Sudo in Linux
Sudoers file is a file which plays a very important role in
managing user and group access which can be performed on system.
You can assign privileges to users and groups as per
requirement. Root is super user and have all access. You can
also provide root level access to normal user.
Root user has all access so it will be risky if we keep root
access open for all. There is one option we used for root
access to normal user using "su -". But again this command
will provide complete access. Now here comes, "sudo" which
can provide privileges as per requirement.
The file "/etc/sudoers" is resposible for all things in sudo.
The users having sudo permissions known as sudo users.
You can use "visudo" command or "vi" editor for editing sudoers
file for playing with sudo access. Once you edited the file then
you can check syntax using below command:
# visudo -c
/etc/sudoers: parsed OKSyntax error will be mentioned if there be any.
Sudo Privileges on User and Group:
Below lines shows sudo privileges for "root" user and "wheel"
group.
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
or
root ALL=(ALL:ALL) ALL
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
%unixadmin ALL=(ALL) ALLOn above sudo configurations for root:
root is the username,
ALL means having access on all servers,
ALL means for all users or (all users and groups),
ALL means for all commands,
Now if we combine all - root user can run all commands on all
hosts as any user from any group.
If we say the same thing for second line for wheel:
User of wheel group can run all commands on all hosts as any
user from any group.
% indicates for group name. You can also defined more groups
like "unixadmin" defined.
There is another line in sudoers file mentioned below which
are used for keeping sudo templates for users.
includedir /etc/sudoers.dLet's configure sudo for normal users "apache1 and apache2" who
are working with http can start/stop/restart httpd services and
can edit its configuration file.
%apadmin ALL = (root) /usr/bin/systemctl status httpd, /usr/bin/systemctl stop httpd, /usr/bin/systemctl start httpd, /usr/bin/systemctl restart httpd, /usr/bin/vi /etc/httpd/conf/httpd.confNow try to check commands if you can run via sudo:
$ sudo systemctl start httpd
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for apache2:
$ systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2023-04-01 15:33:41 IST; 5s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 8381 (httpd)
Status: "Processing requests..."
CGroup: /system.slice/httpd.service
├─8381 /usr/sbin/httpd -DFOREGROUND
├─8382 /usr/sbin/httpd -DFOREGROUND
├─8383 /usr/sbin/httpd -DFOREGROUND
├─8384 /usr/sbin/httpd -DFOREGROUND
├─8385 /usr/sbin/httpd -DFOREGROUND
└─8386 /usr/sbin/httpd -DFOREGROUND
$ Aliases:
Sometimes, we need to provide multiple permissions to
multiple users or on hosts. Either we need to add all details
or we can go with aliases. These are of four types:
User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Below is
the syntax of aliases:
Alias_Type NAME = item, item1, item2, ..
Here Alias_Type is one of thr aliases. NAME is an uppercase
name you decide for your aliase. And here items are your
inputs to aliases.
User aliases allow us to group multiple users within a single
alias name. It is very useful when need same level access to
multiple users.
Host aliases allow us to group multiple hosts within a single
alias name. It is very useful when need same level access to
multiple hosts.
Command aliases allow us to group multiple commands within a
single alias name. It is very useful when we have a large
number of commands that require for multiple users or hosts.
Let's include multiple users in alias first:
User_Alias NIXAD = nix1, nix2, nix3, nix4Now below line will include group named "nadmin". All users in
group nadmin will come under NADMINS alias:
User_Alias NADMINS = %nadminSometimes, you don't want some users to not have the same alias
and for that case you can also exclude those users. Like nix1,
nix2, nix3 and nix4 have ADMINS alias but don't want user
"nix5" to have ADMINS privileges.
User_Alias ADMINS = ADMINS, !nix5You have three aliases above and all users have desired
permissions.
Let's move to command aliases.
We can group multiple commands to make an alias and then we can
use other alias type to perform desired actions.
## Disk Management commands
Cmnd_Alias CMDS_DISK = /usr/sbin/fdisk, /usr/sbin/pvdisplay, /usr/sbin/vgdisplay, /usr/sbin/lvdisplay
## Some Admin commands
Cmnd_Alias CMDS_ADMINS = /usr/bin/passwd, /usr/sbin/userdel, /usr/sbin/useradd, /usr/sbin/usermod
## Reboot and Shutdown
Cmnd_Alias CMDS_REBOOT = /usr/sbin/poweroff, /usr/sbin/rebootThere are host alias as well. You can add hostname or IP
address.
Host_Alias NIXSERVERS = test-vm*In Runas_Alias, you need to defined the UID's of the user id.
Now we can add some enteries in sudoers file and see how these
aliases works.
We have two users nix1 and nix2. Both users want to run few
disk commands. So we will create a user_alias and then assign
those commands.
User_Alias NIXAD = nix1, nix2
NIXAD ALL = (ALL) /usr/sbin/pvdisplay, /usr/sbin/vgdisplay, /usr/sbin/lvdisplay
NIXAD ALL = (ALL) NOPASSWD:/usr/sbin/pvdisplay, /usr/sbin/vgdisplay, /usr/sbin/lvdisplaySimilarly you can perform with different aliases.
Few important notes about sudoers file or with sudo command:
# sudo -V (It will show you sudo version)
# sudo -l (print the commands allowed for user)
# sudo -k (It will invalidate the timestamp of user to sudo command)
# sudo -u nix1 bash (It will give you bash session of user nix1)
# sudo -u nix1 ls /home/nix1 (list the content of /home/nix1 as user nix1)We want to shutdown/reboot our system without asking for
password. I'll create a Cmnd_Alias and then add it to the user
you want to perform.
Cmnd_Alias CMDS_POWEROFF = /usr/sbin/poweroff, /usr/sbin/reboot
nix2 ALL = (ALL) NOPASSWD: CMDS_POWEROFF