Debain Sudo
++++++++++++++

:Posted: 2007-04-30 15:33
:Tags: Debian

Sudo is one of those command I use quite a lot but I've never understood how to properly configure it until today.

All settings are defined in ``/etc/sudoers`` but you cannot edit this file directly, instead use the ``visudo`` command (but you have to be ``root`` first by running ``su``).

The Debian default looks like this::

    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #
    
    Defaults        env_reset
    
    # Host alias specification
    
    # User alias specification
    
    # Cmnd alias specification
    
    # User privilege specification
    root    ALL=(ALL) ALL

To add a new user you can add a line similar to the last one::

    james    ALL=(ALL) ALL

This would give user james access to run sudo on any host (the first ALL), any command (the third ALL), as any user (the second ALL).

A common alternative setup is to specify something like ``%wheel ALL = (root) ALL`` which would mean any user in the wheel group (specified with the %) can run any command as root - using wheel for this purpose is something of a tradition. You can then manually add whichever users you like to the wheel group. Check there isn't a wheel group already::

    cat /etc/group | grep wheel

then add a new group::

    addgroup --system wheel

now you can add users to the group::

    adduser james wheel

You may need to log out and log in again for the changes to take effect, I didn't.

Another useful use of sudo is to allow certain users to run certain commands which they wouldn't ordinarily have permission for.

For example to create a shutdown command you might do this::

    # Cmnd alias specification
    Cmnd_Alias      SHUTDOWN = /sbin/shutdown

Then you could give permission to a user to have this command like this::

    james ALL = SHUTDOWN

You can even set this up so that password is not required when the user james uses sudo::

    james ALL = NOPASSWD: SHUTDOWN

This sort of technique is very handy to allow for example a web-based application to run certain very specific commands.

* http://www.debianhelp.co.uk/sudo.htm
* http://www.debian-administration.org/articles/33
* http://netmaking.wordpress.com/2007/03/27/configuring-sudo/