Pick a Free OS

User login


Psudo root!

The /etc/sudoers file is where you set the users as well as the programs they are allowed to run using sudo. It must only be edited using visudo(8) and ideally with the -s flag, which does strict syntax checking (sudo will not run if the /etc/sudoers contains errors) and also locks the file against multiple access. visudo does not require vi. An alternate editor can be set using the $EDITOR or the $VISUAL environment variable. The syntax of the sudoers file is extensively documented in the sudoers(5) man page, but it is quite confusing in the beginning.

The important thing to remember is that the sudoers file contains two types of statements.

  • Aliases - Where variables are defined.
  • User Specifications - Specifies who may run what.
  • Alias can be of four types

    • User_Alias - Who can run the program.
    • Runas_Alias - Who should the program be run as (defaults to root).
    • Host_Alias - On which hosts should the program be allowed to run.
    • Cmnd_alias - Commands allowed.
    • Let's create a sample /etc/sudoers file using visudo -s

      We've setup the following simple aliases

      # User alias specification

      User_Alias TRUSTED = cnb, mayank, sacs

      # Cmnd alias specification

      Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/halt

      Cmnd_Alias KILL = /bin/kill, /usr/bin/killall

      Now we put in the User Specification entries.

      # User privilege specification

      root ALL=(ALL) ALL

      ALL ALL=/usr/bin/wvdial


      Note: ALL in the above entries is a reserved sudo word which causes all matches to succeed.

      Let us dissect the first entry

      root ALL=(ALL) ALL

      This entry is in the form of

      User_Spec Host_Spec=(Runas_Spec) Cmnd_Spec

      The first word root is the user who will run the command. The first ALL allows the user to run the command on any host. The next (ALL) allows any user to run the command. And finally, the last ALL allows the user to run any command.

      Thus it implies let root run on any host, as any user, any command.

      The Runas_Spec can be dropped when the required privileges are those of root, as the Runas_Spec defaults to root. Thus in the second line we see,