SUDO / SUDOERS / VISUDO
- In this exercise a Linux Debian server is used:
1 - Introduction
- sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser.
- It originally stood for "superuser do" as the older versions of sudo were designed to run commands only as the superuser.
- However, the later versions added support for running commands not only as the superuser but also as other (restricted) users, and thus it is also commonly expanded as "substitute user do".
- Unlike the similar command su, users must, by default, supply their own password for authentication, rather than the password of the target user.
- After authentication, and if the configuration file, which is typically located at /etc/sudoers, permits the user access, the system invokes the requested command.
- The configuration file sudoers offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands.
- Installing sudo (in case it is not already installed by default):
- Properties of sudo:
- visudo is a command-line utility that allows editing the configuration file sudoers in a fail-safe manner.
- It prevents multiple simultaneous edits with locks and performs sanity and syntax checks.
- In my Debian system visudo opens nano editor by default, but it could be changed to another preferred editor:
2 - Editing "sudoers" for users
- Editing sudoers and adding a configuration line for the user roch:
- If sudo is not used roch cannot perform the apt-get update command:
- However, now with the new line added to the file sudoers, the command sudo allows roch to update the system:
- Adding another line for the user johndoe. For instance in this example johndoe will be allowed to reload the Apache server:
- Going to the johndoe user account:
- When trying to reload Apache without sudo it fails:
- Using sudo it works:
3 - Editing "sudoers" for groups
- Creating the group team:
- Adding the user johndoe to the group team:
- Checking that the group team has been correctly created:
- Editing sudoers, let's add a line for the group team, allowing its members to update the system without using any password (NOPASSWD option):
- Going back to jonhdoe (member of the group team):
- Not allowed updating without sudo:
- However updating is successful for johndoe with sudo:
4 - Editing "sudoers" for alias
- Editing sudoers and i) creating the group alias TEAMER , ii) adding johndoe:
- Adding the command alias ON_OFF for both reboot and shutdown commands:
- Assigning ON_OFF to TEAMER:
- Going back to johndoe:
- Now johndoe can reboot the system successfully:
5 - Checking sudo configurations for users
- The sudo command with options (-l = list, -U = users) allows to consult the list of allowed/forbidden command for each user:
- Let's see some examples, like users root and johndoe who are part of the sudoers file:
- If the user is not part of the sudoers file, like marie: