    Sudoers file explained

    Overview

    • The sudoers file controls which users may run which commands as which target users on which hosts, and it also configures sudo behaviour.
    • Location: /etc/sudoers (do not edit directly). Use visudo to edit (visudo locks the file and checks syntax).
    • You can drop additional configuration files into /etc/sudoers.d and include them with the built-in #includedir or #include directives.

    Basic file structure and syntax tokens

    • Lines beginning with # are comments.
    • Blank lines are ignored.
    • Fields are generally space- or tab-separated.
    • Keywords and identifiers are case-sensitive.
    • Common keywords: User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias, Defaults, and user specifications.

    Aliases

    • Define groups for reuse.
    • Types:
      • User_Alias NAME = user1, user2, %group, +netgroup
      • Runas_Alias NAME = user1, user2, %group
      • Host_Alias NAME = host1, host2, 192.0.2.0/24
      • Cmnd_Alias NAME = /path/to/command, /path/to/cmd arg1, /bin/sh -c
    • Examples:
      • User_Alias ADMINS = alice, bob, %wheel
      • Cmnd_Alias SYSTEMCTL = /bin/systemctl, /usr/bin/systemctl

    User specifications (the most important lines)

    • General form: who where = (runas) [tag_list:] command_list
      • who: username, User_Alias, %group (groups prefixed with %), +netgroup
      • where: Host_Alias, hostname, IP, or ALL
      • runas: user or Runas_Alias in parentheses, e.g. (root), (www-data)
      • tag_list: optional command tags (NOPASSWD:, PASSWD:, NOEXEC:, SETENV:, etc.)
      • command_list: comma-separated commands or Cmnd_Alias entries
    • Common examples:
      • root ALL=(ALL) ALL
        • root may run any command as any user on any host (typical default)
      • %wheel ALL=(ALL) ALL
        • members of group wheel may run any command as any user
      • alice webservers = (root) NOPASSWD: /usr/sbin/service httpd restart
        • on host(s) in alias webservers, alice may run the listed service command as root without a password
      • bob ALL = (www-data) /usr/bin/tee /var/www/html/index.html
        • bob may run tee as user www-data for that file

    Command tags

    • NOPASSWD: run the command without prompting for the user’s password
    • PASSWD: force password prompt even if NOPASSWD would apply
    • NOEXEC: prevent the command from using exec(3) to spawn new processes (not foolproof)
    • SETENV: allow the user to set environment variables on the command line (VAR=value command) and to preserve their environment with sudo -E for that command, even when env_reset is in effect
    • Examples:
      • alice ALL = NOPASSWD: /bin/systemctl reload nginx
      • %ops ALL = (root) NOEXEC: /usr/bin/less /var/log/*

    Negation

    • You can prefix a command with ! to explicitly disallow it:
      • %staff ALL=(ALL) ALL, !/usr/bin/passwd
    • An explicit negation in a command list prevents that command even if a more general entry would allow it.

    Wildcards and command arguments

    • Commands must be specified with absolute paths.
    • Wildcards/glob characters are allowed in Cmnd_Alias entries (e.g. /usr/bin/apt-get *) but be cautious—globs can expand permissions widely.
    • If you allow a program that permits shell escapes or arbitrary arguments (e.g., editors, shells, tee, find), it is effectively root access.

    Defaults (configuration options)

    • Defaults lines configure sudo’s behavior (environment, logging, timeouts, secure_path, env_keep, etc.).
    • Basic form:
      • Defaults option
      • Per-user: Defaults:username option
      • Per-host: Defaults@hostname option
      • Per-runas: Defaults>runas option
      • Per-command: Defaults!command option
    • Examples:
      • Defaults timestamp_timeout=15
      • Defaults env_reset
      • Defaults:alice !authenticate
      • Defaults@laptop secure_path="/usr/local/bin:/usr/bin:/bin"
    • Many options exist: env_reset, env_keep, secure_path, timestamp_timeout, lecture, log_output, requiretty (deprecated on some systems), etc. See man sudoers.

    Include directives

    • #include /path/to/file — include a single file
    • #includedir /path/to/dir — include all files in a directory (lexicographic order)
    • Use these for packaged or per-package drop-ins such as /etc/sudoers.d/*

    Precedence and security notes

    • More specific Defaults override general Defaults.
    • Order of user specifications matters when you create complex overlapping rules: when several entries match, the last match is used (not necessarily the most specific one), and an explicit negation takes precedence within the line where it matches.
    • Be careful with NOPASSWD and commands that allow shell escapes—these can give a full root shell.
    • Always edit with visudo. You can run visudo -c to check syntax without editing.
    • Keep sudoers and files in /etc/sudoers.d with strict permissions (typically 0440).
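    The user-specification grammar, command tags, negation and the last-match-wins rule described above can be checked against a small policy. The following is an added example written for this page; it is a toy evaluator, not sudo's own parser, and it ignores Defaults lines, host aliases written as networks and the runas group field. The sample policy, the group table (standing in for getgrnam) and all user, host and command names in it are constructed for illustration.

```python
import fnmatch
import re

# Constructed sample policy in sudoers syntax (an illustration, not a file from any system).
SAMPLE_SUDOERS = """\
# constructed sample: aliases, a negation, a NOPASSWD tag and a runas restriction
User_Alias ADMINS = alice, %wheel
Host_Alias WEB = web1, web2
Cmnd_Alias SVC = /bin/systemctl restart nginx, /bin/systemctl reload nginx
Defaults env_reset
root ALL=(ALL) ALL
ADMINS ALL=(ALL) ALL, !/usr/bin/passwd
bob WEB = (root) NOPASSWD: SVC
carol ALL = (www-data) /usr/bin/tee /var/www/html/index.html
"""
# Constructed group table standing in for the system group database: dave is in wheel.
GROUPS = {"wheel": {"dave"}}

# Each tag cancels its opposite when it appears later in the same command list.
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC",
            "EXEC": "NOEXEC", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAG_RE = re.compile(r"([A-Z]+):\s*")


def parse(text):
    """Parse alias definitions and user specifications; Defaults lines are skipped here."""
    aliases = {k: {} for k in ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")}
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        kind = line.split(None, 1)[0]
        if kind in aliases:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unparsable user specification: {line}")
        who, where, runas, cmds = m.groups()
        # (user:group) -> user part only; with no runas list the default target user is root
        runas_list = [r.strip() for r in (runas.split(":")[0] if runas else "root").split(",")]
        cmd_list, tags = [], set()
        for item in (c.strip() for c in cmds.split(",")):
            # a tag applies to its command and to every later command in the list until overridden
            while (t := TAG_RE.match(item)) and t.group(1) in OPPOSITE:
                tags.discard(OPPOSITE[t.group(1)])
                tags.add(t.group(1))
                item = item[t.end():]
            cmd_list.append((item.startswith("!"), item.lstrip("!"), frozenset(tags)))
        specs.append((who, where, runas_list, cmd_list))
    return aliases, specs


def expand(item, table):
    """Yield the leaf members of an alias recursively; a non-alias item is its own leaf."""
    if item in table:
        for member in table[item]:
            yield from expand(member, table)
    else:
        yield item


def user_matches(member, user, aliases):
    for leaf in expand(member, aliases["User_Alias"]):
        if leaf == "ALL" or leaf == user:
            return True
        if leaf.startswith("%") and user in GROUPS.get(leaf[1:], ()):
            return True
    return False


def host_matches(member, host, aliases):
    return any(leaf in ("ALL", host) for leaf in expand(member, aliases["Host_Alias"]))


def runas_matches(members, runas, aliases):
    return any(leaf in ("ALL", runas)
               for m in members for leaf in expand(m, aliases["Runas_Alias"]))


def command_matches(pattern, cmd):
    """Match 'path args' against a rule entry; no args in the rule means any args are allowed."""
    if pattern == "ALL":
        return True
    ppath, _, pargs = pattern.partition(" ")
    cpath, _, cargs = cmd.partition(" ")
    if not fnmatch.fnmatchcase(cpath, ppath):
        return False
    if pargs == "":
        return True
    if pargs == '""':  # an explicit "" in the rule forbids any arguments
        return cargs == ""
    return fnmatch.fnmatchcase(cargs, pargs)


def check(user, host, runas, cmd, policy):
    """Return (allowed, tags). Entries are applied in order and the last match wins,
    so a later !command negation overrides an earlier ALL."""
    aliases, specs = parse(policy) if isinstance(policy, str) else policy
    verdict = (False, frozenset())
    for who, where, runas_list, cmd_list in specs:
        if not (user_matches(who, user, aliases) and host_matches(where, host, aliases)
                and runas_matches(runas_list, runas, aliases)):
            continue
        for negated, item, tags in cmd_list:
            for pattern in expand(item, aliases["Cmnd_Alias"]):
                if command_matches(pattern, cmd):
                    verdict = (not negated, tags)
    return verdict


if __name__ == "__main__":
    for q in [("alice", "web1", "root", "/usr/bin/passwd"),
              ("bob", "web1", "root", "/bin/systemctl restart nginx"),
              ("carol", "db1", "root", "/usr/bin/tee /var/www/html/index.html")]:
        print(q, "->", check(*q, SAMPLE_SUDOERS))
```

Running the queries shows why the ordering note matters: alice is granted ALL by the ADMINS line, yet /usr/bin/passwd is refused because the negation is the last entry that matches; bob's NOPASSWD tag is reported only for the two exact systemctl invocations in SVC; carol's tee rule matches as www-data but not as root.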

    Practical examples

    • Allow members of wheel to run any command:
      • %wheel ALL=(ALL) ALL
    • Allow a service admin to restart nginx without password:
      • alice ALL=(root) NOPASSWD: /bin/systemctl restart nginx, /bin/systemctl reload nginx
    • Allow a user to run a command as another unprivileged user:
      • bob ALL=(www-data) /usr/bin/tee /var/www/html/index.html
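    The include-directive notes and the security notes above (drop-ins under /etc/sudoers.d, strict 0440 permissions, visudo -c for syntax checking) translate into a small pre-deployment check. The following is an added example written for this page, not a tool from the sudo project: it flags drop-in file names that #includedir skips (names containing a "." or ending in "~"), wrong mode or owner, and, when visudo is installed, syntax errors reported by visudo -cf. The demo writes constructed rules into a scratch directory, so it compares the owner against the current user and skips the visudo call, which would otherwise reject non-root-owned files; in real use keep the defaults.

```python
import os
import shutil
import stat
import subprocess
import tempfile


def dropin_problems(path, expect_uid=0, expect_mode=0o440, run_visudo=True):
    """Return the reasons a file is not a usable /etc/sudoers.d drop-in (empty list means OK)."""
    problems = []
    name = os.path.basename(path)
    # #includedir silently skips names containing '.' or ending in '~' (editor backups,
    # package-manager leftovers), so a mis-named drop-in is never loaded at all.
    if "." in name or name.endswith("~"):
        problems.append(f"{name}: name contains '.' or ends with '~'; #includedir will skip it")
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != expect_mode:
        problems.append(f"{name}: mode {mode:04o}, expected {expect_mode:04o}")
    if st.st_uid != expect_uid:
        problems.append(f"{name}: owned by uid {st.st_uid}, expected uid {expect_uid}")
    # Syntax check with visudo -cf when it is installed: one bad drop-in breaks all of sudo.
    visudo = shutil.which("visudo")
    if run_visudo and visudo:
        r = subprocess.run([visudo, "-cf", path], capture_output=True, text=True)
        if r.returncode != 0:
            problems.append(f"{name}: visudo -cf failed: {(r.stderr or r.stdout).strip()}")
    return problems


def write_dropin(directory, name, content, mode=0o440):
    """Create a drop-in with the requested mode and return its path (helper for the demo)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


def demo(directory=None):
    """Write one good and two bad drop-ins into a scratch directory and report on each.

    Files and rules are constructed for illustration; the owner check uses the current
    user and visudo is skipped because the scratch files are not root-owned."""
    directory = directory or tempfile.mkdtemp(prefix="sudoers.d-")
    me = os.getuid()
    rule = "alice ALL=(root) NOPASSWD: /bin/systemctl restart nginx\n"
    good = write_dropin(directory, "10-nginx-admin", rule)
    dotted = write_dropin(directory, "nginx-admin.conf", rule)   # skipped by #includedir
    loose = write_dropin(directory, "20-ops", "%ops ALL=(ALL) ALL\n", mode=0o644)  # too open
    return {os.path.basename(p): dropin_problems(p, expect_uid=me, run_visudo=False)
            for p in (good, dotted, loose)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The dotted name is the case that bites most often in practice: the file is present, readable and syntactically valid, yet sudo never reads it, so the rule silently fails to apply. Run the checker with its defaults (root owner, 0440, visudo enabled) as root on the real directory before relying on a new drop-in.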

    Where to learn more

    • man sudoers — definitive reference with full syntax, tags and examples
    • man visudo — how to safely edit the file