Thursday, September 20, 2012

sudo sudoers cheat sheet

Every few months or so I have to modify the sudoers file, but I forget the syntax and the 'man' gives me headaches
I decided to write down simple examples.




Simple examples


#allow Bob to run 'sudo /bin/fdisk -l' on any machine
bob ALL= /sbin/fdisk -l

#allow Bob to run 'sudo /bin/fdisk -l' on any machine without typing his own password
bob ALL= NOPASSWD: /sbin/fdisk -l

#allow Bob to run 'kill' as Alice: 'sudo -u alice kill <anything>' 
#this lets Bob kill Alice's processes, for example: 'sudo -u alice kill 6432'
bob ALL= (alice) /bin/kill

#same without entering his own password
bob ALL= (alice) NOPASSWD: /bin/kill



Using unix groups


#allow all members of unix group 'bobsfriends' (as defined in /etc/group) 
#to issue the 'kill' command as 'bob'
%bobsfriends ALL= (bob) kill

#allow all member of unix group 'admin'
#to issue any command, as any user
%admin ALL=(ALL) ALL



Using aliases


These are definitions inside the sudoers file to define groups of users, set of commands  etc...
Note: Alias names must be UPPERCASE

#define a simple user group containing Bob and Alice
User_Alias BOB_AND_ALICE = bob , alice
#can be used later used as follows:
BOB_AND_ALICE ALL= /sbin/fdisk -l


#define a set of command to stop or reboot the system
Cmnd_Alias POWEROFFCMDS = /usr/sbin/shutdown,  /usr/sbin/halt, /usr/sbin/reboot
#and let Bob issue all these commands
bob ALL= POWEROFFCMDS


Less useful aliases:
Runas_Alias : As WHO the command may be run (list several users)
Host_Alias : Host list

More complex definitions are possible for groups with wildcards (*) and substraction etc... in this case RTFM


Other notes

  • edit with 'visudo' to auto-validate the file
    change the default editor:  export VISUAL=vi
  • Unless I share the sudoers file, I don't care about the second field which is the host, and always put 'ALL'





No comments:

Post a Comment