Configuring Your Sudoers File
By Bryan Young
Expert Author
Article Date: 2010-10-05
If you are managing a Unix network, you know that there are things that must be done on a regular basis that require root authentication or user privilege elevation. There are three general options available to you. First, you can be constantly on call from your users, authenticating their commands yourself. This is a good way to lose weight, as you will be running around constantly, but not a great way to run a network. Second, you can give out the root password. Ha, ha, ha. I know, silly, right?
The third and smartest option is to set up your /etc/sudoers file to allow selective permissions elevations.
First and foremost, you should not edit the /etc/sudoers file directly. There is a useful command built into the sudo system, visudo, which when run as root will allow you to edit the file safely. Once open, you can begin customizing the permissions for various users and groups. Aliases can be set up to make the file easier to manage. There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias, and Cmnd_Alias. These are just variables or placeholders. For instance, you can group certain users under one name by writing
# web administrators
User_Alias WEBMASTER = bob, clark
The # indicates a comment. From now on, if you put WEBMASTER, sudo will treat it as both bob and clark. This can be done for commands also.
# web commands
Cmnd_Alias APACHECMNDS = /usr/sbin/apache, /usr/sbin/httpd, \
    /etc/init.d/httpd
You can use a backslash (\) at the end of a line to continue an alias onto the next line for readability. Let's take a look at a few examples.
# anyone in group topdogs can run any command, as any user, on any host
%topdogs ALL = (ALL) ALL
# WEBMASTER members (bob and clark) can run the APACHECMNDS as user 'www'
WEBMASTER ALL = (www) APACHECMNDS
# bob can also use the kill command or any command directly in the
# /usr/local/bin/ directory on the server named 'chicken'; the trailing
# slash marks a directory, and with no (user) given the commands run as root
bob chicken = /usr/bin/kill, /usr/local/bin/
# clark can run all the APACHECMNDS except /etc/init.d/httpd
clark ALL = APACHECMNDS, !/etc/init.d/httpd
As you can probably tell, the format for each line is: user (or %group), then the host, then = (user to run the command as) and the list of commands available. If you need to exclude a command, prefix it with a !. Now you have the basics you need to set up your users with the commands they need to use on a regular basis.
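Rules like these can be checked mechanically before they go near a real system. The Python below is an added example written for this page, not code from the article or from the sudo project: a small evaluator for just the sudoers features the article uses (User_Alias, Cmnd_Alias, backslash continuation, %group, (runas) and ! exclusion). It models three points of sudo's documented behaviour that decide whether a request is allowed: a rule with no (user) part runs as root, a directory is written with a trailing slash and covers only the files directly inside it, and when several entries match, the last one in file order wins, which is how a trailing ! entry revokes a single command from an alias. The group membership (a user alice in topdogs) and the host names other than chicken are constructed for the example.

```python
"""Toy evaluator for the subset of sudoers syntax the article uses: User_Alias,
Cmnd_Alias, backslash continuation, %group, (runas), '!' exclusion and
trailing-slash directories.  Constructed for illustration; it is not sudo's
parser and ignores Host_Alias, Runas_Alias, Defaults, wildcards and arguments."""
import os

# Constructed sample built from the article's rules.
SAMPLE_SUDOERS = r"""
# web administrators
User_Alias WEBMASTER = bob, clark
# web commands
Cmnd_Alias APACHECMNDS = /usr/sbin/apache, /usr/sbin/httpd, \
    /etc/init.d/httpd
%topdogs ALL = (ALL) ALL
WEBMASTER ALL = (www) APACHECMNDS
bob chicken = /usr/bin/kill, /usr/local/bin/
clark ALL = APACHECMNDS, !/etc/init.d/httpd
"""

# Constructed group membership; real sudo reads the system group database.
GROUPS = {"topdogs": {"alice"}}


def _logical_lines(text):
    """Strip comments and blanks, joining lines that end with a backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    return out

def _split_list(spec):
    return [item.strip() for item in spec.split(",") if item.strip()]

def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, rules). A rule is (user_spec, host,
    runas, entries); runas defaults to 'root' when no (runas) part is given."""
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for line in _logical_lines(text):
        if line.startswith(("User_Alias ", "Cmnd_Alias ")):
            kind, rest = line.split(None, 1)
            name, members = (p.strip() for p in rest.split("=", 1))
            target = user_aliases if kind == "User_Alias" else cmnd_aliases
            target[name] = _split_list(members)
            continue
        who, rest = line.split(None, 1)
        host, spec = (p.strip() for p in rest.split("=", 1))
        runas = "root"
        if spec.startswith("("):
            runas, spec = spec[1:].split(")", 1)
        rules.append((who, host, runas.strip(), _split_list(spec)))
    return user_aliases, cmnd_aliases, rules

def _user_matches(who, user, user_aliases, groups):
    if who.startswith("%"):
        return user in groups.get(who[1:], set())
    if who in user_aliases:
        return any(_user_matches(m, user, user_aliases, groups)
                   for m in user_aliases[who])
    return who in ("ALL", user)

def _expand(entries, cmnd_aliases, negate=False):
    """Flatten Cmnd_Alias references, carrying any '!' down to each path."""
    for item in entries:
        neg, name = negate ^ item.startswith("!"), item.lstrip("!")
        if name in cmnd_aliases:
            yield from _expand(cmnd_aliases[name], cmnd_aliases, neg)
        else:
            yield ("!" if neg else "") + name

def _cmd_matches(pattern, command):
    if pattern == "ALL":
        return True
    if pattern.endswith("/"):  # directory: matches files directly inside it
        return os.path.dirname(command) + "/" == pattern
    return pattern == command

def may_run(text, user, host, command, runas="root", groups=GROUPS):
    """Walk every matching entry in file order; as in sudo, the last matching
    command entry decides, and a '!' entry is a denial."""
    user_aliases, cmnd_aliases, rules = parse_sudoers(text)
    decision = False
    for who, rule_host, rule_runas, entries in rules:
        if not _user_matches(who, user, user_aliases, groups):
            continue
        if rule_host not in ("ALL", host) or rule_runas not in ("ALL", runas):
            continue
        for entry in _expand(entries, cmnd_aliases):
            if _cmd_matches(entry.lstrip("!"), command):
                decision = not entry.startswith("!")
    return decision
```

Two results are worth noticing when you run may_run over the sample: bob can run /usr/sbin/httpd only as www (the WEBMASTER rule) and not as root, and clark is refused /etc/init.d/httpd as root but is still allowed it as www, because the exclusion lives on his root rule while the WEBMASTER rule grants it. Whatever such a check tells you, validate a real file with visudo -c -f before installing it; that mode parses the file without opening an editor.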
About the Author: Bryan Young is a staff writer for WebProNews.