Originally Published: Thursday, 29 June 2000 Author: Kapil Sharma
Published to: enchance_articles_security/Advanced Security Articles Page: 1/1 - [Printable]

Delegating Limited Superuser Access with Sudo

In this article, Kapil Sharma explains how a system administrator can share the root authority by using sudo to allow selected users to execute specified commands as root.

   Page 1 of 1  

As your network grows, so will your range of responsibilities. At some stage, a system administrator may want to delegate limited responsibilities to other users. Sudo is a special package for this purpose. Instead of giving your root password to other users or changing numerous programs as set uid root (to run as the root user), you can use sudo (which stands for "superuser do") to allow them to run certain commands as the super user (or as another user). Sudo allows you to strictly limit which users can invoke it and what command they can execute.

All the settings for sudo have to be specified in the file /etc/sudoers. Users enter sudo mode by issuing this command:

$sudo [command]

Sudo then demands a password and it checks the configuration file (/etc/sudoers) to make sure you have "sudo" permission to run that command on that particular machine. If the user provides the correct password and has access to execute that command, then the command will be executed. Otherwise, sudo logs the access attempt. Once you are authenticated by sudo, you can use execute multiple commands without being prompted for your password again. This "ticket" will expire five minutes after the last time you use the sudo command.

Features of Sudo

Some of the features of sudo include:

  • Sudo has the ability to restrict what commands a user may run on a per-host basis.
  • Sudo can log each command, providing a clear audit trail of who did what. When used in tandem with syslogd, the system log daemon, sudo can log all commands to a central host (as well as on the local host).
  • Sudo uses timestamp files to implement a "ticketing" system. When a user invokes sudo and enters their password, they are granted a ticket for 5 minutes (this time-out is configurable at compile-time). Each subsequent sudo command updates the ticket for another 5 minutes. This avoids the problem of leaving a root shell where others can physically get to your keyboard.
  • Sudo's configuration file, the sudoers file, is setup in such a way that the same sudoers file may be used on many machines. This allows for central administration while keeping the flexibility to define a user's privileges on a per-host basis.
Structure of /etc/sudoers

/etc/sudoers is structured in sections:

  • commands that sudo users can run;
  • host aliases including hosts, netgroups, IP addresses, and networks (if any);
  • user aliases (if any); and
  • user specifications, including host types, host IPs, the authorized users list, and what user he runs as (typically root).
Sudoers is a security-oriented file, much like /etc/passwd. You should always use the tool "visudo" which comes along with sudo distribution. Visudo closely resembles vipw. Its purpose is to provide you with safe, clean means of editing /etc/sudoers. Visudo locks /etc/sudoers while editing and scans for syntax errors and will not allow you to commit errors.

Sample /etc/sudoers File

# Sample /etc/sudoers file. # # This file MUST be edited with the 'visudo' command as root. # # See the sudoers man page for the details on how to write a sudoers file. # All the command paths listed are related to Redhat Linux ## # User alias specification ## User_Alias FULLTIMERS = [ comma-delimited list of users ] User_Alias PARTTIMERS = [ comma-delimited list of users ] ## # Runas alias specification ## Runas_Alias OP = root, operator ## # Host alias specification ## Host_Alias CUNETS = [ comma-delimited list of host IPs ] Host_Alias CSNETS = [ comma-delimited list of host IPs ] ## # Cmnd alias specification ## Cmnd_Alias KILL = /usr/bin/killall Cmnd_Alias SHUTDOWN = /sbin/shutdown Cmnd_Alias HALT = /sbin/halt Cmnd_Alias REBOOT = /sbin/reboot Cmnd_Alias SHELLS = /bin/sh, /bin/csh Cmnd_Alias SU = /bin/su Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn ## # User specification ## # root and users in group wheel can run anything on any machine as any user root ALL = (ALL) ALL %wheel ALL = (ALL) ALL # full time sysadmins can run anything on any machine without a password FULLTIMERS ALL = NOPASSWD: ALL # kapil may run all the commands under VIPW on machines in CSNETS kapil CSNETS = VIPW # jerry may run any command on any host in CUNETS Jerry CUNETS = ALL

In A Nutshell

"Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis, it is not a replacement for the shell."

More Information

Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux systems for more than 2 years. He runs a Web site at http://www.linux4biz.net.

   Page 1 of 1