Debian Sudo
Posted: 2007-04-30 15:33
Tags: Debian
Sudo is one of those commands I use quite a lot but I've never understood how to properly configure it until today.
All settings are defined in /etc/sudoers, but you should not edit this file directly. Instead use the visudo command, which checks the syntax before saving (you have to be root first, by running su).
The Debian default looks like this:
    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults env_reset
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # User privilege specification
    root ALL=(ALL) ALL
To add a new user you can add a line similar to the last one:
james ALL=(ALL) ALL
This would give user james access to run sudo on any host (the first ALL), any command (the third ALL), as any user (the second ALL).
A common alternative setup is to specify something like %wheel ALL = (root) ALL, which means any user in the wheel group (the % marks a group) can run any command as root. Using wheel for this purpose is something of a tradition. You can then manually add whichever users you like to the wheel group.
Check there isn't a wheel group already:
cat /etc/group | grep wheel
then add a new group:
addgroup --system wheel
now you can add users to the group:
adduser james wheel
You may need to log out and log in again for the changes to take effect; I didn't.
Another useful use of sudo is to allow certain users to run certain commands which they wouldn't ordinarily have permission for.
For example, to define a shutdown command alias you might do this:
    # Cmnd alias specification
    Cmnd_Alias SHUTDOWN = /sbin/shutdown
Then you could give permission to a user to have this command like this:
james ALL = SHUTDOWN
You can even set this up so that a password is not required when the user james uses sudo:
james ALL = NOPASSWD: SHUTDOWN
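This sort of technique is very handy for allowing, for example, a web-based application to run certain very specific commands. Keep such rules as narrow as possible, because with NOPASSWD anything running as that account can invoke the listed commands as root.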
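To review entries like the ones above, the following added example (not part of the original post) parses sudoers user specifications into their who/host/run-as/command fields, expands Cmnd_Alias names, and lists accounts that can run every command without a password. It assumes single-line entries of the forms shown in this post, not the full sudoers grammar; the function names and the www-data line are constructed for the example.

```python
import re

# Constructed sample: the entries from this post plus one over-broad line
# (the www-data grant is invented for the example).
SAMPLE = """\
Defaults env_reset
Cmnd_Alias SHUTDOWN = /sbin/shutdown
root ALL=(ALL) ALL
%wheel ALL = (root) ALL
james ALL = NOPASSWD: SHUTDOWN
www-data ALL = NOPASSWD: ALL
"""

# who  host = (runas) NOPASSWD: cmd[, cmd...]   (runas and tag are optional)
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<nopasswd>NOPASSWD:\s*)?(?P<cmds>.+)$"
)
ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SKIP = ("#", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Return one dict per user specification, with Cmnd_Alias names expanded."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        if m := ALIAS.match(line):
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
        elif m := SPEC.match(line):
            specs.append({
                "who": m.group("who"),            # user, or %group
                "host": m.group("host"),
                "runas": m.group("runas") or "root",  # sudo's default target
                "nopasswd": bool(m.group("nopasswd")),
                "commands": [c.strip() for c in m.group("cmds").split(",")],
            })
    # Expand aliases after the whole file is read, so definition order is irrelevant.
    for s in specs:
        s["commands"] = [c for n in s["commands"] for c in aliases.get(n, [n])]
    return specs

def audit(specs):
    """Accounts granted every command with no password prompt."""
    return [s["who"] for s in specs if s["nopasswd"] and "ALL" in s["commands"]]
```

Running `audit(parse_sudoers(open("/etc/sudoers").read()))` as root applies the same check to a live file; files pulled in by include directives are not followed.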