
Sudoers

Here I will collect helpful information about the "sudoers" file.

User interaction

See which commands you may run (and as which user)          sudo -l
Check if you may run a specific command                     sudo -l /usr/bin/top
                                                            (exit status 0 if permitted, 1 if not)
Run a command as root                                       sudo command
Run a command as another user                               sudo -u user command
With privilege, see which commands another user may run     sudo -U user -l

Sudoers File Format

The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what).

When multiple entries match a request they are evaluated in order and the last match is used, which is not necessarily the most specific match. Order therefore matters: a later, broader entry (for example one carrying the NOPASSWD tag) silently overrides an earlier, narrower one for the commands both cover.

 Aliases
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.

Alias ::= 'User_Alias'  User_Alias  (':' User_Alias)*  |
          'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
          'Host_Alias'  Host_Alias  (':' Host_Alias)*  |
          'Cmnd_Alias'  Cmnd_Alias  (':' Cmnd_Alias)*

 

User aliases

User_Alias entries must reference users and groups of users only.

Each "level" of User_Alias must include all of the "lower" levels of access for that group ("lower" in terms of access, not necessarily numerically).

UNIX groups defined in LDAP must be used rather than listing individual users. Listing individual users is allowed for special system users only. On rare occasions a subgroup of users that needs to perform a certain role may be defined.

The following rules apply to each User_Alias definition.

Alias name:

  • Must begin with a CAPITAL letter.
  • May contain CAPITAL letters, numbers, and underscores (_) only.

Alias definition:

  • May be a user: john
  • May be a group (preceded by %): %superadmins
  • May be another User_Alias: ADMINS
  • May be a combination of any of the above, comma-separated: ADMINS, %superadmins, bill, bob, john
  • May use negation with !: %superadmins, bill, bob, !ADMINS, !john

 
Host aliases

The following rules apply to each Host_Alias definition.

Alias name:

  • Must begin with a CAPITAL letter.
  • May contain CAPITAL letters, numbers, and underscores (_) only.

Alias definition:

  • May be a machine name as returned by the command hostname.
  • May be an IP address or a CIDR block, matched against the addresses of the machine's real network interfaces (loopback excluded): 10.24.0.5 or 10.24.0.0/30
  • May be another Host_Alias: SAO
  • May be a glob: dns*, ns?, host9[0-7]
  • May be a combination of any of the above, comma-separated: SAO, server1, www9[0-7], samson, 10.24.0.0/30, 10.24.0.5
  • May use negation with !: SAO, server1, www9[0-7], !samson, !10.24.0.0/30, !10.24.0.5
 


Runas aliases

The following rules apply to each Runas_Alias definition.

Alias name:

  • Must begin with a CAPITAL letter.
  • May contain CAPITAL letters, numbers, and underscores (_) only.

Alias definition (the parentheses shown below belong to the user specification where the Runas list is used; on the Runas_Alias line itself the list is written without them):

  • Is another valid user on the system: (oracle)
  • May specify a group instead, preceded by a colon: (:dba)
  • May be a combination of users and groups; the user list and the group list are separated by a colon, and the items within each list are comma-separated: (oracle, postgres, mysql : dba)
  • May use negation with !: (oracle, postgres, !mysql : dba)

Command aliases

Each command should have its own Cmnd_Alias before being included in a Cmnd_Alias that is a list. This avoids re-creating near-identical Cmnd_Aliases for slightly different needs.

Inherit from and build upon existing Cmnd_Aliases when possible.

The following rules apply to each Cmnd_Alias definition.

Alias name:

  • Must begin with a CAPITAL letter.
  • May contain CAPITAL letters, numbers, and underscores (_) only.

Alias definition:

  • Must use the full path of the command: /usr/bin/top
  • May be another Cmnd_Alias: TOP
  • May be a glob. Wildcards in a path do not match "/": "/usr/bin/*" will not match "/usr/bin/X11/*", so these must be listed separately. Be aware that "/usr/bin/*" also permits every editor, pager and interpreter in that directory, most of which offer a shell escape.
  • May include arguments after the path. Wildcards in arguments are matched against the whole argument string as a unit, so "/bin/cat /var/log/*" also permits "/bin/cat /var/log/messages /etc/shadow". List argument values explicitly where it matters.
  • May be a combination of any of the above, comma-separated: TOP, /bin/cat, /usr/bin/*
  • Should not use negation! A negated command ("ALL, !/bin/sh") is not a security boundary: the user can copy the forbidden binary to another path, or reach it through any permitted command that can spawn a shell.

 

Real world example

Users "user1" and "user2" need to run the command "/usr/sbin/acdc" with the arguments "start", "stop" and "running", as the user "root", on hosts whose names match "dns*".

This request translates to the sudo rule (one entry per permitted argument):

user1,user2 dnsdelta,dnsnovember,dnssierra = (root) /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running

If the users requesting access are all in the system group "dnsadmins", the rule can be written more briefly:

%dnsadmins dns* = (root) /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running

If the group "dnsadmins" doesn't exist, an alias can be defined within sudoers instead:

User_Alias DNSADMINS = user1, user2
DNSADMINS dns* = (root) /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running

Perhaps our DNS servers aren't all as nicely named as dns*; a host alias covers the odd one out:

Host_Alias DNSSERVERS = dns*, strangehostnamedns
DNSADMINS DNSSERVERS = (root) /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running

We can also alias the commands:

Cmnd_Alias ACDC_STOPSTART = /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running
DNSADMINS DNSSERVERS = (root) ACDC_STOPSTART

Which takes us to the final ruleset:

# Aliases
User_Alias DNSADMINS = user1, user2
Host_Alias DNSSERVERS = dns*, strangehostnamedns
Cmnd_Alias ACDC_STOPSTART = /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running
# Commands
# USERS HOSTS = (RUNAS) COMMANDS
DNSADMINS DNSSERVERS = (root) ACDC_STOPSTART

Listing the three argument values explicitly is deliberate: sudoers matches arguments against the whole argument string, so a wildcard such as "/usr/sbin/acdc *" would also permit any extra arguments. On sudo 1.9.10 and newer the three entries can be collapsed into a single regular expression, which must begin with "^" and end with "$":

Cmnd_Alias ACDC_STOPSTART = /usr/sbin/acdc ^(start|stop|running)$

The notation "/usr/sbin/acdc (start)? (stop)? (running)?" is not regular-expression syntax in sudoers: there "?" is a single-character wildcard and the parentheses are literal, so that entry would never match "acdc start". Always check an edited file with "visudo -c" before relying on it, and confirm the result with "sudo -l" as one of the affected users.
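To see how the matching rules described on this page play out on a ruleset like the one above, here is a small sudoers matcher written for this page as an added example; it is not code from the sudo project or from this blog. It models the four alias kinds, hostname globs and CIDR blocks, comma-separated lists with "!" negation, the NOPASSWD/PASSWD tags, the "last match wins" rule, the rule that wildcards in a command path never match "/", the fact that wildcards in arguments are matched against the whole argument string, the "^...$" regular-expression argument form of sudo 1.9.10 and newer, and why a negated command is not a barrier. The SAMPLE ruleset, the host names and the users user3, alice (in group ops) and carol are constructed for the example; the parser deliberately ignores Defaults lines, the ":group" part of Runas lists, tags other than NOPASSWD/PASSWD and include directives, and it is no substitute for visudo -c or sudo -l.

```python
import fnmatch
import ipaddress
import re

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

SAMPLE = """\
# Constructed sample ruleset for this example (not a real site's sudoers file).
User_Alias DNSADMINS = user1, user2
Host_Alias DNSSERVERS = dns*, strangehostnamedns, 10.24.0.0/30
Cmnd_Alias ACDC_STOPSTART = /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running
Cmnd_Alias ACDC_RE = /usr/sbin/acdc ^(start|stop|running)$
DNSADMINS DNSSERVERS = (root) ACDC_STOPSTART
user3 DNSSERVERS = (root) ACDC_RE
%ops ALL = (root) NOPASSWD: /bin/cat /var/log/*, PASSWD: /usr/bin/top
carol ALL = (root) NOPASSWD: ALL
carol ALL = (root) PASSWD: /usr/bin/top, !/usr/bin/vim
"""

def split_list(text):
    """Split a comma-separated sudoers list, dropping surrounding whitespace."""
    return [item.strip() for item in text.split(",") if item.strip()]

def path_match(pattern, value):
    """fnmatch with FNM_PATHNAME semantics: wildcards in a path or hostname never match '/'."""
    pp, vp = pattern.split("/"), value.split("/")
    return len(pp) == len(vp) and all(fnmatch.fnmatchcase(v, p) for p, v in zip(pp, vp))

class Sudoers:
    # USERS HOSTS = [(RUNAS)] [TAG:] CMND, [TAG:] CMND ...  (no spaces inside USERS or HOSTS)
    SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")

    def __init__(self, text):
        self.aliases = {kind: {} for kind in ALIAS_KINDS}
        self.specs = []  # kept in file order because the last match wins
        for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
            kind = line.split(None, 1)[0]
            if kind in ALIAS_KINDS:
                name, body = line[len(kind):].split("=", 1)
                self.aliases[kind][name.strip()] = split_list(body)
                continue
            m = self.SPEC.match(line)
            if not m: raise ValueError("unsupported sudoers line: " + line)
            users, hosts, runas, cmnds = m.groups()
            entries, tag = [], "PASSWD"  # a tag applies to every later command on the line
            for cmnd in split_list(cmnds):
                if cmnd.startswith(("NOPASSWD:", "PASSWD:")):
                    tag, cmnd = (s.strip() for s in cmnd.split(":", 1))
                entries.append((tag, cmnd))
            self.specs.append((split_list(users), split_list(hosts),
                               split_list((runas or "root").split(":")[0]),  # ':group' part ignored
                               entries))

    def _matches(self, items, kind, pred):
        """Evaluate a sudoers list: the LAST matching item decides ('!item' gives False); None if no match."""
        result = None
        for item in items:
            negated, name = item.startswith("!"), item.lstrip("!")
            alias = self.aliases[kind].get(name)
            hit = self._matches(alias, kind, pred) is True if alias else name == "ALL" or pred(name)
            if hit:
                result = not negated
        return result

    def check(self, user, groups, host, ips, runas, cmnd):
        """Return 'PASSWD', 'NOPASSWD' or None (not permitted) for one request."""
        path, args = (cmnd.split(None, 1) + [""])[:2]
        def user_ok(name):
            return name == user or (name.startswith("%") and name[1:] in groups)
        def host_ok(name):
            try:  # an address or CIDR block matches any of the host's interface addresses
                net = ipaddress.ip_network(name, strict=False)
            except ValueError:  # otherwise the entry is a hostname glob
                return path_match(name, host)
            return any(ipaddress.ip_address(ip) in net for ip in ips)
        def cmnd_ok(name):
            parts = name.split(None, 1)
            if not path_match(parts[0], path):
                return False
            if len(parts) == 1:  # no arguments in sudoers: any arguments are allowed
                return True
            if parts[1].startswith("^") and parts[1].endswith("$"):  # regex form, sudo >= 1.9.10
                return re.match(parts[1], args) is not None
            # Wildcard arguments match the WHOLE argument string: '/var/log/*' also matches 'syslog /etc/shadow'.
            return fnmatch.fnmatchcase(args, parts[1])
        verdict = None
        for users, hosts, runas_list, entries in self.specs:
            if not (self._matches(users, "User_Alias", user_ok)
                    and self._matches(hosts, "Host_Alias", host_ok)
                    and self._matches(runas_list, "Runas_Alias", lambda n: n == runas)):
                continue
            for tag, entry in entries:
                hit = self._matches([entry], "Cmnd_Alias", cmnd_ok)
                if hit is True:
                    verdict = tag
                elif hit is False:  # '!cmnd' matched: denied here, but the same binary
                    verdict = None  # copied to another path is not caught by the negation
        return verdict
```

With the SAMPLE ruleset, check("user1", [], "dnsdelta", [], "root", "/usr/sbin/acdc start") returns "PASSWD" while "/usr/sbin/acdc restart" returns None, and a host called "web1" is still matched through the 10.24.0.0/30 block when its interface address is 10.24.0.2. The two carol lines show the pitfalls from the command section: "/usr/bin/vim" is refused because the later, negated entry is the last match, but "/tmp/vim" (a copy of the same binary) still runs NOPASSWD, and alice in group ops may run "/bin/cat /var/log/syslog /etc/shadow" because "/var/log/*" is matched against the whole argument string.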

Hi   In this post i will show how to  install Cisco AnyConnect on Ubuntu 19.10. First download soft from below link or from cisco.com site https://ftp.tugraz.at/tu-graz/vpn/ Once archive file  downloaded, extract it:     $ tar xvf anyconnect-predeploy-linux-64-3.1.14018-k9.tar.gz cd extracted folder:     $ cd anyconnect-3.1.14018/vpn/ install  Cisco AnyConnect using this command:     $ sudo ./vpn_install.sh After installing you can open application. If application not opening. You have to install libpangox-1.0-0 to solve problem:     $ sudo apt-get install libpangox-1.0-0 That's all.