Sudoers

Differences between revisions 1 and 8 (spanning 7 versions)
Revision 1 as of 2007-02-11 10:47:07
Size: 4791
Editor: 88-110-18-58
Comment:
Revision 8 as of 2008-08-06 16:59:47
Size: 52
Editor: localhost
Comment:
= The Sudoers File =
The sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).

== Editing the sudoers file ==
Because sudo is such a powerful program, you must take care not to put anything incorrectly formatted into the file. To keep bad syntax out of the file, always edit it with the command {{{visudo}}}, which must be run as root or via sudo ({{{sudo visudo}}}); visudo checks the syntax before saving. Note that the default editor used by visudo on Ubuntu is nano (not vi or vim).

The sudoers file is read in one pass so when multiple entries match for a user, they are applied in order. Where there are conflicting values, the last match is used (which is not necessarily the most specific match). Also you must set an alias before you can use it. Normally you will set the aliases at the beginning of the file and then set the user specifications after all the aliases are laid out.

You can insert comments by prefixing them with a #, but note that a # followed by a number denotes a uid in certain parts of the file rather than a comment.

== Aliases ==
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Each alias definition is of the form:
 Alias_Type NAME = item1, item2, ...
Where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias or Cmnd_Alias. An alias name is a string of uppercase letters, numbers and underscores starting with an uppercase letter. You can put several aliases of the same type on one line by separating them with colons (:), like so:
 Alias_Type NAME1 = item1, item2 : NAME2 = item3

You can include other aliases in an alias specification provided they would normally fit there. For example you can use a user alias wherever you would normally expect to see a list of users (for example in a user or runas alias).

=== User Aliases ===
User aliases are used to specify groups of users. You can specify usernames, system groups (prefixed by a %) and netgroups (prefixed by a +) as follows:
{{{
 # Everybody in the system group "admin" is covered by the alias ADMINS
 User_Alias ADMINS = %admin
 # The users "tom", "dick", and "harry" are covered by the USERS alias
 User_Alias USERS = tom, dick, harry
 # The users "tom" and "mary" are in the WEBMASTERS alias
 User_Alias WEBMASTERS = tom, mary
 # You can also use ! to exclude users from an alias
 # This matches anybody in the USERS alias who isn't in the WEBMASTERS or ADMINS alias
 User_Alias LIMITED_USERS = USERS, !WEBMASTERS, !ADMINS
}}}

=== Runas Aliases ===
Runas aliases are almost the same as user aliases, but you are also allowed to specify users by UID. This is helpful because usernames and groups are matched as strings, so two accounts with the same UID but different usernames will not both be matched by a single username, but can be matched with the UID. For example:
{{{
 # UID 0 is normally used for root
 Runas_Alias ROOT = #0
 # The hash (#) sign on the previous line is to indicate a uid and not a comment.
}}}

=== Host Aliases ===
A host alias is a list of hostnames, IP addresses, networks and netgroups (prefixed with a +). If you do not specify a netmask with a network, the netmask of the host's ethernet interface(s) will be used when matching.
{{{
 # This is all the servers
 Host_Alias SERVERS = 192.168.0.1, 192.168.0.2, server1
 # This is the whole network
 Host_Alias NETWORK = 192.168.0.0/255.255.255.0
 # And this is every machine in the network that is not a server
 Host_Alias WORKSTATIONS = NETWORK, !SERVERS
 # This could have been done in one step with
 # Host_Alias WORKSTATIONS = 192.168.0.0/255.255.255.0, !SERVERS
 # but I think this method is clearer.
}}}

=== Command Aliases ===

Command aliases are lists of commands and directories. You can use this to specify a group of commands. If you specify a directory it will include any file within that directory but not in any subdirectories.

The special command {{{sudoedit}}} allows users to run sudo with the {{{-e}}} flag or as the command {{{sudoedit}}}. If you include command line arguments in a command in an alias, these must exactly match what the user enters on the command line. If you include any of the following characters they will need to be escaped with a backslash (\): ",", "/", ":", "=".

Examples:
{{{
 # All the shutdown commands
 Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt
 # Printing commands
 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/sbin/lprm
 # Admin commands
 Cmnd_Alias ADMIN = /usr/sbin/passwd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/visudo
}}}
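As an added illustration (not part of the original wiki page), here is a small Python checker that applies the alias rules from the sections above: it parses alias definitions, reports the malformed {{{Cmnd_Alias = NAME = ...}}} form and any alias referenced before it is defined (sudoers is read in one pass), and expands {{{!}}} exclusions left to right. The SAMPLE text and the function names are constructed for this example; on a real system the authoritative syntax check is still {{{visudo -c}}}.

```python
import re

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")

# Constructed sample in the syntax described above: several aliases on one
# line separated by ':', '!' exclusions, and '#0' meaning uid 0 (not a comment).
SAMPLE = """\
# Everybody in the system group "admin" is covered by ADMINS
User_Alias ADMINS = %admin
User_Alias USERS = tom, dick, harry : WEBMASTERS = tom, mary
User_Alias LIMITED_USERS = USERS, !WEBMASTERS, !ADMINS
Runas_Alias ROOT = #0
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt
"""

def parse_aliases(text):
    """Return (tables, errors): tables maps alias type -> {NAME: [items]}.
    Errors are collected for malformed definitions and for alias names that
    are referenced before they are defined (the file is read in one pass)."""
    tables = {t: {} for t in ALIAS_TYPES}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # a uid like '#0' never starts a line
            continue
        parts = line.split(None, 1)
        if parts[0] not in ALIAS_TYPES:
            continue                            # user specifications are not handled here
        kind, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for defn in rest.split(":"):
            name, eq, items = (s.strip() for s in defn.partition("="))
            if not eq or not ALIAS_NAME.match(name):
                errors.append(f"line {lineno}: expected 'NAME = items', got {defn.strip()!r}")
                continue
            members = [i.strip() for i in items.split(",") if i.strip()]
            for ref in (m.lstrip("!") for m in members):
                if ALIAS_NAME.match(ref) and ref not in tables[kind]:
                    errors.append(f"line {lineno}: {kind} {ref} used before it is defined")
            tables[kind][name] = members
    return tables, errors

def expand(table, name):
    """Flatten NAME to the set of items it covers. Items apply left to right:
    '!X' removes everything X expands to, so order matters (the last entry wins)."""
    result = set()
    for item in table[name]:
        negate = item.startswith("!")
        ref = item.lstrip("!")
        members = expand(table, ref) if ref in table else {ref}
        result = result - members if negate else result | members
    return result
```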
#REFRESH 0 https://help.ubuntu.com/community/Sudoers

Sudoers (last edited 2008-08-06 16:59:47 by localhost)