Sudoers
Separation of user privileges is one of the main features of Linux operating systems. Normal users operate in limited-privilege sessions, which limits the scope of their influence on the system as a whole. One special user, root, has super-user privileges; this account is not subject to the restrictions placed on normal users. Users can execute commands with super-user (root) privileges in a number of different ways.
There are mainly three different ways to obtain root privileges on a system:
- Log in to the system as root.
- Log in to the system as any user and then use the su - command. This will ask you for the root password and, once authenticated, will give you a root shell session. We can leave this root shell using Ctrl + D or using the exit command. Once exited, we come back to our normal user shell.
- Run commands with root privileges using sudo, without spawning a root shell or logging in as root. The sudo command is used as follows: sudo <command to execute>
Unlike su, sudo will request the password of the user calling the command, not the root password.
sudo does not work out of the box for a user; it has to be set up before it functions correctly.
In the following section, we will see how to configure sudo and modify the /etc/sudoers file so that it works the way we want it to.
visudo
sudo is configured through the /etc/sudoers file, and visudo is the command that enables us to edit that file.
Note: This file should not be edited using a normal text editor, to avoid potential race conditions when other processes update the file at the same time. Instead, the visudo command should be used.
The visudo command opens the file in a text editor as normal, but then validates the syntax of the file upon saving. This prevents configuration errors from blocking sudo operations.
By default, visudo opens the /etc/sudoers file in the vi editor, but we can configure it to use the nano text editor instead. For that, we have to make sure nano is already installed, or we can install nano using:
yum install nano -y
Now, we can change it to use nano by adding the following line to the ~/.bashrc file:
export EDITOR=/usr/bin/nano
Then, source the file using:
. ~/.bashrc
Now, we can use visudo with nano to edit the /etc/sudoers file. So, let's open the /etc/sudoers file using visudo and learn a few things.
We can use different kinds of aliases for different sets of commands, software, services, users, groups, and so on. For example:
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
We can use these aliases to assign a set of command execution rights to a user or a group. For example, if we want to assign the NETWORKING set of commands to the group netadmin, we will define:
%netadmin ALL = NETWORKING
Otherwise, if we want to allow members of the wheel group to run all commands, we will do the following:
%wheel ALL=(ALL) ALL
If we want a specific user, john, to get access to all commands, we will do the following:
john ALL=(ALL) ALL
We can create different groups of users, with overlapping membership:
User_Alias GROUPONE = abby, brent, carl
User_Alias GROUPTWO = brent, doris, eric
User_Alias GROUPTHREE = doris, felicia, grant
These alias (group) names must start with a capital letter. We can then allow members of GROUPTWO to update the yum database, and to run all the other commands in the SOFTWARE alias defined earlier, by creating a rule like this:
GROUPTWO ALL = SOFTWARE
If we do not specify a user or group to run the command as, sudo defaults to the root user.
We can allow members of GROUPTHREE to shut down and reboot the machine by creating a command alias and using it in a rule for GROUPTHREE:
Cmnd_Alias POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
GROUPTHREE ALL = POWER
Here we create a command alias called POWER that contains the commands to power off and reboot the machine, and then allow the members of GROUPTHREE to execute these commands.
We can also create Runas aliases, which can replace the portion of the rule that specifies the user to execute the command as:
Runas_Alias WEB = www-data, apache
GROUPONE ALL = (WEB) ALL
This will allow anyone who is a member of GROUPONE to execute commands as the www-data user or the apache user.
Keep in mind that when two rules conflict, the later rule overrides the earlier one.
There are a number of ways to achieve more control over how sudo handles a command. Here are some examples:
The updatedb command associated with the mlocate package is relatively harmless. If we want to allow users to execute it with root privileges without having to type a password, we can make a rule like this:
GROUPONE ALL = NOPASSWD: /usr/bin/updatedb
NOPASSWD is a tag that means no password will be requested. It has a companion tag called PASSWD, which is the default behavior. A tag remains in effect for the rest of the rule unless overruled by its twin tag later on the line.
For instance, we can have a line like this:
GROUPTWO ALL = NOPASSWD: /usr/bin/updatedb, PASSWD: /bin/kill
In this case, a user can run the updatedb command as the root user without a password, but a password will be required for running the kill command. Another helpful tag is NOEXEC, which can be used to prevent some dangerous behavior in certain programs.
For example, some programs, such as less, can spawn other commands when the user types this from within their interface:
!command_to_run
This executes any command the user gives it with the same permissions that less is running under, which can be quite dangerous.
To restrict this, we could use a line like this:
username ALL = NOEXEC: /usr/bin/less
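The alias, Runas and tag rules described above, as an added worked example that is not part of the original text: a small Python resolver (constructed here, not sudo's own parser) that reads the subset of sudoers syntax used on this page and reports whether a user may run a command as a given target user and which tags are then in effect. The sample rules are the ones from this page; one extra constructed line at the end (brent ALL = PASSWD: /usr/bin/updatedb) shows that a later rule overrides an earlier one, and the wheel group membership (user admin) is an assumption.

```python
import re

# Constructed sample built from the rules on this page; the final line is an
# extra rule added to show that a later rule overrides an earlier one.
SAMPLE_SUDOERS = """
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
Cmnd_Alias POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot
User_Alias GROUPONE = abby, brent, carl
User_Alias GROUPTWO = brent, doris, eric
User_Alias GROUPTHREE = doris, felicia, grant
Runas_Alias WEB = www-data, apache
%wheel ALL = (ALL) ALL
GROUPTWO ALL = SOFTWARE
GROUPTHREE ALL = POWER
GROUPONE ALL = (WEB) ALL
GROUPONE ALL = NOPASSWD: /usr/bin/updatedb
GROUPTWO ALL = NOPASSWD: /usr/bin/updatedb, PASSWD: /bin/kill
brent ALL = NOEXEC: /usr/bin/less
brent ALL = PASSWD: /usr/bin/updatedb
"""

# Constructed (assumed) group membership; on a real host this comes from /etc/group.
SAMPLE_GROUPS = {"wheel": {"admin"}}

# Each tag and the twin that cancels it for the rest of the rule.
TWIN = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC", "EXEC": "NOEXEC"}


def expand_users(who, user_aliases, groups):
    """Resolve a rule's user field (User_Alias, %group or login) to login names."""
    if who in user_aliases:
        return set(user_aliases[who])
    if who.startswith("%"):
        return set(groups.get(who[1:], ()))
    return {who}


def parse_spec(spec, cmnd_aliases, runas_aliases):
    """Turn the right-hand side of a rule into (runas, command, tags) entries."""
    runas = frozenset({"root"})   # no (runas) part: sudo defaults to root
    m = re.match(r"\(([\w-]+)\)\s*(.*)", spec)
    if m:
        target, spec = m.groups()
        runas = frozenset(runas_aliases.get(target, [target]))
    entries, tags = [], set()
    for item in spec.split(","):
        item = item.strip()
        # A tag stays in effect for the rest of the rule until its twin flips it.
        while ":" in item:
            tag, item = (part.strip() for part in item.split(":", 1))
            if tag not in TWIN:
                raise ValueError(f"unknown tag {tag!r}")
            tags.discard(TWIN[tag])
            tags.add(tag)
        for cmd in cmnd_aliases.get(item, [item]):   # expand Cmnd_Alias names
            entries.append((runas, cmd, frozenset(tags)))
    return entries


def parse(text, groups):
    """Return the rules in file order as (set_of_users, [entry, ...]) pairs."""
    aliases = {"User": {}, "Cmnd": {}, "Runas": {}}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(User|Cmnd|Runas)_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = [x.strip() for x in members.split(",") if x.strip()]
            continue
        m = re.match(r"(\S+)\s+([^=\s]+)\s*=\s*(.*)", line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        who, _host, spec = m.groups()   # host field ignored: this page only uses ALL
        rules.append((expand_users(who, aliases["User"], groups),
                      parse_spec(spec, aliases["Cmnd"], aliases["Runas"])))
    return rules


def check(rules, user, command, as_user="root"):
    """Tags in effect if `user` may run `command` as `as_user`, else None.
    The last matching entry wins: later rules override earlier ones."""
    result = None
    for users, entries in rules:
        if user not in users:
            continue
        for runas, cmd, tags in entries:
            if cmd in ("ALL", command) and ("ALL" in runas or as_user in runas):
                result = set(tags)
    return result


def unrestricted_nopasswd(rules):
    """Review helper: users granted ALL commands without any password prompt."""
    return sorted({u for users, entries in rules for _, cmd, tags in entries
                   if cmd == "ALL" and "NOPASSWD" in tags for u in users})


if __name__ == "__main__":
    rules = parse(SAMPLE_SUDOERS, SAMPLE_GROUPS)
    print(check(rules, "brent", "/usr/bin/updatedb"), unrestricted_nopasswd(rules))
```

The real sudoers grammar is much richer (host lists, nested aliases, Defaults lines, negation with !, wildcards), and this resolver only models the features discussed above. Running check for brent against /usr/bin/updatedb returns {"PASSWD"} rather than {"NOPASSWD"}, because the final rule for brent overrides the two earlier group rules; abby, who is only covered by the GROUPONE rule, still gets {"NOPASSWD"}. unrestricted_nopasswd is the kind of review you want before deploying a sudoers file: any user it lists can run every command as root without being prompted.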
You should now have a clear understanding of what sudo is and how we modify and grant access rights using visudo. There is much more to it: you can check the default /etc/sudoers file, which contains a good number of examples, using the visudo command, or you can read the sudoers manual as well.
One point to remember is that root privileges are not often given to regular users. It is important to understand what these commands do when they are executed with root privileges. Do not take the responsibility lightly. Learn the best way to use these tools for your use case, and lock down any functionality that is not needed.