Originally Published: Thursday, 29 June 2000 Author: Kapil Sharma
Published to: Advanced Security Articles

Delegating Limited Superuser Access with Sudo

In this article, Kapil Sharma explains how a system administrator can share the root authority by using sudo to allow selected users to execute specified commands as root.

As your network grows, so will your range of responsibilities. At some stage, a system administrator may want to delegate limited responsibilities to other users. Sudo is a package designed for exactly this purpose. Instead of giving your root password to other users, or making numerous programs set-uid root (so that they run as the root user), you can use sudo (which stands for "superuser do") to allow them to run certain commands as the superuser (or as another user). Sudo allows you to strictly limit which users can invoke it and which commands they can execute.

All the settings for sudo have to be specified in the file /etc/sudoers. Users enter sudo mode by issuing this command:

$ sudo [command]

Sudo then prompts for a password and checks the configuration file (/etc/sudoers) to make sure you have permission to run that command on that particular machine. If the user provides the correct password and is allowed to execute that command, the command is executed. Otherwise, sudo logs the access attempt. Once you have been authenticated by sudo, you can execute multiple commands without being prompted for your password again. This "ticket" expires five minutes after the last time you use the sudo command.

Features of Sudo

Some of the features of sudo include:

Structure of /etc/sudoers

/etc/sudoers is structured in sections:

Sudoers is a security-critical file, much like /etc/passwd. You should always edit it with the tool "visudo", which comes with the sudo distribution. Visudo closely resembles vipw. Its purpose is to provide you with a safe, clean means of editing /etc/sudoers. Visudo locks /etc/sudoers while you edit it, scans the result for syntax errors, and will not let you save a file that contains them.

Sample /etc/sudoers File

# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
# All the command paths listed are related to Redhat Linux

##
# User alias specification
##
User_Alias FULLTIMERS = [ comma-delimited list of users ]
User_Alias PARTTIMERS = [ comma-delimited list of users ]

##
# Runas alias specification
##
Runas_Alias OP = root, operator

##
# Host alias specification
##
Host_Alias CUNETS = [ comma-delimited list of host IPs ]
Host_Alias CSNETS = [ comma-delimited list of host IPs ]

##
# Cmnd alias specification
##
Cmnd_Alias KILL = /usr/bin/killall
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias HALT = /sbin/halt
Cmnd_Alias REBOOT = /sbin/reboot
Cmnd_Alias SHELLS = /bin/sh, /bin/csh
Cmnd_Alias SU = /bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn

##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL

# kapil may run all the commands under VIPW on machines in CSNETS
kapil CSNETS = VIPW

# jerry may run any command on any host in CUNETS
jerry CUNETS = ALL
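To make the permission check described above concrete, here is a small evaluator, added for this article and not part of sudo, that resolves the sample file's aliases and decides whether a given user may run a given command on a given host, and whether a password is required. The users and host addresses are constructed stand-ins for the bracketed placeholders, and only the syntax used in the sample is supported (no %group entries, wildcards, negation or argument matching).

```python
import re
# Constructed excerpt mirroring the article's sample, with made-up users and hosts in
# place of the bracketed placeholders; %wheel and Runas aliases are omitted for brevity.
SUDOERS = """
User_Alias FULLTIMERS = alice, bob
Host_Alias CUNETS = 10.1.0.5, 10.1.0.6
Host_Alias CSNETS = 10.2.0.7
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn
root ALL = (ALL) ALL
FULLTIMERS ALL = NOPASSWD: ALL
kapil CSNETS = VIPW
jerry CUNETS = ALL
"""
# user host = [(runas)] [NOPASSWD:] cmd, cmd, ...
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(NOPASSWD:\s*)?(.+)$")

def parse(text):
    """Return (alias tables, rules) for the sudoers subset used here."""
    aliases = {"User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        kind = line.split()[0]
        if kind in aliases:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = {m.strip() for m in members.split(",")}
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line}")
        user, host, runas, nopasswd, cmds = m.groups()
        rules.append((user, host, runas or "root", bool(nopasswd),
                      {c.strip() for c in cmds.split(",")}))
    return aliases, rules

def _matches(spec, value, alias_table):
    # ALL matches anything; otherwise spec is a literal value or an alias name
    return spec == "ALL" or spec == value or value in alias_table.get(spec, set())

def check(sudoers, user, host, command):
    """Return (allowed, password_needed); as in sudo, the last matching rule wins."""
    aliases, rules = parse(sudoers)
    verdict = (False, True)  # nothing matched: denied, and sudo would log the attempt
    for u, h, _runas, nopasswd, cmds in rules:
        if (_matches(u, user, aliases["User_Alias"])
                and _matches(h, host, aliases["Host_Alias"])
                and any(_matches(c, command, aliases["Cmnd_Alias"]) for c in cmds)):
            verdict = (True, not nopasswd)
    return verdict
```

With this file, kapil running /usr/bin/passwd on 10.2.0.7 is allowed with a password, the same command on a CUNETS host is refused, and alice (a FULLTIMER) runs anything anywhere without a password.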

In A Nutshell

"Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis; it is not a replacement for the shell."

More Information

Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux systems for more than 2 years. He runs a Web site at http://www.linux4biz.net.