Setting up sudo

One clear benefit of sudo is that users don't have to remember another password to be able to run commands as root. Besides, you probably don't want them to have general root access. It's also extremely handy when you want someone to have temporary root access; you don't even have to provide them with the password. Just enable them to "sudo su" and they'll acquire root access just by using this command and their own password.

You can give full root access to a system without providing the root password by using a record like this in the sudoers file:

visadmin  ALL=/usr/bin/su

You would add a line such as this to the sudoers file using the visudo command.

For more general use, you can specify the commands that you want particular users to be able to run as root or not be able to run as root. It's far easier, however, and more secure to list the commands that you want your users to run with the authority of root, rather than those you want to block them from using. Blocking can be easy to defeat (e.g., if they create a symbolic link to a command they're not allowed to execute) as shown in the example below. Besides, it's hard to consider all the possible ways around the controls or remember to update the sudoers file after you have added new tools.

boson> sudo date
Sorry, user shs is not allowed to execute '/usr/bin/date' as root on boson.
Jul 22 15:24:24 boson sudo: [ID 702911 local2.alert] shs : command not allowed ; TTY=pts/2 ; PWD=/export/home/shs ; USER=root ; COMMAND=/usr/bin/date
boson> which date
boson> ln -s /usr/bin/date dt
boson> ls -l dt
lrwxrwxrwx 1 shs other 13 Jul 22 10:22 dt -> /usr/bin/date
boson> sudo ./dt
Wed Jul 22 10:23:38 EDT 2009

Sudo access rules are simple in structure, but a little dense, especially when they contain a whole bunch of ALLs like "SYSADMINS ALL = ALL" or even "ALL ALL=(ALL) ALL" and you're not sure what each of these "ALLs" is meant to accomplish.

ALL is a placeholder. Its basic definition is "match everything". If you put ALL in a field which is meant to identify a user who is being given the ability to run certain commands as root, ALL means all users. If ALL is used in the command field, it means all commands. The "ALL ALL=(ALL) ALL" specification would then mean that everyone can do everything as root. Not a good setting! But maybe an OK example.

   ALL ALL=(ALL) ALL
    ^   ^    ^    ^
    |   |    |    |
    1   2    3    4

1 = all users
2 = all terminals
3 = acting as any user
4 = all commands

The line "shs ALL=(ALL) ALL" would give all privileges to a user "shs".

If the third ALL in this command structure is puzzling, consider that you can use sudo to run commands for accounts other than root as is shown in the example below.

boson> sudo -u fred touch /tmp/x
-rw-r--r--   1 fred     other          0 Jul 22 11:03 /tmp/x

If the line in the sudoers file was "shs ALL=(eric) /usr/bin/touch", shs could only issue the touch command via sudo as the user eric.

The first column in the sudoers file represents users or aliases. It might be an individual username, an alias for a group of users (e.g., SYSADMINS) defined earlier in the file or a representation of all users (%users). It might be an alias for a group of commands, systems or a "run as" alias.

Records in the sudoers file are applied in the order in which they are listed. If multiple lines apply to a particular sudo command, the one listed last is the one that is used. So, if one line says that you can issue a command as root and the next says you can't, you can't.
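The symlink bypass and the last-match rule described above, modeled as an added example (not code from this article or from sudo itself). It is a simplified model that compares command paths as literal strings, and the deny rule "shs ALL = ALL, !/usr/bin/date" is an assumed form of the blocking entry, which the article does not show.

```python
# Simplified model of sudoers evaluation; NOT sudo's real parser or matcher.
# Assumptions: command paths are compared as literal strings, and the host
# field is parsed but not evaluated.

def parse_rule(line):
    """Parse 'user host = (runas) cmd, !cmd' (this simple form only)."""
    user, rest = line.split(None, 1)
    host, spec = rest.split("=", 1)
    spec, runas = spec.strip(), "root"          # no (runas) given means root
    if spec.startswith("("):
        runas, spec = spec[1:].split(")", 1)
    cmds = [c.strip() for c in spec.split(",")]
    return {"user": user, "host": host.strip(), "runas": runas.strip(), "cmds": cmds}

def decide(lines, user, runas, command):
    """Walk the rules top to bottom; the last matching entry wins, default deny."""
    allowed = False
    for rule in map(parse_rule, lines):
        if rule["user"] not in (user, "ALL") or rule["runas"] not in (runas, "ALL"):
            continue
        for cmd in rule["cmds"]:
            negated, path = cmd.startswith("!"), cmd.lstrip("!")
            if path in ("ALL", command):
                allowed = not negated
    return allowed

# Constructed rule sets. DENYLIST is an assumed form of the blocking entry.
DENYLIST = ["shs ALL = ALL, !/usr/bin/date"]
ALLOWLIST = ["shs ALL=(eric) /usr/bin/touch"]      # rule quoted in the article
SYMLINK = "/export/home/shs/dt"                    # ./dt from the session above

if __name__ == "__main__":
    for name, rules, runas in (("denylist", DENYLIST, "root"),
                               ("allowlist", ALLOWLIST, "eric")):
        for command in ("/usr/bin/date", "/usr/bin/touch", SYMLINK):
            verdict = "allowed" if decide(rules, "shs", runas, command) else "denied"
            print(f"{name:9} {command:22} as {runas}: {verdict}")
```

Under the denylist the blocked path is refused but the renamed link still matches ALL; under the allowlist anything not listed, including the link, is refused by default.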

See "Setting up sudo, part 2" for some examples of sudoers files and how they work.

This article is published as part of the IDG Contributor Network.