I decided to write down simple examples.
Simple examples
#allow Bob to run 'sudo /sbin/fdisk -l' on any machine
bob ALL= /sbin/fdisk -l
#allow Bob to run 'sudo /sbin/fdisk -l' on any machine without typing his own password
bob ALL= NOPASSWD: /sbin/fdisk -l
#allow Bob to run 'kill' as Alice: 'sudo -u alice kill <anything>'
#this lets Bob kill Alice's processes, for example: 'sudo -u alice kill 6432'
bob ALL= (alice) /bin/kill
#same without entering his own password
bob ALL= (alice) NOPASSWD: /bin/kill
Using unix groups
#allow all members of unix group 'bobsfriends' (as defined in /etc/group)
#to issue the 'kill' command as 'bob'
%bobsfriends ALL= (bob) /bin/kill
#allow all members of unix group 'admin'
#to issue any command, as any user
%admin ALL=(ALL) ALL
Using aliases
Aliases are definitions inside the sudoers file that name groups of users, sets of commands, etc.
Note: Alias names must be UPPERCASE
#define a simple user group containing Bob and Alice
User_Alias BOB_AND_ALICE = bob , alice
#can be used later as follows:
BOB_AND_ALICE ALL= /sbin/fdisk -l
#define a set of commands to stop or reboot the system
Cmnd_Alias POWEROFFCMDS = /usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/reboot
#and let Bob issue all these commands
bob ALL= POWEROFFCMDS
Less useful aliases:
Runas_Alias : As WHO the command may be run (list several users)
Host_Alias : Host list
More complex definitions are possible for groups, with wildcards (*), subtraction, etc. In this case, RTFM.
Other notes
- edit with 'visudo' to auto-validate the file
change the default editor: export VISUAL=vi
- Unless I share the sudoers file, I don't care about the second field which is the host, and always put 'ALL'
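A review aid for rules like the ones above, added here as an example (not part of the original notes and not a replacement for visudo's own syntax check): it flags alias names that are not uppercase, commands given without an absolute path, NOPASSWD grants and unrestricted ALL commands. The function name, the finding labels and the sample rules are assumptions made for this example; it only handles simple one-line rules with Cmnd_Alias definitions placed before their use.

```python
import re

# Constructed sample in the style of this page's rules (not from a real host).
SAMPLE = """\
User_Alias BOB_AND_ALICE = bob, alice
User_Alias friends = bob
Cmnd_Alias POWEROFFCMDS = /usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/reboot
bob ALL= NOPASSWD: /sbin/fdisk -l
bob ALL= (alice) /bin/kill
%bobsfriends ALL= (bob) kill
%admin ALL=(ALL) ALL
bob ALL= POWEROFFCMDS
"""

ALIAS = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(\S+)\s*=")
# who  host = (runas) commands   -- the runas part is optional
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # e.g. NOPASSWD:

def lint_sudoers(text):
    """Return (line_number, finding) pairs, in file order, for simple rules."""
    findings, cmnd_aliases = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults", "@include")):
            continue
        m = ALIAS.match(line)
        if m:
            kind, name = m.groups()
            if not re.fullmatch(r"[A-Z][A-Z0-9_]*", name):
                findings.append((n, "alias-not-uppercase"))
            elif kind == "Cmnd":
                cmnd_aliases.add(name)
            continue
        m = SPEC.match(line)
        if not m:
            findings.append((n, "unparsed"))
            continue
        for cmd in m.group(4).split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):  # strip leading tags, note NOPASSWD
                if t.group(1) == "NOPASSWD":
                    findings.append((n, "nopasswd"))
                cmd = cmd[t.end():]
            word = cmd.split()[0].lstrip("!") if cmd else ""
            if word == "ALL":
                findings.append((n, "unrestricted-command"))
            elif not (word.startswith("/") or word in cmnd_aliases
                      or word == "sudoedit"):
                findings.append((n, "command-not-absolute-path"))
    return findings
```

Calling lint_sudoers(SAMPLE) reports the lowercase alias, the NOPASSWD grant, the bare 'kill' and the ALL command, each with its line number.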