Granting Limited Rootly Powers with sudo

If you would like to delegate some system administration chores to other users, or set up an extra layer of safety for your own root chores, use sudo. sudo grants limited rootly powers to specific users for specific tasks, logs activity, and does not give away root’s password.

Let’s say that you have a user, jhaugh, upon whom you wish to bestow full rootly powers. Because sudo users use their own passwords, root’s password is protected. Edit /etc/sudoers with visudo—it will open in your default text editor:

# visudo
# sudoers file.
#
# This file MUST be edited with the ‘visudo’
# command as root.
# See the man page for details on how to write
# a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification

root ALL=(ALL) ALL

First, set up a host alias:

Host_Alias LOCALHOST= localhost

Under the “User privilege specification” line, you can add individual users:

jhaugh ALL=(ALL) ALL

This gives jhaugh root powers for everything on the system and on all connected machines. Now say you have another user, tgwynne, who needs root privileges only on the local machine. Add the following line for this user:

tgwynne LOCALHOST = ALL

Adding to your delegation of minions is msmith, who is allowed only to shut down the local machine:

msmith LOCALHOST = /sbin/shutdown, /sbin/halt

This grants groups of ordinary users shutdown privileges on their own machines:

# Host alias specification
Host_Alias LOCALHOST= localhost
# User alias specification
User_Alias USERS = tgwynne, msmith, jhaugh, \
abyron, jwinters

# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown, /usr/sbin/halt, \
/usr/sbin/reboot, /usr/sbin/poweroff

# User privilege specification
USERS LOCALHOST = SHUTDOWN

To execute a sudo command, users do this:

$ sudo /usr/sbin/halt

They will be prompted for their passwords, then the command will execute. Users can check which commands they are authorized for with the following command:

$ sudo -l

User jhaugh may run the following commands on this host:
(ALL) ALL

sudo logs all errors to the syslog, and tattles to root:

$ sudo /usr/sbin/halt
carla is not in the sudoers file. This incident will be reported.

Groups of servers can be defined, and users can be given privileges to the groups:

# Host alias specification
Host_Alias FILESERVERS = host1, host2, host3
# User alias specification
User_Alias FILESERVADMINS = jhaugh, abyron, jwinters
# Cmnd alias specification
Cmnd_Alias FILEUTILS = /bin/chgrp, /bin/chmod, \
/bin/chown, /bin/cp, /bin/dd, /bin/df, \
/bin/dir, /bin/dircolors, /bin/du, /bin/install, \
/bin/ln, /bin/ls, /bin/mkdir, /bin/mkfifo, \
/bin/mknod, /bin/mv, /bin/rm, /bin/rmdir, \
/bin/shred, /bin/touch, /bin/vdir, /bin/sync
# User privilege specification
FILESERVADMINS FILESERVERS = FILEUTILS

sudo can also be used to let users execute scripts, such as backup scripts. Be very careful with scripts, or any command that gives shell access or invokes a text editor, because these may allow users to escalate their privileges. You can try to restrict sudo users to RJOE, which is a restricted editor that cannot invoke a shell, but it’s better to be careful with how you delegate rootly chores in the first place.
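
A small linter for the slips that are easy to make in alias-based policies like the file-server one above (a misspelled alias name, a command path without its leading slash) and for the shells and editors the last paragraph warns about. This is an added example, not part of the original article; the sample fragment is constructed, and the function names and the SHELL_CAPABLE list are assumptions made for illustration.

```python
import re

# Constructed sample: a file-server policy seeded with three mistakes
# (alias name missing its final S, a relative command path, an editor).
SAMPLE = r"""
# Host alias specification
Host_Alias FILESERVERS = host1, host2, host3
User_Alias FILESERVADMINS = jhaugh, abyron, jwinters
Cmnd_Alias FILEUTILS = /bin/chgrp, /bin/chmod, \
    bin/mv, /bin/rm
FILESERVADMIN FILESERVERS = FILEUTILS, /usr/bin/vi
"""

ALIAS_DEF = re.compile(r"(Host|User|Runas|Cmnd)_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.*)")
ALIAS_NAME = re.compile(r"[A-Z][A-Z0-9_]*")
# Assumption: a short illustrative list of shells and editors, not exhaustive.
SHELL_CAPABLE = {"sh", "bash", "vi", "vim", "nano", "emacs", "less"}

def check_commands(label, cmd_list, defined, findings):
    for cmd in (c.strip() for c in cmd_list.split(",")):
        if not cmd:
            continue
        path = cmd.split()[0]                      # ignore command arguments
        if ALIAS_NAME.fullmatch(path):
            if path not in defined:
                findings.append(f"{label}: alias {path} is not defined")
        elif not path.startswith("/"):
            findings.append(f"{label}: '{path}' is not an absolute path")
        elif path.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            findings.append(f"{label}: '{path}' is a shell or editor")

def lint_sudoers(text):
    """Lint a sudoers fragment. Simplified: no tags, Defaults or #include."""
    joined = re.sub(r"\\\n\s*", " ", text)         # join continued lines
    lines = [l.split("#", 1)[0].strip() for l in joined.splitlines()]
    defs = [m for m in map(ALIAS_DEF.fullmatch, lines) if m]
    defined = {"ALL"} | {m.group(2) for m in defs}
    findings = []
    for m in defs:
        if m.group(1) == "Cmnd":
            check_commands(m.group(2), m.group(3), defined, findings)
    for rule in (l for l in lines if l and not ALIAS_DEF.fullmatch(l)):
        who_where, _, cmds = rule.partition("=")   # user host = (runas) cmds
        for word in who_where.replace(",", " ").split():
            if ALIAS_NAME.fullmatch(word) and word not in defined:
                findings.append(f"rule: alias {word} is not defined")
        cmds = re.sub(r"^\s*\([^)]*\)", "", cmds)  # drop a (runas) prefix
        check_commands("rule", cmds, defined, findings)
    return findings
```

Call lint_sudoers() on a draft before installing it; it complements the syntax check visudo performs and does not replace it.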
