Separation of user privileges is one of the main features in Linux operating systems. Normal users operate in limited privilege sessions to limit the scope of their influence on the entire system. One special user exists on Linux that we know already is root, which has super-user privileges. This account doesn't have any restrictions that are present to normal users. Users can execute commands with super-user or root privileges in a number of different ways.
The sudo is modified or implemented using the /etc/sudoers file, and visudo is the command that enables us to edit the file.
Note
Note: This file should not be edited using a normal text editor to avoid potential race conditions in updating the file with other processes. Instead, the visudo command should be used.
The visudo command opens a text editor normally, but then validates the syntax of the file upon saving. This prevents configuration errors from blocking sudo operations.
By default, visudo opens the /etc/sudoers file in vi editor, but we can configure it to use the nano text editor instead. For that, we have to make sure nano is already installed or we can install nano
using:
Now, we can change it to use nano by editing the ~/.bashrc file:
Then, source the file using:
Now, we can use visudo with nano to edit the /etc/sudoers file. So, let's open the /etc/sudoers file using visudo and learn a few things.
We can use different kinds of aliases for different sets of commands, software, services, users, groups, and so on. For example:
We can use these aliases to assign a set of command execution rights to a user or a group. For example, if we want to assign the NETWORKING set of commands to the group netadmin we will define:
Otherwise, if we want to allow the wheel group users to run all the commands, we will do the following:
If we want a specific user, john, to get access to all commands, we will do the following:
We can create different groups of users, with overlapping membership:
Group names must start with a capital letter. We can then allow members of GROUPTWO to update the yum database and all the commands assigned to the preceding software by creating a rule like this:
If we do not specify a user/group to run, sudo defaults to the root user.
We can allow members of GROUPTHREE to shut down and reboot the machine by creating a command alias and using that in a rule for GROUPTHREE:
We create a command alias called POWER that contains commands to power off and reboot the machine. We then allow the members of GROUPTHREE to execute these commands.
We can also create Runas aliases, which can replace the portion of the rule that specifies to the user to execute the command as:
This will allow anyone who is a member of GROUPONE to execute commands as the www-data user or the apache user.
Just keep in mind that later, rules will override previous rules when there is a conflict between the two.
There are a number of ways that you can achieve more control over how sudo handles a command. Here are some examples:
The updatedb command associated with the mlocate package is relatively harmless. If we want to allow users to execute it with root privileges without having to type a password, we can make a rule like this:
NOPASSWD is a tag that means no password will be requested. It has a companion command called PASSWD, which is the default behavior. A tag is relevant for the rest of the rule unless overruled by its twin tag later down the line.
For instance, we can have a line like this:
In this case, a user can run the updatedb command without a password as the root user, but entering the root password will be required for running the kill command. Another helpful tag is NOEXEC, which can be used to prevent some dangerous behavior in certain programs.
For example, some programs, such as less, can spawn other commands by typing this from within their interface:
This basically executes any command the user gives it with the same permissions that less is running under, which can be quite dangerous.
To restrict this, we could use a line like this:
You should now have clear understanding of what sudo is and how we modify and provide access rights using visudo. There are many more things left here. You can check the default /etc/sudoers file, which has a good number of examples, using the visudo command, or you can read the sudoers manual as well.
One point to remember is that root privileges are not given to regular users often. It is important for us to understand what these commands do when you execute with root privileges. Do not take the responsibility lightly. Learn the best way to use these tools for your use case, and lock down any functionality that is not needed.