudo refuses to run at all when /etc/sudoers (or a file it includes) has a syntax error, so answering Q here can lock every administrator out of sudo on the host: edit again, or quit without saving.

Note : Discover more of this tool with the classic man visudo.
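Here is an added example (not from the original post) of how a deployment script should use visudo: validate a fragment with visudo -c -f, then install it into /etc/sudoers.d with the 0440 mode sudo requires. It assumes visudo is on PATH, that the script runs as root, and that /etc/sudoers includes the sudoers.d directory (as Debian, Ubuntu, Fedora and RHEL ship it). SAMPLE_FRAGMENT and SAMPLE_REPORT are constructed inputs; the function names are the example's own.

```python
# Added example (not part of the original post): validate a sudoers
# fragment with `visudo -c -f` and only then install it into /etc/sudoers.d.
# Assumptions: visudo is on PATH, the caller is root, and the drop-in
# directory is included from /etc/sudoers. SAMPLE_REPORT is a constructed
# copy of the kind of text `visudo -c` prints (see above).
import os
import subprocess
import tempfile

SAMPLE_FRAGMENT = "paul ALL=(ALL) /usr/bin/yum, /sbin/mount, NOPASSWD: /sbin/parted\n"

SAMPLE_REPORT = """\
visudo: Warning: unused Cmnd_Alias STORAGE
/tmp/sudoers.new: parsed OK
"""


def parse_visudo_report(output):
    """Split visudo -c output into (parsed_ok, warnings, errors)."""
    ok, warnings, errors = False, [], []
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("parsed OK"):
            ok = True
        elif "Warning:" in line:
            warnings.append(line.split("Warning:", 1)[1].strip())
        elif line:
            errors.append(line)
    return ok, warnings, errors


def fragment_name_ok(name):
    """sudo silently ignores files in /etc/sudoers.d whose name contains a
    '.' or ends in '~' (editor backups, package leftovers such as
    foo.rpmsave). Refuse such names instead of installing a no-op file."""
    return bool(name) and "/" not in name and "." not in name and not name.endswith("~")


def check_with_visudo(text):
    """Run `visudo -c -f` on the text and return parse_visudo_report()'s tuple.
    Check mode also verifies owner and mode, so the temporary file gets the
    0440 mode a real sudoers file must have (owner: whoever runs this, hence
    the root assumption)."""
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(text)
        path = tmp.name
    try:
        os.chmod(path, 0o440)
        proc = subprocess.run(["visudo", "-c", "-f", path],
                              capture_output=True, text=True)
        return parse_visudo_report(proc.stdout + proc.stderr)
    finally:
        os.unlink(path)


def install_fragment(text, name, sudoers_d="/etc/sudoers.d"):
    """Install a fragment only if visudo accepts it; returns (path, warnings).

    The file is first written under a temporary name containing a '.', so
    sudo ignores it until the atomic rename: a half-written file is never live."""
    if not fragment_name_ok(name):
        raise ValueError("sudo would ignore a file named %r" % name)
    ok, warnings, errors = check_with_visudo(text)
    if not ok:
        raise ValueError("visudo rejected the fragment: " + "; ".join(errors))
    dest = os.path.join(sudoers_d, name)
    tmp = dest + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o440)
    os.rename(tmp, dest)
    return dest, warnings


if __name__ == "__main__":
    print(parse_visudo_report(SAMPLE_REPORT))
    print(install_fragment(SAMPLE_FRAGMENT, "paul-storage"))
```

Run as root; a non-root user will see visudo reject the temporary file's ownership before anything is written. Rejecting names with a dot is deliberate: a configuration-management run that writes paul-storage.conf reports success while sudo never reads the file.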

 

 

2 sudoers : Basics

This is the important part: what you need to understand to get basic control of sudo rights on a Linux box.

Note : Some sudoers explanatory web sites use EBNF grammars (see http://www.garshol.priv.no/download/text/bnf.html for a comprehensive explanation). Although it can look a bit hard to get into, it is definitely useful once you are through it. If you have some time to spare, try it!

 

2.1 First step in

When you first open the sudoers file, the only uncommented rule is typically:

root ALL=(ALL)  ALL

Let's use this line to explain the basics of the sudoers syntax. There are four fields:

  1. root : the user(s) to whom the rule applies
  2. ALL : the host(s) on which the rule applies (where the sudo command is run)
  3. (ALL) : the user(s) the command may be run as
  4. ALL : the command(s) that may be run through sudo

This can literally be read as: the user root (1) can execute ALL commands (4) as ALL users (3) on ALL hosts (2).

Note : The numbers in parenthesis are references to the above numbered list, to ease the understanding.

 

2.2 Basic syntax

The basic syntax of a sudoers rule can be described as:

USER HOSTS=(AS_USER) [NOPASSWD:] COMMAND
  • USER can be any of: an existing user name, a uid prefixed with # (#1000), a system group prefixed with % (%wheel), a netgroup prefixed with + (+admins), a User_Alias, or ALL
  • HOSTS can be any combination of: host names, IP addresses, networks (IP/netmask or CIDR), netgroups, a Host_Alias, or ALL; wildcards are allowed in host names
  • (AS_USER) can be any of: an existing user name, a #uid, a %group, a Runas_Alias, or ALL; the form (user:group) also sets the group the command runs with
  • COMMAND can be any of: the full path of an existing command (optionally followed by the arguments it may be called with), a Cmnd_Alias, or ALL; several entries are separated by commas
  • [NOPASSWD:] is a tag specifying that the following commands may be run WITHOUT being prompted for a password (quite dangerous: use at your own risk). It applies to every command that follows it in the list until a PASSWD: tag switches password checking back on.

Note : For more details about extended syntaxes and functionalities (ALIASES) see the Advanced Sudoers Syntax section below.

 

2.3 Basic examples

Here are some basic examples that may help you understand the basics of the sudoers file.

Note : It is usually more convenient and more powerful to use the advanced features described in the Advanced Sudoers Syntax section below.

  1. Allow the user pier to run ALL commands from anywhere as root:
    pier   ALL=(ALL)       ALL
  2. Same as above but without any password prompt (!)
    pier   ALL=(ALL)      NOPASSWD: ALL
  3. Allow the user paul to run yum, mount and ifconfig commands from anywhere as root:
    paul ALL=(ALL) /usr/bin/yum, /sbin/mount, /sbin/ifconfig
  4. You may also mix commands that require a password and "password-free" ones on one line. In the example below paul may run parted without any password prompt, but is still asked for one for yum, mount and ifconfig:
    paul ALL=(ALL) /usr/bin/yum, /sbin/mount, /sbin/ifconfig, NOPASSWD: /sbin/parted

 

 

3 sudoers : Advanced

This is where you will learn the best of the sudoers file: its extended possibilities.

3.1 Aliases

After what we have seen in the Basic syntax section above, let us have a deeper look at what this file has to offer to a sysadmin.

In the following syntax :

USER PLACES=(AS) COMMAND

we may use aliases to gain more control and flexibility. The possible aliases are:

  • User_Alias
  • Cmnd_Alias
  • Host_Alias
  • Runas_Alias

Note : An alias name must start with an uppercase letter and may then contain only uppercase letters, digits and underscores.

 

3.1.1 Generalities about Aliases

Two special characters are available in the sudoers syntax:

– "!" negates the item that follows it. In this example LIMITED_USERS means the users that are in the USERS alias but not in the WEBMASTERS alias (sudo evaluates a list so that a later matching item overrides an earlier one, so write the exclusion after the item it restricts):

User_Alias LIMITED_USERS = USERS, !WEBMASTERS

– "*" is a wildcard that matches as in shell globbing (not as in a regular expression!). In command arguments the whole argument string is matched as one unit, so "*" also matches across spaces; check man sudoers for the details before relying on it.
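The argument-matching rule matters more than it looks. The following added example (not from the original post) reimplements sudoers' command matching as described in sudoers(5), in Python, to show what a wildcard in a command's arguments actually allows; every spec and command line in it is constructed for illustration, and the wrapper-script path is an assumption.

```python
# Added example (not part of the original post): how sudoers matches a
# command specification against what the user actually typed, following
# sudoers(5): the program path must match (wildcards in the path are
# expanded with glob(3), so they never cross a "/"); a spec with no
# arguments matches any arguments; the empty string "" matches only a
# command run with no arguments; otherwise the typed arguments are joined
# with single spaces and matched with fnmatch(3) as ONE string, so a "*"
# also matches across word boundaries. All specs and command lines below
# are constructed for illustration.
import fnmatch


def path_matches(pattern, path):
    """glob(3)-style: compare one path component at a time."""
    pparts, parts = pattern.split("/"), path.split("/")
    return len(pparts) == len(parts) and all(
        fnmatch.fnmatchcase(part, pat) for pat, part in zip(pparts, parts))


def cmnd_matches(spec, argv):
    """True if the sudoers Cmnd `spec` allows the command line `argv`."""
    spec_path, _, spec_args = spec.strip().partition(" ")
    spec_args = spec_args.strip()
    if not path_matches(spec_path, argv[0]):
        return False
    if spec_args == "":            # no arguments in the spec: anything goes
        return True
    typed = " ".join(argv[1:])
    if spec_args == '""':          # explicit empty string: no arguments at all
        return typed == ""
    return fnmatch.fnmatchcase(typed, spec_args)


def wildcard_demo():
    """A rule meant to allow cleaning one cache directory, and what else it
    accepts because '*' matches spaces and '..' as readily as file names."""
    spec = "/bin/rm -rf /srv/cache/*"
    wrapper = '/usr/local/sbin/clear-cache ""'      # assumed helper script
    return {
        "intended": cmnd_matches(spec, ["/bin/rm", "-rf", "/srv/cache/tmp"]),
        # '*' swallows "x /": a second argument, the root directory
        "extra_argument": cmnd_matches(spec, ["/bin/rm", "-rf", "/srv/cache/x", "/"]),
        # '*' happily matches "../../etc" too
        "traversal": cmnd_matches(spec, ["/bin/rm", "-rf", "/srv/cache/../../etc"]),
        # the safer shape: a wrapper script that takes no arguments at all
        "wrapper_ok": cmnd_matches(wrapper, ["/usr/local/sbin/clear-cache"]),
        "wrapper_with_args": cmnd_matches(wrapper, ["/usr/local/sbin/clear-cache", "/"]),
    }


if __name__ == "__main__":
    for name, allowed in wildcard_demo().items():
        print("%-18s %s" % (name, "ALLOWED" if allowed else "denied"))
```

The lesson for rule writers: put the variable part in a root-owned wrapper script that takes no arguments and grant that script with "" as its argument spec, rather than granting the underlying tool with a wildcard.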

 

3.1.2 User_Alias

A User_Alias is a kind of custom group that is only used within this sudoers file. As stated in the sudoers file itself : These aren’t often necessary, as you can use regular groups.

  • Sudoers groups
    User_Alias USERS = tom, dick, harry
  • System groups
    When using a "system group" (a group that belongs to the OS), prefix its name with a percent sign (%):

    User_Alias ADMINS = %admin
  • Network group
    When using a "network group" (a NIS or LDAP netgroup), use a plus sign (+) instead of the percent sign, as in:

    User_Alias NET_USERS = jim, john, dick, +netgroup
  • Exclusion
    It is also possible to exclude a given alias from another alias. In the following example LIMITED_USERS contains every user that is in the USERS alias BUT NOT in ADMINS or in NET_USERS:

    User_Alias LIMITED_USERS = USERS, !ADMINS, !NET_USERS

Note : You can still specify your own User_Alias if you feel the need to, as :

User_Alias ALIAS = username1, username2

Where :

  • User_Alias is a keyword
  • ALIAS is the name of your User_Alias (the one you will use later in the sudoers file)
  • username is a user name, a uid (prefixed by a #), a %group, a +netgroup or another User_Alias you want to add to ALIAS. Multiple entries are comma separated.

 

3.1.3 Cmnd_Alias

A Cmnd_Alias is a group of (usually) related commands. You can find the most common Cmnd_Aliases within the sudoers file itself, sorted by domain (networking, software installation, ...).
Note : You can also specify your own Cmnd_Alias as:

Cmnd_Alias ALIAS = /path/to/command1, /path/to/command2, /path/to/command3

Where :

  • Cmnd_Alias is a keyword
  • ALIAS is the name of your Cmnd_Alias (the one you will use later in the sudoers file)
  • /path/to/command is the full path of a command (optionally with arguments, or a glob such as /path/to/*.bash) to add to the Cmnd_Alias ALIAS. Multiple commands are comma separated.

 

Examples :

Cmnd_Alias ALIAS1 = /path/to/command1, /path/to/command2, /path/to/*.bash
Cmnd_Alias ALIAS2 = /path/to/command1, ALIAS1

 

3.1.4 Host_Alias

A Host_Alias is just like any other alias: it groups multiple hosts within a single object. Valid hosts are: host names, IP addresses, networks (IP/netmask or CIDR), netgroups (prefixed with '+') and other Host_Aliases.

Examples :

Host_Alias WEB_HOST = www, 201.55.10.231/16, *.cavepopo.free.fr

 

3.1.5 Runas_Alias

A Runas_Alias groups the target users (and groups) that a command may be run as, so that a single rule can grant several different "run as" identities. Like a User_Alias it may contain: user names, system groups (prefixed with %), netgroups (prefixed with +) and uids (prefixed with #).

Note : Names are matched as strings: two users (or groups) with the same uid (gid) but different names are seen as distinct here. To match every account sharing a uid, use the uid form (#0 matches both root and toor, for example).

 

 

3.2 Advanced examples

Here are some advanced examples that may help you in a "sysadmin" context.

We may want to create our own aliases before writing a useful and secure sudoers file. The following aliases are defined for the examples, but may also be useful in a "real life" context.

  • Custom ALIASES
    Cmnd_Alias SIMULATOR_COMMANDS = /usr/bin/command1, /usr/bin/command2
    User_Alias SIMULATOR_USER = pdurand, pdupond, jpdupont

Examples :

  1. Allow the users of the SIMULATOR_USER alias to run the commands of SIMULATOR_COMMANDS on the host 192.168.56.88 as peter:
    SIMULATOR_USER   192.168.56.88 = (peter)       SIMULATOR_COMMANDS
  2. Allow the user paul to run yum, mount and ifconfig commands from anywhere as root:
    paul ALL=(ALL) /usr/bin/yum, /sbin/mount, /sbin/ifconfig
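To check what rules like these grant in practice, here is an added example (not code from the original post): a Python reader for the sudoers subset used on this page (sections 2.2, 2.3 and 3.1 to 3.2). It parses the four alias kinds, expands nested aliases and "!" exclusions, applies the last-match rule sudo uses when walking a list, and lists the effective rules for one user on one host. It skips Defaults lines and does not handle backslash continuations, inline "#" comments, user:group runas specs, #uid or +netgroup members, or CIDR host entries (those members simply never match). SAMPLE_SUDOERS is a constructed file that reuses alias names from this post; the function names are the example's own.

```python
# Added example (not part of the original post): a reader for the sudoers
# subset used on this page. It flattens the four alias kinds (nested aliases
# and "!" exclusions included) and lists the effective rules for one user on
# one host. The sample file is constructed; alias names come from this post.
SAMPLE_SUDOERS = """\
Cmnd_Alias SIMULATOR_COMMANDS = /usr/bin/command1, /usr/bin/command2
Cmnd_Alias STORAGE = /sbin/mount, /sbin/umount, SIMULATOR_COMMANDS
User_Alias USERS = tom, dick, harry
User_Alias ADMINS = %admin, pdurand
User_Alias LIMITED_USERS = USERS, !ADMINS
Host_Alias WEB_HOST = www, 192.168.56.88
Runas_Alias OP = peter, #0
Defaults requiretty, env_reset
root            ALL = (ALL) ALL
LIMITED_USERS   WEB_HOST = (OP) STORAGE, NOPASSWD: /sbin/parted
pdurand         192.168.56.88 = (peter) SIMULATOR_COMMANDS
"""
ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def split_list(text):
    return [p.strip() for p in text.split(",") if p.strip()]

def is_tag(word):                  # NOPASSWD:, NOEXEC:, SETENV:, ...
    return word.endswith(":") and word[:-1].isupper() and word[0].isalpha()

def parse_sudoers(text):
    """Return (aliases, specs): aliases[kind][NAME] -> raw member list;
    specs -> [{users, hosts, runas, cmds}], cmds being [(tags, item)]."""
    aliases = {k: {} for k in ALIAS_KINDS}
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):   # comments, Defaults
            continue
        head, _, rest = line.partition(" ")
        if head in ALIAS_KINDS:
            name, _, members = rest.partition("=")
            aliases[head][name.strip()] = split_list(members)
            continue
        left, _, right = line.partition("=")
        users, hosts = left.rsplit(None, 1)
        right = right.strip()
        runas = ["root"]           # no Runas_Spec: the runas_default, root
        if right.startswith("("):
            inner, _, right = right[1:].partition(")")
            runas = split_list(inner)
        cmds, tags = [], set()     # a tag sticks to every later item of the list
        for item in split_list(right):
            words = item.split()
            while words and is_tag(words[0]):
                tag = words.pop(0)
                tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
                tags.add(tag)
            cmds.append((sorted(tags), " ".join(words)))
        specs.append({"users": split_list(users), "hosts": split_list(hosts),
                      "runas": runas, "cmds": cmds})
    return aliases, specs

def expand(kind, members, aliases, seen=()):
    """Flatten alias names into (negated, value) pairs; detects alias loops."""
    out = []
    for m in members:
        neg = False
        while m.startswith("!"):
            neg, m = not neg, m[1:]
        if m in aliases[kind]:
            if m in seen:
                raise ValueError("alias loop through " + m)
            out += [(neg ^ n, v) for n, v in
                    expand(kind, aliases[kind][m], aliases, seen + (m,))]
        else:
            out.append((neg, m))
    return out

def list_matches(pairs, pred):
    """sudo walks a list from its end: the last matching item decides."""
    for negated, value in reversed(pairs):
        if pred(value):
            return not negated
    return False

def effective_rules(text, user, groups=(), host="localhost", ip=None):
    """Rules granted to `user` (member of `groups`) on `host` / `ip`."""
    def user_ok(m):                # "#uid" and "+netgroup" never match here
        return m == "ALL" or (m[1:] in groups if m.startswith("%") else m == user)
    aliases, specs = parse_sudoers(text)
    rules = []
    for spec in specs:
        users_ok = list_matches(expand("User_Alias", spec["users"], aliases), user_ok)
        hosts_ok = list_matches(expand("Host_Alias", spec["hosts"], aliases),
                                lambda m: m in ("ALL", host, ip))
        if not (users_ok and hosts_ok):
            continue
        runas = [("!" if n else "") + v for n, v in expand("Runas_Alias", spec["runas"], aliases)]
        for tags, item in spec["cmds"]:
            for negated, cmd in expand("Cmnd_Alias", [item], aliases):
                rules.append({"runas": runas, "tags": tags,
                              "command": cmd, "negated": negated})
    return rules
```

effective_rules(SAMPLE_SUDOERS, "tom", host="www") returns five rules (mount, umount, the two simulator commands, and parted carrying the NOPASSWD: tag) runnable as peter or uid 0, while the same call for pdurand returns nothing, because the !ADMINS exclusion is evaluated after the USERS membership. Feed the real file to parse_sudoers and loop over your users to see who ends up with ALL or a NOPASSWD: entry.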


5 thoughts on "sudo command & sudoers file : Concepts and Practical examples"


  2. Andres Ferreo

    I'd like to add a netgroup in sudoers instead of a group. Is that possible? How should I do this setup?

    Thanks.

    1. Pier Post author

      In order to use a netgroup in the sudoers file, you just need to explicitly define it as a netgroup by using the “+” sign (instead of a “%” sign that would be used for a system group).

      You will need to include this netgroup inside a User_Alias (you may want to create a new User_Alias for this purpose)

      Please check the “3.1.2 User_Alias” section for more infos, and feel free to ask for more detailed explanation.

      Hope this helps.

      Pier.

  3. Matthew

    Great info, I'm just diving into the world of this, and was trying to figure out how to limit a login to running a cache clearing command

    user ALL=NOPASSWD: rm -rf /usr/nginx/cache/*

    but I got a syntax error

    1. Pier Post author

      Hi,

      Looks like you forgot the following part of the command spec:
      3. (ALL) : This is the part that specify which user(s) you may act as.

      Check section 2.1 of the current page; you may want to have something like:
      user ALL=(ALL) NOPASSWD: /sbin/rm -rf /usr/nginx/cache/*

      Always use the full path for any given command: this prevents a bad alias of the command from being used.
