Delegating limited superuser access with sudo

As your network grows, so will your range of responsibilities. At some stage a system administrator may want to delegate limited responsibilities to other users. Sudo is a package built for this purpose. Instead of giving your root password to other users or making numerous programs setuid root (so that they run as root), you can use sudo (which stands for "superuser do") to allow them to run certain commands as the superuser (or as another user). Sudo allows you to strictly limit which users can invoke it and which commands they can execute.

All settings for sudo are specified in "/etc/sudoers". Users enter sudo mode by issuing this command:
$ sudo [command]
sudo then demands a password and checks the configuration file (/etc/sudoers) to make sure you have "sudo" permission to run that command on that particular machine. If the user provides the correct password and is allowed to execute that command, the command is executed. Otherwise, sudo logs the access attempt. Once you are authenticated by sudo, you can execute multiple commands without being prompted for your password again. This "ticket" expires five minutes after the last time you use the sudo command.

Features of sudo

  • The ability to restrict what commands a user may run on a per-host basis.
  • Logging of each command, providing a clear audit trail of who did what. When used in tandem with syslogd, the system log daemon, sudo can log all commands to a central host (as well as on the local host).
  • Sudo uses timestamp files to implement a "ticketing" system. When a user invokes sudo and enters their password, they are granted a ticket for 5 minutes (this time-out is configurable at compile-time). Each subsequent sudo command updates the ticket for another 5 minutes. This avoids the problem of leaving a root shell where others can physically get to your keyboard.
  • Sudo's configuration file, the sudoers file, is set up in such a way that the same sudoers file may be used on many machines. This allows for central administration while keeping the flexibility to define a user's privileges on a per-host basis.

Structure of /etc/sudoers

/etc/sudoers is structured in sections:
  • Commands that sudo users can run.
  • Host aliases including hosts, netgroups, IP addresses, and networks (if any).
  • User aliases (if any).
  • User specifications, including host types, host IPs, the authorized users list, and which user each one runs as (typically root).

Sudoers is a security-sensitive file, like /etc/passwd. You should always edit it with the tool "visudo", which comes with the sudo distribution. visudo closely resembles vipw. Its purpose is to provide you with a safe, clean means of editing "/etc/sudoers": it locks the file while you edit it, scans for syntax errors, and will not allow you to commit a file that contains them.

Sample "/etc/sudoers" file

#****************************
#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
# All the command paths listed are for Red Hat Linux

##
# User alias specification
##
User_Alias      FULLTIMERS = [ comma-delimited list of users ]
User_Alias      PARTTIMERS = [ comma-delimited list of users ]

##
# Runas alias specification
##
Runas_Alias     OP = root, operator

##
# Host alias specification
##
Host_Alias      CUNETS = [ comma-delimited list of host IPs ]
Host_Alias      CSNETS = [ comma-delimited list of host IPs ]

##
# Cmnd alias specification
##
Cmnd_Alias      KILL = /usr/bin/killall
Cmnd_Alias      SHUTDOWN = /sbin/shutdown
Cmnd_Alias      HALT = /sbin/halt
Cmnd_Alias      REBOOT = /sbin/reboot
Cmnd_Alias      SHELLS = /bin/sh, /bin/csh
Cmnd_Alias      SU = /bin/su
Cmnd_Alias      VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                       /usr/bin/chfn

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root            ALL = (ALL) ALL
%wheel          ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS      ALL = NOPASSWD: ALL

# kapil may run all the commands under VIPW on machines in CSNETS
kapil           CSNETS = VIPW

# jerry may run any command on any host in CUNETS
jerry           CUNETS = ALL
#*************************** 
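
A grant list like the one above is worth reviewing for entries that amount to full root. The following is an added example, not part of the original article: it expands the Cmnd_Alias entries and reports broad grants per user. The users alice, bob and carol, the CSNETS address range and carol's rule are constructed, and the parser assumes aliases are defined before the rules that use them, as in the sample file.

```python
import re

# Constructed sudoers text modelled on the sample file; alice, bob and carol are made up.
SAMPLE = r"""
User_Alias      FULLTIMERS = alice, bob
Host_Alias      CSNETS = 192.0.2.0/24
Cmnd_Alias      SHELLS = /bin/sh, /bin/csh
Cmnd_Alias      SU = /bin/su
Cmnd_Alias      VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                       /usr/bin/chfn
%wheel          ALL = (ALL) ALL
FULLTIMERS      ALL = NOPASSWD: ALL
kapil           CSNETS = VIPW
carol           ALL = SHELLS, SU
"""

# Commands that amount to full root when granted with no argument restriction.
RISKY = {"/bin/sh": "root shell", "/bin/csh": "root shell", "/bin/su": "root shell",
         "/usr/sbin/vipw": "can alter any account", "/usr/bin/passwd": "can alter any account"}

def audit(text):
    """Return {who: sorted findings} for simple 'who hosts = commands' rules."""
    text = re.sub(r"\\\n\s*", " ", text)              # join continued lines
    aliases, report = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        left, right = line.split("=", 1)
        parts = left.split()
        if parts[0].endswith("_Alias"):
            if parts[0] == "Cmnd_Alias":
                aliases[parts[1]] = [c.strip() for c in right.split(",") if c.strip()]
            continue
        findings = {"no password required"} if "NOPASSWD:" in right else set()
        right = re.sub(r"\([^)]*\)|\w+:", " ", right)  # drop (runas) lists and tags
        for item in filter(None, (c.strip() for c in right.split(","))):
            for cmd in aliases.get(item, [item]):
                path = cmd.split()[0]
                if cmd == "ALL":
                    findings.add("any command")
                elif path in RISKY:
                    findings.add(f"{RISKY[path]} via {path}")
        if findings:
            report[parts[0]] = sorted(findings)
    return report

if __name__ == "__main__":
    print("\n".join(f"{who}: {'; '.join(f)}" for who, f in audit(SAMPLE).items()))
```

The VIPW findings follow from the alias listing /usr/sbin/vipw and /usr/bin/passwd with no arguments, which lets the user run them with any arguments.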

In a nutshell
"Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis, it is not a replacement for the shell."


This article is Copyright (c) 2000 by Kapil Sharma. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

 

Written by: Kapil Sharma
Website: http://www.linux4biz.net
[Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux/Unix systems and Internet Security for more than 4 years. He is maintaining a web site http://www.linux4biz.net for providing free as well as commercial support for web, Linux and Unix solutions.]
