KrnlPanic's Linux Notes and Tips

Working with Linux since kernel version 2.0.30

Understanding the sudo command

Sudo discourages the use of su; in fact, sudo makes the perfect replacement for it. What sudo does is grant restricted access to specific commands, run as other users. For instance, if you were a web administrator on a system and were responsible for maintaining the web site, you might have to restart the web server occasionally. Previously you would have needed root access to do this. With sudo, the real root user can allow you to restart the web server, as root, without giving you the root password or general root access on the system.

Many distributions come with the sudo package, but in case they don’t, you can obtain a copy of sudo from http://www.courtesan.com/sudo.
To configure sudo, use the visudo command. It is a wrapper around your editor that syntax-checks the main configuration file, /etc/sudoers. By default it uses the vi editor to edit the file, but you can easily change this by setting your shell’s EDITOR variable. From the command line, execute:

# visudo

By default, you should have something like this in your sudoers file:

root ALL=(ALL) ALL

This tells sudo to allow root to execute all commands, as root, on all hosts. But of course, root can do all of this anyway. So let’s get more specific and assume that user “Joe” is a web master and must have access to configure the network and start/stop the web server. We could do this by putting in our file:

joe myhost.com = /sbin/ifconfig, /etc/rc.d/init.d/httpd

This allows the user Joe, on the machine myhost.com, to execute /sbin/ifconfig and /etc/rc.d/init.d/httpd as root. To make use of this, Joe would execute the following to restart the web server:

$ sudo /etc/rc.d/init.d/httpd restart

Joe will be asked for his password (not root’s!), and if he enters his password correctly, the command “/etc/rc.d/init.d/httpd restart” will be executed as root.
You can also execute commands as users other than root. For instance, if you wanted Joe to execute the command “somecommand” as the user “admin”, you could use:

joe myhost.com = (admin) /usr/bin/somecommand, (root) /sbin/ifconfig

This tells sudo that Joe can run /usr/bin/somecommand as the admin user, and /sbin/ifconfig as root. Since, by default, sudo tries to execute commands as root, Joe will have to use sudo a little differently to execute somecommand:

$ sudo -u admin /usr/bin/somecommand

This tells sudo to run somecommand as the admin user. To list the commands you may run on the current host, use sudo with the “-l” option:

$ sudo -l
Password:
User joe may run the following commands on this host:
(admin) /usr/bin/somecommand
(root) /sbin/ifconfig

You can also configure sudo not to ask for a password for particular commands. This is done with the NOPASSWD tag, like this:

joe myhost.com = NOPASSWD: /sbin/ifconfig, /etc/rc.d/init.d/httpd

This tells sudo to allow Joe to execute the commands /sbin/ifconfig and /etc/rc.d/init.d/httpd without having to enter his password.
You can also define aliases for commands. There are three types of aliases you can use: User, Command, and Host. Let’s look at each. To define a user alias you would place in your sudoers file something like this:

User_Alias WEBMASTERS = joe, bob

This defines an alias named WEBMASTERS containing both Joe and Bob, so you could then write:

WEBMASTERS ALL = /etc/rc.d/init.d/httpd

This tells sudo that users Joe and Bob can execute /etc/rc.d/init.d/httpd on any host that uses this sudoers file.
A command alias may look like this:

Cmnd_Alias WEBTOOLS = /etc/rc.d/init.d/httpd, /sbin/ifconfig

Now you could change the previous WEBMASTERS definition to look like this:

WEBMASTERS ALL = WEBTOOLS

This tells sudo that all users in the alias WEBMASTERS (Joe and Bob) can run the programs defined by the WEBTOOLS command alias on any host.
Finally, you could define a Host alias as well:

Host_Alias WEBSITES = srv1.myhost.com, srv2.myhost.com, www.myhost.com

Then you can narrow access even further with:

WEBMASTERS WEBSITES = WEBTOOLS

This tells sudo to allow Joe and Bob access to the programs in the WEBTOOLS alias on the machines in the WEBSITES alias, which are srv1.myhost.com, srv2.myhost.com, and www.myhost.com.
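To make concrete how the user specifications, the (runas) spec and NOPASSWD tag from the earlier sections, and the three alias types combine, here is a small Python resolver. It is an added example, not code from sudo or from these notes. It parses User_Alias, Host_Alias and Cmnd_Alias lines plus user specifications of the form shown on this page, and answers the question that sudo -l answers: which commands a given user may run on a given host, as which target user, and whether a password is required. The sample sudoers text is constructed from the entries above. Hostnames are matched as plain strings; netgroups, wildcards, command arguments, negation, Runas_Alias and Defaults lines are not modelled.

```python
"""Toy sudoers resolver (added example, not part of sudo). Understands
User_Alias / Host_Alias / Cmnd_Alias and user specifications of the form
    user_or_alias host_or_alias = [(runas)] [NOPASSWD:|PASSWD:] cmd, ...
Hosts are matched as plain strings; wildcards, netgroups, arguments,
negation, Runas_Alias and Defaults are out of scope."""
import re

ALIAS_KINDS = ("User_Alias", "Host_Alias", "Cmnd_Alias")
RUNAS_RE = re.compile(r"\(([^)]*)\)\s*(.*)")


def parse_cmds(cmd_list):
    """Split a command list into (runas, nopasswd, command) tuples.
    As in sudoers, a (runas) spec or a NOPASSWD:/PASSWD: tag applies to the
    command it precedes and to every later command in the same list until
    overridden; the default target user is root."""
    entries, runas, nopasswd = [], "root", False
    for item in cmd_list.split(","):
        item = item.strip()
        m = RUNAS_RE.match(item)
        if m:
            runas, item = m.group(1).strip(), m.group(2).strip()
        if item.startswith("NOPASSWD:"):
            nopasswd, item = True, item[len("NOPASSWD:"):].strip()
        elif item.startswith("PASSWD:"):
            nopasswd, item = False, item[len("PASSWD:"):].strip()
        entries.append((runas, nopasswd, item))
    return entries


def parse_sudoers(text):
    """Return ({alias_kind: {name: [members]}}, [(users, hosts, cmds)])."""
    aliases = {kind: {} for kind in ALIAS_KINDS}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        kind = line.split(None, 1)[0]
        lhs, rhs = line.split("=", 1)
        if kind in ALIAS_KINDS:
            aliases[kind][lhs[len(kind):].strip()] = [m.strip() for m in rhs.split(",")]
        else:
            users, hosts = lhs.rsplit(None, 1)   # e.g. "joe, bob myhost.com"
            specs.append((users, hosts, parse_cmds(rhs)))
    return aliases, specs


def expand(name, table):
    """Recursively expand an alias into leaf members; non-aliases (and ALL) map to themselves."""
    if name not in table:
        return [name]
    return [leaf for member in table[name] for leaf in expand(member, table)]


def expand_list(csv, table):
    return [leaf for name in csv.split(",") for leaf in expand(name.strip(), table)]


def permitted(text, user, host):
    """List (runas, nopasswd, command) tuples that user may run on host."""
    aliases, specs = parse_sudoers(text)
    result = []
    for users, hosts, cmds in specs:
        who = expand_list(users, aliases["User_Alias"])
        where = expand_list(hosts, aliases["Host_Alias"])
        if "ALL" not in who and user not in who:
            continue
        if "ALL" not in where and host not in where:
            continue
        for runas, nopasswd, cmd in cmds:
            for leaf in expand(cmd, aliases["Cmnd_Alias"]):
                result.append((runas, nopasswd, leaf))
    return result


def format_list(text, user, host):
    """Render the result in the style of `sudo -l` output."""
    lines = [f"User {user} may run the following commands on {host}:"]
    for runas, nopasswd, cmd in permitted(text, user, host):
        lines.append(f"    ({runas}) {'NOPASSWD: ' if nopasswd else ''}{cmd}")
    return "\n".join(lines)


# Constructed sample assembling the entries discussed above into one file.
SAMPLE_SUDOERS = """\
User_Alias WEBMASTERS = joe, bob
Cmnd_Alias WEBTOOLS = /etc/rc.d/init.d/httpd, /sbin/ifconfig
Host_Alias WEBSITES = srv1.myhost.com, srv2.myhost.com, www.myhost.com

root ALL=(ALL) ALL
WEBMASTERS WEBSITES = WEBTOOLS
joe myhost.com = (admin) /usr/bin/somecommand, (root) NOPASSWD: /sbin/ifconfig
"""

if __name__ == "__main__":
    for user, host in (("joe", "myhost.com"), ("bob", "www.myhost.com"), ("bob", "myhost.com")):
        print(format_list(SAMPLE_SUDOERS, user, host), end="\n\n")
```

Running it prints a sudo -l style listing for Joe and Bob on each host: Bob gets the WEBTOOLS commands only on the WEBSITES machines, while Joe on myhost.com gets somecommand as admin and ifconfig as root without a password. On a real system, sudo -l and visudo -c remain the authoritative checks, and keep in mind that an entry naming a command without arguments, as every entry on this page does, permits that command with any arguments.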

More than you ever wanted to know about sudo configuration is available at http://www.courtesan.com/sudo/man/sudoers.html.

Enjoy!

Krnl