Learn how to secure your system and limit user access using sudo configuration. It helps to restrict superuser privileges of the normal user for a specific command
Many times there is a requirement where a normal user on system needs superuser privileges to run some commands. There are options to this situation which are like sharing the password of the superuser account so the user can su to that user or declaring UID 0 to the user making him superuser himself. Both options open pandora box to user granting him limitless power on the system. This is dangerous and not at all a good practice to compromise the whole system for a few commands. The alternative is sudo !
What is sudo ?
Sudo stands for ‘superuser do’. Sudo grants superuser (or other user’s) privileges to another user for specific/all commands. Normally sudo used to grant superuser privileges to other users hence ‘superuser do’ stand perfect for it. The beauty of sudo is you can define user access command wise. So that user is restricted to only defined commands and your system is secured from the user doing stuff with root privileges without your knowledge.
Sudo configuration :
Let’s see sudo configuration step by step. Here we will assign user usr5 sudo
permission to execute apache bounce commands.
First of all, you need to check if sudo package is installed on your system or not.
# rpm -qa |grep sudo (RHEL, CentOS, Fedora)
sudo-1.6.7p5-30.1.5
# dpkg -s sudo (Debian, Ubuntu)
Package: sudo
Status: install ok installed
Priority: optional
---- output clipped ----
If not installed, then install it using yum or apt depending on your Linux distro.
Once installed, you will be able to edit /etc/sudoers
file which is sudo configuration file. This is a plain text file that can be opened using vi editor. But its recommended to edit it using visudo
command. visudo
command opens /etc/sudoers
file safely and maintains the integrity of the file. It’s the same way vipw command safely edits /etc/passwd file.
# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
See above sample sudoers file.
We will see each section of this file one by one:
1: Host alias specification –
Host alias is a list of one or more hostnames, IP addresses, network numbers, or netgroups. This alias is defined so that group of hosts can be defined in configuration with a single name.
Host_Alias SERVERS = 10.10.5.1, 10.10.5.2, testsrv1, testsrv3
Host_Alias NETWORK = 192.168.0.0/255.255.255.0
In the above example, we are defining SERVERS
alias for 4 machines declared using IP or hostname. So any sudo settings defined for SERVERS
will be applicable for all 4 machines. This saves the hassle to write all 4 machine details in each and every time in settings, only writing SERVERS
will serve the purpose. Also, alias NETWORK
for the range defined.
2: User alias specification –
User alias is list of one or more users, groups, uids etc.
User_Alias ADMINS = %admin
User_Alias USERS = user4, oracle65, testuser, #4523
In the above example, all users under system group admin are covered under alias ADMINS
. Also we defined USERS
alias for 4 machine users. #4523 indicates user with uid 4523.
3: Cmnd alias specification –
Its a list of commandnames, files, or directories. Commandnames includes is a complete command with wildcards support.
Cmnd_Alias ADMIN_CMDS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
Cmnd_Alias APACHE_CMDS = /etc/init.d/apache2
In the above examples we defined ADMIN_CMDS
and APACHE_CMDS
aliases for a list of commands listed in front of them.
4: User privilege section –
Here actual sudo setting for a user defined. Line root ALL=(ALL) ALL
indicates, account root can execute any commands from any hosts as any user. If we want to define usr5 to execute apache commands then the line will be –
usr5 ALL=(ALL) NOPASSWD: APACHE_CMDS
Here usr5 is allowed to run commands defined under alias APACHE_CMDS
without password from all hosts. If NOPASSWD
is not mentioned, the user will be prompted for his own password again before executing a command like below (RHEL).
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for <user>:
5: Run_as alias –
Here you define a list of users. This alias is used to run a command as a different user.
Examples :
Here are few examples to understand how config file works :
ADMINS ALL= /sbin/poweroff
Allows any ADMINS
users to run poweroff command from any host.
%users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
Allows users under group ‘users’ to mount and unmount /cdrom
from any host.
testuser SERVERS=(root) ADMIN_CMDS
Allows user ‘testuser
‘ to run commands defined under ADMIN_CMDS
from hosts defined user SERVERS
as user root.
testuser ALL=(ALL) NOPASSWD: /usr/bin/su -
Allows user ‘testuser
‘ to run command su -
without any password. This is an example of how to add commands with arguments in sudo configuration.
Defaults targetpw
Allow users to run commands with their own password. sudo
will asks password of the same user before executing su
. You need to un-comment the above parameter in sudoers
file.