Program: sudo
Configuration File: /etc/sudoers
[ref: sudo(8), sudoers(5), visudo(8), su(1)]
sudo allows administrators to provide restricted access to superuser privileges.
sudo allows the administrator to give certain users the ability to execute commands as another user. One advantage of using sudo is that it grants users temporary and restricted access to superuser-privileged programs and execution mode. This howto does not delve into the intricacies of security; it shows how to set up a limited sudo system.
A better tutorial can be found at O'Reilly Network's BSD Column 'Eliminating Root with Sudo'
Scenario:
2 x OpenBSD Servers (rowlands, and pott)
4 x restricted access accounts (mycall, sionef, samm, sepiuta)
An example use for sudo: we maintain systems for high schools. Since the systems are not live 24 hours a day, it would be good for a select small group to have the ability to shut down the system and to add users.
Two accounts (userids mycall and sionef) should have the ability to shut down the machines and create new user accounts. Two accounts (samm and sepiuta) should only be given the ability to create new user accounts.
Create the file: /etc/sudoers

# Host alias specification
# Cmnd alias specification
# User specification
The /etc/sudoers specifies the privileges we provide for users. We can specify the user, the hosts on which they can execute privileged commands, as well as the privileged commands they are allowed to use.
$ su
password:
# chmod 0440 /etc/sudoers
# exit
exit
$
The final part of configuring sudo is to change the permissions of /etc/sudoers to 0440.
User mycall can now run the shutdown process or the adduser program from his own shell account.
For example:
$ whoami
mycall
$ sudo shutdown -r +15 "quick reboot"

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these two things:

    #1) Respect the privacy of others.
    #2) Think before you type.

Password: *****          <-- authenticate mycall
Shutdown at (date) (time) (year)
shutdown: [pid pid-#]
$
*** System shutdown message from mycall@hostname ***
System going down at (time)

quick reboot
In the above example, mycall has executed the shutdown process by first specifying "sudo." After sudo parses the command line it authenticates mycall by requesting the login password. After authentication sudo executes the command given to it.
[ref: sudoers(5)]
The following are taken directly from the man page (i.e. go ahead and read it for a clearer explanation of the settings).
First, we define our aliases:
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Here we override some of the compiled in default values. We want sudo to log via syslog(3) using the auth facility in all cases. We don't want to subject the full time staff to the sudo lecture, and user millert need not give a password. In addition, on the machines in the SERVERS Host_Alias, we keep an additional local log file and make sure we log the year in each log line since the log entries will be kept around for several years.
# Override builtin defaults
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
The User specification is the part that actually determines who may run what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
We let root and any user in group wheel run any command on any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (millert, mikef, and dowdy) may run any command on any host without authenticating themselves.
PARTTIMERS ALL = ALL
Part time sysadmins (bostley, jwfox, and crawl) may run any command on any host but they must authenticate themselves first (since the entry lacks the NOPASSWD tag).
jack CSNETS = ALL
The user jack may run any command on the machines in the CSNETS alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0/24 has an explicit netmask (in CIDR notation) indicating it is a class C network. For the other networks in CSNETS, the local machine's netmask will be used during matching.
lisa CUNETS = ALL
The user lisa may run any command on any host in the CUNETS alias (the class B network 128.138.0.0).
operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
/usr/oper/bin/
The operator user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory /usr/oper/bin/.
joe ALL = /usr/bin/su operator
The user joe may only su(1) to operator.
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user pete is allowed to change anyone's password except for root on the HPPA machines. Note that this assumes passwd(1) does not take multiple usernames on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user bob may run anything on the SPARC and SGI machines as any user listed in the OP Runas_Alias (root and operator).
jim +biglab = ALL
The user jim may run any command on machines in the biglab netgroup. Sudo knows that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the secretaries netgroup need to help manage the printers as well as add and remove users, so they are allowed to run those commands on all machines.
fred ALL = (DB) NOPASSWD: ALL
The user fred can run commands as any user in the DB Runas_Alias (oracle or sybase) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the ALPHA machines, user john may su to anyone except root but he is not allowed to give su(1) any flags.
jen ALL, !SERVERS = ALL
The user jen may run any command on any machine except for those in the SERVERS Host_Alias (master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the SERVERS Host_Alias, jill may run any commands in the directory /usr/bin/ except for those commands belonging to the SU and SHELLS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
The user steve may run any command in the directory /usr/local/op_commands/ but only as user operator.
matt valkyrie = KILL
On his personal workstation, valkyrie, matt needs to be able to kill hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and wim), may run any command as user www (which owns the web pages) or simply su(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in the CDROM Host_Alias (orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script.
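The rules above are easy to misread, and the page's own caveats (passwd(1) taking several usernames, directory entries not covering subdirectories, "last match wins" with a negated entry) are exactly where mistakes happen. The following is an added example, not part of the original howto and not sudo's own parser: a deliberately simplified model of sudoers(5) matching, fed with a constructed /etc/sudoers for the scenario at the top of the page (hosts rowlands and pott; mycall and sionef may shut down and add users, samm and sepiuta may only add users). The alias names SCHOOL, SHUTDOWNERS and ADDERS and the command paths /sbin/shutdown and /usr/sbin/adduser are assumptions; the pete, jill and operator lines borrow the man-page rules discussed above so their semantics can be exercised.

```python
"""Simplified model of how sudoers(5) rules match (added example, not sudo's code).

Supports User_/Host_/Cmnd_/Runas_Alias, ALL, '!' negation in host and command
lists, NOPASSWD/PASSWD tags, directory entries ending in '/', glob arguments
and '\\' line continuations.  As in sudo, the LAST matching entry wins.
Not modelled: netgroups (+), %groups, Defaults, netmask hosts, ':' host lists.
"""
import fnmatch

# Constructed sudoers for the page's scenario (hosts rowlands and pott, users
# mycall/sionef and samm/sepiuta).  Command paths are assumptions, not from the page.
SCENARIO_SUDOERS = r"""
# Host alias specification
Host_Alias SCHOOL = rowlands, pott
# User alias specification
User_Alias SHUTDOWNERS = mycall, sionef
User_Alias ADDERS = samm, sepiuta
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias ADDUSER = /usr/sbin/adduser
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
                    /usr/bin/ksh
# User specification
SHUTDOWNERS SCHOOL = SHUTDOWN, ADDUSER
ADDERS SCHOOL = ADDUSER
pete SCHOOL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
jill SCHOOL = /usr/bin/, !SHELLS
operator pott = NOPASSWD: SHUTDOWN
"""

def _logical_lines(text):
    """Drop comments and blank lines, join '\\' continuations into one line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            out.append(buf + line)
            buf = ""
    return out

def _split(s):
    return [x.strip() for x in s.split(",") if x.strip()]

def _expand(alias_map, name):
    """Recursively expand an alias to its leaf members ('ALL' passes through)."""
    if name not in alias_map:
        return [name]
    return [leaf for m in alias_map[name] for leaf in _expand(alias_map, m)]

def _list_matches(alias_map, items, value):
    """Match value against a list such as 'ALL, !SERVERS'; the last match wins."""
    matched = False
    for item in items:
        leaves = _expand(alias_map, item.lstrip("!"))
        if "ALL" in leaves or value in leaves:
            matched = not item.startswith("!")
    return matched

def _parse_cmnd_spec(spec):
    """Parse '(runas) TAG: cmd, !cmd, ...' into (pattern, negated, runas, nopasswd)."""
    entries, runas, nopasswd = [], ["root"], False   # runas defaults to root
    for item in _split(spec):
        if item.startswith("("):                 # a runas list sticks to later entries
            close = item.index(")")
            runas, item = _split(item[1:close]), item[close + 1:].strip()
        for tag in ("NOPASSWD:", "PASSWD:"):     # tags also stick to later entries
            if item.startswith(tag):
                nopasswd, item = tag == "NOPASSWD:", item[len(tag):].strip()
        entries.append((item.lstrip("!"), item.startswith("!"), runas, nopasswd))
    return entries

def parse_sudoers(text):
    """Return (aliases, rules); each rule is (user, host_list, cmnd_entries)."""
    aliases = {k: {} for k in ("User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")}
    rules = []
    for line in _logical_lines(text):
        head, _, rest = line.partition(" ")
        if head in aliases:
            name, _, members = rest.partition("=")
            aliases[head][name.strip()] = _split(members)
        elif not head.startswith("Defaults"):    # Defaults lines are ignored here
            hosts, _, spec = rest.partition("=")
            rules.append((head, _split(hosts), _parse_cmnd_spec(spec)))
    return aliases, rules

def _cmnd_matches(pattern, cmd, args):
    """ALL, a directory entry ending in '/', or 'path [glob for the arguments]'."""
    if pattern == "ALL":
        return True
    path, _, arg_glob = pattern.partition(" ")
    if path.endswith("/"):                       # only commands directly in that directory
        return cmd.rsplit("/", 1)[0] + "/" == path
    if not fnmatch.fnmatchcase(cmd, path):
        return False
    return not arg_glob or fnmatch.fnmatchcase(" ".join(args), arg_glob)

def check(policy, user, host, cmd, args=(), runas="root"):
    """Return (allowed, nopasswd) for user@host running cmd with args as runas."""
    aliases, rules = policy
    result = (False, False)
    for rule_user, hosts, entries in rules:
        if not _list_matches(aliases["User_Alias"], [rule_user], user):
            continue
        if not _list_matches(aliases["Host_Alias"], hosts, host):
            continue
        for pattern, negated, runas_list, nopasswd in entries:
            if not _list_matches(aliases["Runas_Alias"], runas_list, runas):
                continue
            if any(_cmnd_matches(p, cmd, args) for p in _expand(aliases["Cmnd_Alias"], pattern)):
                result = (not negated, nopasswd)   # last matching entry wins
    return result

POLICY = parse_sudoers(SCENARIO_SUDOERS)

if __name__ == "__main__":
    print(check(POLICY, "mycall", "rowlands", "/sbin/shutdown", ("-r", "+15")))  # (True, False)
    print(check(POLICY, "pete", "pott", "/usr/bin/passwd", ("alice", "root")))   # (True, False)
```

The last line in the demo reproduces the caveat given for pete above: `!/usr/bin/passwd root` only excludes the argument string `root`, so `passwd alice root` still matches `[A-z]*` and is allowed by the policy, which is why that rule assumes passwd(1) does not accept several usernames. Running the real file through `visudo -c` remains the authoritative syntax check; this model only illustrates the matching order.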
Copyright (c) 2000/1/2 Samiuela LV Taufa. All Rights Reserved.
I reserve the right to be totally incorrect even at the best advice of betters. In other words, I'm probably wrong in enough places for you to call me an idiot, but don't 'cause you'll hurt my sensibilities, just tell me where I went wrong and I'll try again.
You are permitted and encouraged to use this guide for fun or for profit as you see fit. If you republish this work in whatever form, it would be nice (though not enforceable) to be credited.
sudo - selective access RooT
Copyright © 2000/1/2 NoMoa Publishers All rights reserved. Caveat Emptor