2007-11-25

Sysadmin Sunday: A slightly more advanced intro to SUDO

Sudo is a neat utility which allows a computer to be administrated with out passing around the root password.

This article is meant for folks who are a step beyond the "Linux flavor of the week syndrome" and are needing to delegate responsibilities to other people with out letting the cat out of the bag. This document does not cover user and group restrictions only the run as super user aspect is covered.

1. Introduction
2. Basic demonstration
3. Configuration
4. Administrator Sluggo says ...
5. Informative resources
===========================================================
1 - Introduction
So here we are, we got a pile of people to take care of stuff for you but we need to limit each persons access to only what they need to do.

2 - Basic Demonstration
Most installations restrict sudo so it is un-useble. An admin needs to run the "visudo" command to add users or groups into sudo in order for it to allow some one to run an application as another user like root or some other powerful system user.

Sudo is similar in function to the switch user or "su" command. The difference is that where su is a dumb animal and asks for the target users password, sudo is configurable to authenticate to different account privileges in different ways and provides detailed logging and control to what applications can be executed with that users permissions.

One of the default setups which people choose is to allow all users in the wheel account to run as root privileges on all applications on all hosts. This is not an ideal setup obviously because any one in the wheel group becomes like root.

But lets say I am a backup administrator who for some reason needs root access to the whole machine.

somehost$ sudo tar -cvf /dev/tapedevice0 /
Then it will prompt me for my password (not roots) then execute tar with root privileges. With the same setup we could just as easily do this:

somehost$ sudo /bin/sh
It will then prompt me for my password, then give me a shell with root privileges.
This behavior can be changed of course which is the next topic.

3 - Configuration
The configuration file for sudo is typically in /etc/sudoers. But typically we would use the "visudo" command to configure the file.

USER or USER_ALIAS HOST or HOST_ALIAS = (TARGET USER OR USER_ALIAS) COMMAND OR COMMAND_LIST

Example:
Defaults!PAGERS        noexec //prevents shell escapes in pager programs
User_Alias ADMLIST = asmodianx
User_Alias USERLIST = will, wendy, wim
Runas_Alias TARGETLIST = root, operator
Host_Alias HOSTLIST = HOST1,HOST2
Cmnd_Alias PROGRAMLIST = /usr/bin/sh, /usr/bin/csh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/bin/ksh, /usr/local/bin/zsh
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
#-------------------
USERLIST HOSTLIST=(TARGETLIST)PAGERS
ADMLIST HOSTLIST=(TARGETLIST)PROGRAMLSIT

In this example we prevent shell escapes in the pager programs (less, more ...etc).
We then allow access to the shells for the admin user. Sudo is also network aware
PAM modules should work seamlessly but LDAP groups look like local groups I believe.
NIS+ networks or using rsh is where the network aware settings come into play.

4 - Administrator Sluggo says ...
Some Linux distributions have some silly concepts when it comes to default sudo configurations. SUSE for some reason thinks that sudo is some kind of replacement for su, so it enables sudo commands for all members of the "users" group only if they know the target users password. Assigning root shells is generally a bad thing too but this depends heavily on your management style.

5 - Informative resources:
http://www.wlug.org.nz/SudoHowto
http://www.linuxhelp.net/guides/sudo/
http://www.gratisoft.us/sudo/man/sudo.html

blog comments powered by Disqus