When managing your /etc/sudoers files, it’s a good idea to organize user privileges in ways that make them easier to manage over the long haul and to assign permissions based on the roles that users play in your organization.
One very useful way to do that is to group related commands together — such as all commands related to running backups or managing web sites — and assign them to the individuals or groups that require these privileges.
Setting up command groups in /etc/sudoers
To create a command group, you use what is called a Cmnd_Alias in your /etc/sudoers file and give the new command group a meaningful name. Here are some examples. Note that full pathnames should be specified for all of the commands included in a group. Otherwise, you are likely to see an error like this when you try to exit visudo. And remember to only edit /etc/sudoers with the visudo command to allow it to warn you in ways like this and prevent errors.
>>> /etc/sudoers: syntax error near line 60 <<<
Command aliases like these might prove useful. Here, we’re grouping kill, password and shell commands together in three separate groups.
Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/pkill, /usr/bin/killall
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
/usr/bin/chfn
Cmnd_Alias SHELLS = /bin/sh, /usr/bin/sh, /bin/bash, /bin/dash, \
/usr/bin/rsh, /bin/rbash, /bin/static-sh
Anyone given access to any of these three command groups would then be able to run the associated commands using sudo (e.g., sudo kill 1234). The format for defining command aliases is fairly simple. Use \ to continue a definition to the next line.
Another very useful command group is one that you can use to keep users from running commands that might allow them to break free from restrictions you might want to impose. If someone can run visudo or vi as root, for example, they can change the /etc/sudoers file to change their and other users’ privileges.
Cmnd_Alias RESTRICTED=/usr/sbin/vipw, /bin/vi /etc/sudoers, \
/bin/su - root, /bin/su -, /usr/sbin/visudo
You can apply these restrictions by configuring users or groups to not have access in lines like these that ensure that users cannot run these commands using sudo:
jdoe ALL = (ALL)ALL, !RESTRICTED TECHSUPP ALL = ALL, !RESTRICTED
It's easy to trip over all the ALLs that you are likely to encounter in sudoers files. A quick what's what may be in order here. When you see something like ALL ALL=(ALL) ALL in a line in the /etc/sudoers file, here's what the ALLs mean:
The first ALL represents the users allowed to run the command (this can be an individual or group) The second ALL represents the hosts The third ALL is the target (who you are when running the command) The last ALL is the group of commands allowed
Any of the ALLs can be replaced with specifics as in the commands above that specify jdoe and TECHSUPP in the first position.
The structure for defining command groups is fairly simple:
Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/pkill
^ ^ ^
| | |
keyword name included commands
Command groups allow you to provide related sets of sudo privileges to specific groups or individuals — such as tech support folks who need to change users’ passwords and sysadmins who need to be able to kill processes or reboot systems — without having to give them the ability to run all commands as root.
Assigning command groups
Once command groups have been established, you can assign them to individuals. Descriptive comments in your /etc/sudoers file will help ensure that anyone else who might edit the sudoers file can easily understand what was intended.
# bob can change passwords and manage account password settings on all systems bob ALL = VIPW
You can also use command groups to deny users the ability to run a group of commands using sudo.
# jen can run commands on all servers except those in the security group jen ALL, !SECURITY = ALL
You can also restrict the use of a command group to a specific system.
# jdoe needs to be able to kill processes on the code management system jdoe pluto = KILL
The second of the three command group assignments above requires that the SECURITY group of servers is also defined in the /etc/sudoers file. It might look like this:
Host_Alias SECURITY = mercury, venus, mars
You can also define users in groups and assign privileges by user group.
User_Alias WEBMASTERS = slee, willy, liam
Disallowing access
As you can see from some of the examples above, an exclamation point in front of an item negates the access. For example, !SECURITY means any systems except those in the security group. In a similar manner, ! in front of a command means the command cannot be used with sudo.
# maryk may change passwords for anyone but root maryk /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
Defining other aliases
You can group commands, systems or users together with commands like those shown below.
command groups: Cmnd_Alias HALT = /usr/sbin/halt system groups: Host_Alias SECURITY = mercury, venus, mars user groups: %group = group defined in /etc/group such as %sudo or %admin User_Alias = group defined within the /etc/sudoers file User_Alias SYSADMINS = shs, jdoe, paul privilege groups: %wheel ALL = (ALL) ALL
The /etc/sudoers file on a newly installed systems generally has very little content.
You can have groups with only one member. While this might seem of extra work for little or no benefit, it makes for better organization overall because the consistent format will make the file easier to maintain as users are added and removed.
Wrap up
A well-organized /etc/sudoers file can make doling out system privileges easier and smarter. And here's a helpful tip on using the sudo command with ssh.
The best strategy for using ssh is to play around with your sudoers settings on a development system until you feel comfortable with its syntax and can keep the /etc/sudoers file organized in such a way that it's easy to read and update.