James Gardner

Debain Sudo

Posted in Debian by thejimmyg on the April 30th, 2007

Sudo is one of those command I use quite a lot but I’ve never understood how to properly configure it until today.

All settings are defined in /etc/sudoers but you cannot edit this file directly, instead use the visudo command (but you have to be root first by running su).

The Debian default looks like this:

# /etc/sudoers
#
# This file MUST be edited with the ‘visudo’ command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

To add a new user you can add a line similar to the last one:

james ALL=(ALL) ALL

This would give user james access to run sudo on any host (the first ALL), any command (the third ALL), as any user (the second ALL).

A common alternative setup is to specify something like %wheel ALL = (root) ALL which would mean any user in the wheel group (specified with the %) can run any command as root - using wheel for this purpose is something of a tradition. You can then manually add whichever users you like to the wheel group. Check there isn’t a wheel group already:

cat /etc/group | grep wheel

then add a new group:

addgroup --system wheel

now you can add users to the group:

adduser james wheel

You may need to log out and log in again for the changes to take effect, I didn’t.

Another useful use of sudo is to allow certain users to run certain commands which they wouldn’t ordinarily have permission for.

For example to create a shutdown command you might do this:

# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown

Then you could give permission to a user to have this command like this:

james ALL = SHUTDOWN

You can even set this up so that password is not required when the user james uses sudo:

james ALL = NOPASSWD: SHUTDOWN

This sort of technique is very handy to allow for example a web-based application to run certain very specific commands.


http://www.debianhelp.co.uk/sudo.htm
http://www.debian-administration.org/articles/33
http://netmaking.wordpress.com/2007/03/27/configuring-sudo/

Leave a Reply