Explain Sudoers file Configuration in Linux

What We’ll Cover
- What is the SUDOERS file in Linux?
- What is SUDO in Linux?
- Why SUDOERS and SUDO?
- What is /etc/sudoers?
- What is /etc/sudoers.d/?
- Why /etc/sudoers.d/?
- The /etc/sudoers file configurations
- Conclusion
What is SUDOERS file in Linux?
The sudoers file is the file Linux administrators use to grant system rights to users: it defines which users may perform which actions, and which actions they may not. Linux distinguishes several kinds of users (the root user, system users, local users and network users).
What is SUDO in Linux?
sudo stands for “substitute user do” or “super user do”. The sudo command lets a non-root user temporarily run a command with root privileges.

Why SUDOERS and SUDO?
By default, local users do not get the privileges the root user has. Sometimes a command run from a local user account needs root (administrator) privileges.
Eg: cat /etc/shadow
A local/regular user cannot view the password file with “cat /etc/shadow”. Running the same command with sudo as a prefix, however, works.
Eg: sudo cat /etc/shadow

The /etc/shadow file contains password information (even though the passwords themselves are stored in encrypted/hashed form). This is sensitive information and must be stored securely; unauthorized users should not be able to view the file. If a regular user nevertheless needs to read it, you can configure that user in sudoers to allow it.
What is /etc/sudoers?
The sudo command allows non-root users to run commands that would normally require superuser (root) privileges. The sudoers file tells the system how to handle sudo: what each sudo user is allowed to do.
In short, sudo is a command (a prefix for a Linux command) and sudoers is a file (/etc/sudoers).
What is /etc/sudoers.d/?
When a command is run with the sudo prefix, sudo checks whether the user is configured in the sudoers configuration. The default sudoers file is /etc/sudoers (a file); custom sudoers files can be created under /etc/sudoers.d (a directory). Entries in those custom files take precedence over the default configuration, because the sudoers configuration is read in order and the last matching entry wins.
The recommended approach is to put customizations in separate files under the sudoers.d directory.
Why /etc/sudoers.d/?
Changes made to files in /etc/sudoers.d/ remain in place when the system is upgraded, which prevents users from being locked out after an upgrade. Sudoers files are very sensitive: any misconfiguration can lock users out, and a wrong change to the default sudoers file can affect the whole system.
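Two things commonly go wrong with drop-in files in /etc/sudoers.d: the file name is silently ignored by sudo (sudoers(5) skips names that contain a “.” or end in “~”, so a file saved as jen.conf or jen~ never takes effect), and the permissions are wrong (the file should be root-owned with mode 0440). The following script is an added example, not part of this article and not sudo's own code; it writes a constructed fragment into a temporary directory that stands in for /etc/sudoers.d, applies those two checks, and, when visudo is installed, syntax-checks the fragment with “visudo -cf FILE” (otherwise that step is reported as skipped).

```python
"""Pre-flight checks for a /etc/sudoers.d drop-in file (added example, not sudo's code).

Encodes two rules from sudoers(5): drop-in names containing '.' or ending in '~'
are ignored, and the file is expected to be root-owned with mode 0440. A scratch
directory replaces /etc/sudoers.d so the script runs without privileges.
"""
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed fragment mirroring the article's rule for user jen.
FRAGMENT = """Host_Alias PRODSERVERS = master, mail, www, ns
Cmnd_Alias VIEWSHADOW = /usr/bin/cat /etc/shadow
jen ALL, !PRODSERVERS = VIEWSHADOW
"""


def dropin_name_ok(name: str) -> bool:
    """sudoers(5): files whose name contains '.' or ends in '~' are not read."""
    return "." not in name and not name.endswith("~")


def dropin_mode_ok(path: str) -> bool:
    """Permission bits must be exactly 0440 (readable by owner and group only)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o440


def visudo_check(path: str):
    """Return True/False from 'visudo -cf path', or None when visudo is absent."""
    visudo = shutil.which("visudo")
    if visudo is None:
        return None
    proc = subprocess.run([visudo, "-cf", path], capture_output=True, text=True)
    return proc.returncode == 0


def install_fragment(directory: str, name: str, text: str) -> dict:
    """Write the fragment with a safe mode and report every check."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o440)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o440)  # os.open's mode is filtered by the umask; set it explicitly
    return {
        "path": path,
        "name_ok": dropin_name_ok(name),
        "mode_ok": dropin_mode_ok(path),
        "syntax_ok": visudo_check(path),  # None means visudo was not available
    }


def demo() -> dict:
    """Install three candidate names into a scratch directory; only 'jen' is usable."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:  # stand-in for /etc/sudoers.d
        for name in ("jen", "jen.bak", "jen~"):
            results[name] = install_fragment(scratch, name, FRAGMENT)
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

On a real system the equivalent manual workflow is “visudo -f /etc/sudoers.d/jen” (which writes the file atomically and refuses to save a syntactically broken one), followed by “sudo -l -U jen” to confirm the rule is actually in effect for that user.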
The /etc/sudoers file configurations
General sudoers file format:
username/groupname servername/servergroup = (usernames the command can be run as) command
Instead of listing specific names, we can group them logically with aliases. The sudoers file supports several alias types to keep this simple.
# User alias specification
User_Alias FULLTIMERS = albert, ronald, ann

# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, mysql

# Host alias specification
Host_Alias PRODSERVERS = master, mail, www, ns
Host_Alias DEVSERVERS = testdb, devapp1, preprod

# Cmnd alias specification
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias VIEWSHADOW = /usr/bin/cat /etc/shadow

# User specification
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
# full time users can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL

# peter may run anything on machines in DEVSERVERS
peter DEVSERVERS = ALL

# jane may change passwords for anyone (except root) on PRODSERVERS
jane PRODSERVERS = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# sam may run anything on the DEVSERVERS as the DB users (oracle, mysql)
sam DEVSERVERS = (DB) ALL

# fred can run commands as oracle or mysql without a password
fred ALL = (DB) NOPASSWD: ALL

# jen can run VIEWSHADOW commands on all machines except those in PRODSERVERS
jen ALL, !PRODSERVERS = VIEWSHADOW
User Alias
A user alias names a group of users by username; in other words, it lists which users may use “sudo” as a prefix for commands.
User_Alias FULLTIMERS = albert, ronald, ann
# full time users can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL
Runas Alias
A Runas alias names a group of users by UID and defines which accounts a command may be “run as”. The example below allows user sam to run any command on the DEVSERVERS hosts as either the oracle user or the mysql user.
Runas_Alias DB = oracle, mysql
# sam may run anything on the DEVSERVERS as the DB users (oracle, mysql)
sam DEVSERVERS = (DB) ALL
Cmnd Alias
A command alias defines a list of commands and directories.
Cmnd_Alias VIEWSHADOW = /usr/bin/cat /etc/shadow
# jen can run VIEWSHADOW commands on all machines except those in PRODSERVERS
jen ALL, !PRODSERVERS = VIEWSHADOW
Hosts Alias
A host alias names a list of hostnames.
Host_Alias DEVSERVERS = testdb, devapp1, preprod
# peter may run anything on machines in DEVSERVERS
peter DEVSERVERS = ALL
Instead of specifying each hostname or IP address, the whole group can be referred to as DEVSERVERS.
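The rules above are only useful if you can predict how sudo will evaluate them: every list (users, hosts, run-as users, commands) expands aliases, a “!” item negates, and when more than one item or entry matches, the last one wins. The following toy matcher is an added example written for this article; it is not sudo's own parser and handles only the subset used in the policy above (the four alias kinds, ALL, %group, “!” negation, a (runas) list, the NOPASSWD: tag and glob command arguments). Group membership and the current host are passed in by the caller, since the script is meant to run on a scratch copy of the policy rather than against real accounts.

```python
"""Toy sudoers matcher (added example, not sudo's own parser). It supports the four
alias kinds, ALL, %group, '!' negation, (runas) lists, the NOPASSWD: tag and glob
arguments, and applies sudoers' rule that the last matching entry wins."""
import fnmatch
import shlex

# Constructed copy of the article's example policy.
SUDOERS = """
User_Alias FULLTIMERS = albert, ronald, ann
Runas_Alias DB = oracle, mysql
Host_Alias PRODSERVERS = master, mail, www, ns
Host_Alias DEVSERVERS = testdb, devapp1, preprod
Cmnd_Alias VIEWSHADOW = /usr/bin/cat /etc/shadow
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
FULLTIMERS ALL = NOPASSWD: ALL
peter DEVSERVERS = ALL
jane PRODSERVERS = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
sam DEVSERVERS = (DB) ALL
fred ALL = (DB) NOPASSWD: ALL
jen ALL, !PRODSERVERS = VIEWSHADOW
"""
ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def split_list(text):
    """Split a comma-separated sudoers list into stripped items."""
    return [item.strip() for item in text.split(",") if item.strip()]

def parse(text):
    """Return ({alias_kind: {name: items}}, [user specs]) for the supported subset."""
    aliases, specs = {kind: {} for kind in ALIAS_KINDS}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; @include lines are not handled
        if not line:
            continue
        head = line.split(None, 1)[0]
        if head in ALIAS_KINDS:
            name, value = line[len(head):].split("=", 1)
            aliases[head][name.strip()] = split_list(value)
            continue
        # USERLIST HOSTLIST = [(RUNASLIST)] [NOPASSWD:] CMNDLIST
        left, right = line.split("=", 1)
        users, hosts = left.split(None, 1)
        right = right.strip()
        runas = ["root"]  # sudo's default run-as user when no (...) is given
        if right.startswith("("):
            inner, right = right[1:].split(")", 1)
            runas, right = split_list(inner), right.strip()
        nopasswd = right.startswith("NOPASSWD:")
        right = right[len("NOPASSWD:"):].strip() if nopasswd else right
        specs.append({"users": split_list(users), "hosts": split_list(hosts),
                      "runas": runas, "nopasswd": nopasswd, "cmnds": split_list(right)})
    return aliases, specs

def match_list(items, alias_table, match_one):
    """Evaluate one list: aliases expand, '!' negates, the last hit wins.
    Returns True (matched), False (negated by a '!' item) or None (nothing matched)."""
    result = None
    for item in items:
        name = item.lstrip("!")
        if name in alias_table:
            hit = match_list(alias_table[name], alias_table, match_one) is True
        else:
            hit = match_one(name)
        if hit:
            result = not item.startswith("!")
    return result

def cmnd_matches(entry, command):
    """An entry without arguments matches any arguments; with arguments, the
    requested arguments must match them as a glob (exactly, for plain text)."""
    if entry == "ALL":
        return True
    want, have = shlex.split(entry), shlex.split(command)
    if not have or not fnmatch.fnmatchcase(have[0], want[0]):
        return False
    return len(want) == 1 or fnmatch.fnmatchcase(" ".join(have[1:]), " ".join(want[1:]))

def check(sudoers_text, user, host, command, runas="root", groups=()):
    """Return 'allow', 'allow nopasswd', 'deny' (hit a '!' command) or 'no match'."""
    aliases, specs = parse(sudoers_text)
    decision = "no match"
    for spec in specs:
        if not match_list(spec["users"], aliases["User_Alias"], lambda u: u == "ALL"
                          or u == user or (u.startswith("%") and u[1:] in groups)):
            continue
        if not match_list(spec["hosts"], aliases["Host_Alias"],
                          lambda h: h == "ALL" or fnmatch.fnmatchcase(host, h)):
            continue
        if not match_list(spec["runas"], aliases["Runas_Alias"],
                          lambda r: r == "ALL" or r == runas):
            continue
        verdict = match_list(spec["cmnds"], aliases["Cmnd_Alias"],
                             lambda c: cmnd_matches(c, command))
        if verdict is not None:  # later matching entries override earlier ones
            decision = "deny" if not verdict else ("allow nopasswd" if spec["nopasswd"] else "allow")
    return decision

if __name__ == "__main__":
    print(check(SUDOERS, "jen", "testdb", "/usr/bin/cat /etc/shadow"))  # allow
```

Worth noticing in the results: jen gets “no match” on mail because the “!PRODSERVERS” host item overrides the earlier “ALL”; jane gets an explicit “deny” for “passwd root” because the negated command is the last item that matches; and sam gets “no match” unless the run-as user is one of the DB accounts, since a spec with “(DB)” never applies to the default run-as user root.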
Below are a few examples with pointers to help understand the scenarios. Please read the comment lines to understand how the filtering has been configured for each case.
Sample Diagram 1

Hopefully this makes the format of the sudo parameters clear:
user   hostgroup = (user_ownership : group_ownership) commands
%group hostgroup = (user_ownership : group_ownership) commands
The sketch above shows which parameter refers to the user (or group), the ownership (the run-as user and group), the host group, and the command set. The second sketch below uses arrows to point out the meaning of each parameter.
Sample Diagram 2

Conclusion
If you work with multiple users on Unix/Linux systems, understanding the sudo command and the sudoers file is an absolute must. The theory is not easy to grasp, but anyone who works with Linux sudoers files should learn how each field is matched.
Please comment if anything needs to be corrected or changed.
Thank you for reading.