Understanding the /etc/sudoers file in Linux


Ordinary commands, such as those in the /bin directory, can be run without elevated privileges. For example, the pwd (print working directory) command lives in /bin (/bin/pwd). Any user can execute pwd, because it does not require elevated privileges.

[Tim@server1 ~]$ pwd
/home/Tim

 

Administrative commands, such as ifdown and ifup in the /sbin directory, require elevated privileges. In this example, when Tim, an ordinary user, attempts ifdown, the command fails with a permission denied message.

[Tim@server1 ~]$ ifdown eth0
Permission denied

 

The /etc/sudoers file determines which users may run which commands with elevated privileges. Do not edit it directly with your preferred editor, such as vi or nano: a single syntax error in /etc/sudoers makes sudo refuse every command, which can lock you out of privilege escalation on the host. Use the visudo command instead. It locks the file against concurrent edits and checks the syntax before the change is saved. visudo must itself be run as root (for example via sudo visudo). To check without editing, visudo -c validates the installed file and visudo -cf FILE validates a candidate file before it is installed. Most distributions also read drop-in files from /etc/sudoers.d; visudo -f /etc/sudoers.d/FILE edits one of those with the same checks.

The syntax of a rule in /etc/sudoers is users hosts=(user:group) commands: the users the rule applies to, the hosts on which it applies, the target user and group the commands may be run as, and the commands themselves. By default, there is a line that allows root to run all commands, on all hosts, as any user and group. Do not comment out this line.

root ALL=(ALL:ALL) ALL

 

Sometimes, the line will only have (ALL) instead of (ALL:ALL). The first list is the users the command may be run as (sudo -u); the second is the groups that may be requested with sudo -g. With (ALL) alone, the command may be run as any user, but no additional group may be requested.

root ALL=(ALL) ALL

 


SUDO

By default, there is a line that allows members of a privileged group to use the sudo command to run all commands that require elevated privileges. On Debian and Ubuntu systems, this line starts with %sudo (the % prefix denotes a group name). Do not comment out this line.

%sudo ALL=(ALL:ALL) ALL

 

On other systems, such as CentOS and other Red Hat derivatives, the line starts with %wheel. Do not comment out this line.

%wheel ALL=(ALL:ALL) ALL

 

If the sudo command is used by a user who is not a member of the sudo or wheel group (and has no other rule in /etc/sudoers), sudo still prompts for the password, then refuses the command and logs the attempt.

[Roger@server1 ~]$ sudo reboot
[sudo] password for Roger:
Roger is not in the sudoers file.  This incident will be reported.

 

Users who are members of the sudo or wheel group can use the sudo command to run any command with elevated privileges, not only those in the /sbin directory. In the prior examples, the NOPASSWD tag was not included with %sudo or %wheel, so sudo prompts the user for their own password (not root's) and then caches the authentication for a few minutes (controlled by the timestamp_timeout default).

[Tim@server1 ~]$ sudo ifdown eth0
[sudo] password for Tim:

 

The NOPASSWD tag can be included to prevent users from constantly having to type their password. Be clear about what it means: anything that runs as a member of that group, including a malicious script or a hijacked session, can become root without any further check. Prefer a longer timestamp_timeout, or NOPASSWD on a short list of specific commands, over NOPASSWD: ALL.

%sudo ALL=(ALL:ALL) NOPASSWD: ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL

 


USERS

Because the sudo command prompts for the user's password, users may complain about always having to enter it. While it is possible to give a user permission to run every command that requires elevated privileges, this is strongly discouraged and should only be done in the most extreme situations: it is equivalent to handing that user a root account.

Tim ALL=(ALL:ALL) ALL

 

Instead of ALL, you can list the specific commands a user may run. For example, to allow Tim to run only ifup and ifdown via sudo (he still invokes them as sudo ifup, and is still prompted for his password). Notice that (ALL:ALL) was not included in this example; the (user:group) part is optional, and when it is omitted the commands may be run only as root. Commands must be given by their full path, and a command listed without arguments may be run with any arguments, so check that the commands you allow cannot be used to obtain a shell or to write arbitrary files.

Tim ALL=/sbin/ifup, /sbin/ifdown

 


GROUPS

If multiple users need permission to run certain commands with elevated privileges, add the users to a group and then give the group permission to run those commands. Group names are preceded by the % character. To allow members of the admins group to run ifup and ifdown:

%admins ALL=/sbin/ifup, /sbin/ifdown

 


ALIASES

Recall that the syntax of a rule in the /etc/sudoers file is users hosts=(user:group) commands. An alias can be defined for each of those fields. Consider an example where multiple users need permission to run multiple commands on a certain host as a certain target user. For example, Tim, Tammy, Roger and Dawn need permission to execute the halt, init, poweroff, reboot, shutdown and telinit commands on 192.168.0.6 as the user admins.

Tim,Tammy,Roger,Dawn 192.168.0.6=(admins) /sbin/halt, /sbin/init, /sbin/poweroff, /sbin/reboot, /sbin/shutdown, /sbin/telinit

 

Aliases make this shorter and easier to maintain. Instead of listing Tim, Tammy, Roger and Dawn in every rule, a User_Alias can be created. Alias names must be written in upper case.

User_Alias      REBOOT_USERS = Tim, Tammy, Roger, Dawn

 

Instead of listing halt, init, poweroff, reboot, shutdown and telinit, a Cmnd_Alias can be created.

Cmnd_Alias      REBOOT_COMMANDS = /sbin/halt, /sbin/init, /sbin/poweroff, /sbin/reboot, /sbin/shutdown, /sbin/telinit

 

Instead of listing 192.168.0.6, a Host_Alias can be created.

Host_Alias      REBOOT_HOSTS = 192.168.0.6

 

Instead of listing admins, a Runas_Alias can be created.

Runas_Alias     REBOOT_RUNAS = admins

 

The aliases can then be combined into a single rule that means exactly the same as the long one above.

REBOOT_USERS       REBOOT_HOSTS=(REBOOT_RUNAS) REBOOT_COMMANDS
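To see how the rules above are actually evaluated, the following is an added example, not part of the original page and not sudo's own code: a small Python evaluator for the subset of the sudoers grammar shown here. It parses the four alias types, %group users, the (user:group) runas spec and the NOPASSWD tag, expands aliases, and answers whether a given user may run a given command on a given host as a given target user and group, applying sudo's rule that the last matching entry wins. The sample policy is assembled from the rules on this page; the group memberships (users, wheel, admins), the host name server1 and the queries are assumptions for illustration.

```python
"""Evaluator for the subset of /etc/sudoers syntax shown on this page (added example).

Supports User_/Cmnd_/Host_/Runas_Alias (may nest), %group users, (user[:group]) runas
specs, the NOPASSWD tag, comma-separated lists and '#' comments; Defaults lines are
skipped. Simplified on purpose: no command arguments, wildcards, '!' negation or
#include; user/host lists must not contain spaces; a target user's own groups are not
implicitly allowed with -g.
"""
import re
from collections import namedtuple

ALIAS_KINDS = ("User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
ALIAS_RE = re.compile(r"(User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.*)")
# users hosts = (runas_user[:runas_group]) [NOPASSWD:|PASSWD:] commands
RULE_RE = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:|PASSWD:)?\s*(.*)")

Rule = namedtuple("Rule", "users hosts runas_users runas_groups nopasswd commands")
Policy = namedtuple("Policy", "aliases rules")   # aliases: {kind: {NAME: [members]}}


def _split(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_sudoers(text):
    pol = Policy({k: {} for k in ALIAS_KINDS}, [])
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            pol.aliases[m.group(1)][m.group(2)] = _split(m.group(3))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse sudoers line: {raw!r}")
        users, hosts, runas, tag, cmnds = m.groups()
        runas = "root" if runas is None else runas   # no Runas_Spec: root only
        ru, _, rg = runas.partition(":")             # "(user)" leaves the -g list empty
        pol.rules.append(Rule(_split(users), _split(hosts), _split(ru), _split(rg),
                              tag == "NOPASSWD:", _split(cmnds)))
    return pol


def expand(pol, kind, items):
    """Replace alias names with their members (aliases may reference aliases)."""
    out = []
    for item in items:
        members = pol.aliases[kind].get(item)
        out.extend(expand(pol, kind, members) if members is not None else [item])
    return out


def _user_matches(entries, user, groups):
    return any(e == "ALL" or e == user or (e.startswith("%") and e[1:] in groups)
               for e in entries)


def check(pol, user, groups, host, command, runas_user="root", runas_group=None):
    """Return (allowed, password_required). As in sudo, the LAST matching rule wins."""
    verdict = (False, True)
    for r in pol.rules:
        if not _user_matches(expand(pol, "User_Alias", r.users), user, groups):
            continue
        hosts = expand(pol, "Host_Alias", r.hosts)
        if "ALL" not in hosts and host not in hosts:
            continue
        ru = expand(pol, "Runas_Alias", r.runas_users)
        if "ALL" not in ru and runas_user not in ru:
            continue
        if runas_group is not None:  # a sudo -g request needs a matching group list
            rg = expand(pol, "Runas_Alias", r.runas_groups)
            if "ALL" not in rg and runas_group not in rg:
                continue
        cmds = [c.split()[0] for c in expand(pol, "Cmnd_Alias", r.commands)]
        if "ALL" not in cmds and command not in cmds:
            continue
        verdict = (True, not r.nopasswd)
    return verdict


# Constructed sample policy assembled from the rules shown on this page.
SAMPLE = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL:ALL) NOPASSWD: ALL
Tim         ALL=/sbin/ifup, /sbin/ifdown
%admins     ALL=/sbin/ifup, /sbin/ifdown
User_Alias  REBOOT_USERS = Tim, Tammy, Roger, Dawn
Cmnd_Alias  REBOOT_COMMANDS = /sbin/halt, /sbin/init, /sbin/poweroff, /sbin/reboot, /sbin/shutdown, /sbin/telinit
Host_Alias  REBOOT_HOSTS = 192.168.0.6
Runas_Alias REBOOT_RUNAS = admins
REBOOT_USERS REBOOT_HOSTS=(REBOOT_RUNAS) REBOOT_COMMANDS
"""
POLICY = parse_sudoers(SAMPLE)
```

With this policy, check(POLICY, "Tim", ["users"], "server1", "/sbin/ifdown") returns (True, True): allowed, password required. Roger may reboot only on 192.168.0.6 and only with runas_user="admins"; asking to run it as root, or from server1, is denied, which is exactly the effect of the Host_Alias and Runas_Alias. Tim asking for sudo -g netdev on ifdown is denied because his rule has no runas spec at all. Members of wheel get (True, False) for everything because of NOPASSWD: ALL. An evaluator like this is useful for reviewing a proposed policy before it is installed, but for the authoritative answer on a real host use sudo -l -U USER, which reports what the installed sudo will actually allow.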

 


