A setuid program doesn't necessarily mean root access. A setuid program owned by a different user would give you that user's effective id. The sudo program can also change your effective id while it is running- I'll be showing an example of that here.

Finally, setuid and sudo are NOT the same thing as the administrative roles of Unixware or the authorizations and privileges of SCO Openserver. Those are entirely different concepts and I won't be talking about those things in this article.

/etc/sudoers

You use "visudo" to edit the sudoers file. There are two reasons for that- it prevents two users from editing the file at the same time, and it also provides limited syntax checking. Even if you are the only root user, you need the syntax checking, so use "visudo".

We're going to start with the simplest setup of all: giving someone full root access. You might think there's no reason to do this- it would make more sense just to give them the root password, wouldn't it? Well, maybe, but then they can login as root also- with sudo they will have to use the sudo command and we can require a password that IS NOT root's password. Sudo commands can be logged, so we can keep track of what the person did. We can turn their sudo capability on or off at will without affecting other sudo users- no need to change the root password back and forth. This is a great way to keep track of consultants and other support people who may need root power, but you want to keep tabs on what they do. Of course there's a strong implication of honesty here- such a user could edit the sudo logs to hide any mischief.

So, here's a simple /etc/sudoers file (remember, edit with "visudo") to give "jim" access to root commands.

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#

# User privilege specification
root    ALL=(ALL) ALL
jim     ALL=(ALL)       ALL

That's it. With this in place, "jim" can use sudo to run any command with root privileges. Here's "jim" catting /etc/shadow:

[jim@lnxserve jim]$ head -5 /etc/shadow
cat: /etc/shadow: Permission denied
[jim@lnxserve jim]$ sudo head -5 /etc/shadow
Password:
root:$bukQnNBS$dkGDMUTf1.W5r1VE4OYLy.:11595:0:99999:7:::
bin:*:11595:0:99999:7:::
daemon:*:11595:0:99999:7:::
adm:*:11595:0:99999:7:::
lp:*:11595:0:99999:7:::
[jim@lnxserve jim]$ 

Note that "jim" does not get root's PATH; his PATH is used by sudo (with exceptions noted later). If "jim" wanted to run (for example) lpc, he'd have to explicitly do "sudo /usr/sbin/lpc". That's typical, although sudo can be compiled to use its own compiled in PATH instead.

The password requested is NOT root's. In this case, "jim" has to provide his own login password to get sudo to work.

By default, sudo remembers the password for 5 minutes and won't ask again if reinvoked within that time:

[jim@lnxserve jim]$ sudo head -5 /etc/shadow
root:$bukQnNBS$dkGDMUTf1.W5r1VE4OYLy.:11595:0:99999:7:::
bin:*:11595:0:99999:7:::
daemon:*:11595:0:99999:7:::
adm:*:11595:0:99999:7:::
lp:*:11595:0:99999:7:::
[jim@lnxserve jim]$ 

The password behavior is entirely configurable: the password can be set to time out earlier, later, never or to be required always. Additionally, the password requested can be root's instead of their own. Let's change "jim" a bit by adding this line:

# Defaults specification
Defaults:jim    timestamp_timeout=0, runaspw, passwd_tries=1

This changes three things. First, "jim" needs root's password to run sudo (because of "runaspw"). Second, the password will not be remembered (timestamp_timeout), and he gets only one chance to enter it (the default is three tries).

If we set timestamp_timeout to -1, "jim" will only have to prove that he knows the password once. After that, it will not be forgotten, even if he logs out.

Different users can, of course, have different defaults. Here I've changed "jim", and added a new user "linda"

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
Defaults:jim    timestamp_timeout=0 
Defaults:linda  timestamp_timeout=-1, runaspw

# User privilege specification
root    ALL=(ALL) ALL
jim     ALL=(ALL)       ALL
linda   ALL=(ALL)       ALL

Jim and Linda have different defaults. A "Default" not followed by a ":" and a user name will apply to everyone (example further on).

Logging

Now let's add some logging. Without doing anything special, sudo logs authentication failures to syslog, but by adding another default, we can track every command run:

Defaults logfile=/var/log/sudolog

Notice that this time there is no ":". This default therefore applies to everyone.

With this in place, all sudo commands will be logged:

# /var/log/sudolog
Feb 24 06:56:59 : jim : TTY=tty4 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 24 06:58:49 : jim : TTY=tty4 ; PWD=/var/log ; USER=root ; COMMAND=/bin/cat /etc/shadow

There's a limitation though:

[jim@lnxserve jim]$ sudo cat /etc/shadow > /tmp/shadow
Password:
[jim@lnxserve jim]$ sudo cat /var/log/sudo*
Feb 24 06:56:59 : jim : TTY=tty4 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 24 06:58:49 : jim : TTY=tty4 ; PWD=/var/log ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 24 07:02:35 : jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 24 07:02:49 : jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /var/log/sudolog
[jim@lnxserve jim]$ 

The redirection to /tmp/shadow does not show up in the log. That makes perfect sense: redirection is done by the shell before the commands are run, so sudo doesn't even see the redirection at all.

Security

You might at this point suddenly think "Oh no- that means a sudo user could overwrite important files". We haven't limited the sudo users command set yet, but even if we do, what stops them from using such commands to pervert system files or other commands?

Well, remember that the shell does the redirection BEFORE sudo runs. If the redirection can't be done because of permissions, the command will fail.

[jim@lnxserve /tmp]$ sudo date > /etc/shadow
bash: /etc/shadow: Permission denied
[jim@lnxserve /tmp]$

So that's one thing you don't need to worry about. Actually, sudo itself makes reasonable efforts to protect you from malicious michief by a sudo user. Running "sudo -V" as root shows sudo's settings; part of that is environment variables that it will not pass on or that it will check for dangerous content:

Sudo version 1.6.4
... (stuff deleted)
Environment variables to check for sanity:
        LANGUAGE
        LANG
        LC_*
Environment variables to remove:
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        IFS

That's the default list; you can add or subtract from it in /etc/sudoers. Note that if you do add or subtract variables, "sudo -V" doesn't reflect those changes.

Let's try that out with our test user. First, we need a simple shell script that will show us the value of environment variables. I'll call it "showme":

We'll have "jim" try it out before making any changes to sudoers:

[jim@lnxserve jim]$ cat showme
set | grep 
[jim@lnxserve jim]$ export ENV
[jim@lnxserve jim]$ ./showme ENV
BASH_ENV=/home/jim/.bashrc
[jim@lnxserve jim]$ sudo ./showme ENV
SUDO_COMMAND='./showme ENV'

The ENV variable is not picked up by sudo even though it was marked for export. Ordinarily, environment variables would be passed:

[jim@lnxserve jim]$ export BOOP=betty
[jim@lnxserve jim]$ ./showme BOOP
BOOP=betty
[jim@lnxserve jim]$ sudo ./showme BOOP
BOOP=betty
SUDO_COMMAND='./showme BOOP'
[jim@lnxserve jim]$ 

But we can add to the list of variables to discard:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
Defaults:jim    timestamp_timeout=-1, env_delete+="BOOP"

Note the "+=" to ADD to the environment list. If we had just used "=", that would have replaced all of sudo's defaults. You can also use "-=" to subtract a default variable and allow it to be passwd.

Now "jim" won't get BOOP in his sudo environment.

[jim@lnxserve jim]$ sudo ./showme BOOP
SUDO_COMMAND='./showme BOOP'

Sudo also rearranges your PATH internally. That can be a little confusing:

[jim@lnxserve jim]$ cat ./showme
echo "I'm in /home/jim"
set | grep 
[jim@lnxserve jim]$ cat ./bin/showme
echo "I'm in /home/jim/bin"
set | grep 
[jim@lnxserve jim]$ export PATH=".:$PATH"
[jim@lnxserve jim]$ showme PATH
I'm in /home/jim
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin
[jim@lnxserve jim]$ sudo showme PATH
I'm in /home/jim/bin
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin
SUDO_COMMAND='/home/jim/bin/showme PATH'
[jim@lnxserve jim]$ 

Although PATH still shows "." at the beginning, the showme in /bin is what is run by sudo. Internally sudo has ignored the leading "." and moved on to find "showme" in /home/jim/bin. Now let's remove the /home/jim/bin/showme:

[jim@lnxserve jim]$ rm bin/showme
[jim@lnxserve jim]$ sudo showme PATH
sudo: ignoring `showme' found in '.'
Use `sudo ./showme' if this is the `showme' you wish to run.
[jim@lnxserve jim]$ sudo ./showme PATH
I'm in /home/jim
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin
SUDO_COMMAND='./showme PATH'
[jim@lnxserve jim]$ 

Limiting commands

There's more that sudo does to protect tyou from malicious mischief. The :man sudo" pages cover that completely. Let's continue with our examples; it's time to limit "jim" to specific commands. There are two ways to do that. We can specifically list commands, or we can say that jim can only run commands in a certain directory. A combination of those methods is useful:

jim     ALL=    /bin/kill,/sbin/linuxconf, /usr/sbin/jim/

The careful reader will note that there was a bit of a change here. The line used to read "jim ALL=(ALL) ALL", but now there's only one "ALL" left. Reading the man page can easily leave you quite confused as to what those three "ALL"'s meant. In the example above, ALL refers to machines- the assumption is that this is a network wide sudoers file. In the case of this machine (lnxserve) we could do this:

jim     lnxserve=       /bin/kill, /usr/sbin/jim/

So what was the "(ALL)" for? Well, here;s a clue:

jim     lnxserve=(paul,linda)   /bin/kill, /usr/sbin/jim/

That says that jim can (using "sudo -u ") run commands as paul or linda.

This is perfect for giving jim the power to kill paul or linda's processes without giving him anything else. There is one thing we need to add though: if we just left it like this, jim is forced to use "sudo -u paul" or "sudo -u linda" every time. We can add a default "runas_default":

Defaults:jim    timestamp_timeout=-1, env_delete+="BOOP", runas_default=linda

I hope that this introduction will get you started. Now that you have the basics, the man pages for sudo and sudoers should make more sense.

Got something to add? Send me email.

113 comments

More Articles by Tony Lawrence

Find me on Google+

© 2015-02-02 Tony Lawrence

---January 13, 2005

You mignt want to have a look at what "Tidy for FreeBSD" has done to the title of the page, though, 'cos it don't look too tidy, to me!

---January 28, 2005

My fault.. been doing a lot of cleaning up with tidy, but apparently a little too quick and didn't check the errors closely enough.

--TonyLawrence







Fri Mar 25 05:07:33 2005: 233   anonymous


I find this article to be very useful as i always used to think whether is the principle sudo possible and now it became possible ...:). It wud be better if the Security part regarding environmental variables part is more elaborated.... Anyway, thanks for the article as it was useful for me, beginner...



Tue Mar 29 02:39:07 2005: 241   anonymous


Is it possible to specify the list of commands that are not allowed.



Tue Mar 29 10:02:16 2005: 243   TonyLawrence


Yes, it's POSSIBLE to say "these are the commands that you can't run", but it's not a good idea to do so. From the man page:

        jill           SERVERS = /usr/bin/, !SU, !SHELLS 



       For any machine in the SERVERS Host_Alias,
       jill may run any commands in the directory
       /usr/bin/ except for those commands belonging
       to the SU and SHELLS Cmnd_Aliases.

But (also from the man page):

       It is generally not effective to "subtract"
       commands from ALL using the ! operator.  A
       user can trivially circumvent this by copying
       the desired command to a different name and
       then executing that.  For example:



           bill        ALL = ALL, !SU, !SHELLS 



       Doesn't really prevent bill from running the
       commands listed in SU or SHELLS since he can
       simply copy those commands to a different
       name, or use a shell escape from an editor
       or other program.  Therefore, these kind of
       restrictions should be considered advisory
       at best (and rein- forced by policy).

Tue Mar 29 15:25:19 2005: 245   anonymous


Thank you for your response. So if I understand correctly, there is no effective way of subtractinga list of commands?



Tue Mar 29 16:48:18 2005: 246   TonyLawrence


Correct.. list the allowed commands or directory



Wed Dec 28 09:35:42 2005: 1463   channelspace


very nice article! thank you :)



Thu Jan 26 15:50:37 2006: 1568   Dan


Thanks for the article! I was actually trying to configure sudo last night for the first time and got kinda lost with the man pages. Then I found your article and now I can at least configure the sudoers file and test some users capabilities. I am trying to find a solution for my programmers where I don't have to give them the root password as they frequently need to su as another user on the system to troubleshoot their issues. So after going through various newsgroups, it seemed like sudo would be able to accomplish this. Is this assumption correct? Is the syntax "sudo su - 'username'" after I configure the sudoers file w/ the usernames of my programmers? Thanks for your help!



Thu Jan 26 16:16:59 2006: 1569   TonyLawrence


Nope.

They just do

sudo su -

Nothing more.

Or "sudo command"

if you've only given them access to specific commands.

(I'm assuming they want to be root - if it is some other user, then yes, sudo "su -" username would be it)





Sun Jan 29 23:38:41 2006: 1588   Dan


So I configured the sudoers file so when my programmers log in, they type "su - 'username of who they want to be'" and it works! Thanks!

How come there are some files owned by user "8036" and some owned by root in my SUDO directory?

case in point:

-rw-r--r-- 1 8036 system 640 Jan 25 16:56 sudoers
-rw-r--r-- 1 8036 system 60958 Nov 08 10:22 sudoers.cat
-rw-r--r-- 1 root system 57536 Jan 25 16:34 sudoers.man
-rw-r--r-- 1 8036 system 57727 Nov 08 10:22 sudoers.man.in
-rw-r--r-- 1 8036 system 44838 Nov 28 2004 sudoers.pod
-rw-r--r-- 1 8036 system 2902 Feb 12 2004 sudoers2ldif
-rw-r--r-- 1 8036 system 9920 Aug 02 2004 testsudoers.c
-rw-r--r-- 1 8036 system 6350 Jun 06 2004 tgetpass.c
-rw-r--r-- 1 root system 5232 Jan 25 16:36 tgetpass.o
-rw-r--r-- 1 8036 system 1814 Sep 11 2004 utimes.c
-rw-r--r-- 1 8036 system 1195 Nov 08 10:22 version.h
-rwxr-xr-x 1 root system 188507 Jan 25 16:37 visudo



Thanks!



Mon Jan 30 10:25:27 2006: 1589   TonyLawrence


The install had files owned by "8036". You don't have a user with that id.

That's not at all unusual and nothing to be concerned about, though you may want to change these just so it doesn't bite you if you ever do add a user and use that id.





Mon Jan 30 16:26:05 2006: 1591   Dan


Thanks!



Mon Jan 30 17:24:45 2006: 1592   Dan


What line would I put into my sudoers file to restrict users from su'ing to root.

I have user1 in group1 being able to su to other users w/o passwords which is what I want.

But I want to restrict user1 to su to root. They can su to other users but I don't want them to su to root.

right now user1 can su to root w/o a password.

Is there a way to do this?

Thanks!



Mon Jan 30 18:14:44 2006: 1593   TonyLawrence


Sure - see the "Limiting Commands" at the end of the article above.



Mon Oct 9 20:47:41 2006: 2508   anonymous


Nice article. Just what I needed. Though the one liner text boxes are a little irritating to scroll and read through.



Mon Oct 9 21:01:16 2006: 2509   TonyLawrence


Use the "Printer Friendly" link.

See (link) for WHY we have those.



Mon Dec 4 19:33:34 2006: 2687   anonymous


Really nice article. Was really helful
How can I configure sudo so that it will be able to monitor all activities performed by the pseudo administrators and report on any discrepancies.
Cheers



Mon Dec 4 20:02:44 2006: 2688   TonyLawrence


If you enable logging, you can track every command.. but it isn't up to sudo to decide something is a "discrepancy" - that's your job. If you don't want to let someone use a particular command, then configure it so.



Wed Mar 7 06:57:05 2007: 2905   erimin


I wanted to create a user with the access to stop/start apache, so i created this line :

%adminx ALL=NOPASSWD: /etc/rc.d/init.d/httpd

When i login as the user ( which belongs to the "adminx" group ), i got this error message when i issued command "/etc/rc.d/init.d/httpd restart" :

rm:cannot remove `/var/run/httpd.pid' : Permission Denied
Starting httpd:
Touch:cannot touch `/var/locl/subsys/httpd' : Permission Denied

What should i do to enable that particular to stop/start httpd service?



Wed Mar 7 11:50:48 2007: 2906   TonyLawrence


Apache runs as root during startup. This could get pretty complicated.. I think I'd use a setuid wrapper instead..






Wed Jun 20 20:03:20 2007: 3038   yanM


Nice article. Thanks. Is this possible to somehow set a command prompt when working with sudo? Say, I want the prompt to be % how can I set it?



Wed Jun 20 20:21:57 2007: 3039   TonyLawrence


You mean when you start a sudo shell..

Probably - can't think about it right now..



Wed Aug 15 09:59:48 2007: 3078   GermanJulian


(

Thank you I found the sudo article useful. good intro for a beginner :)





Fri Jan 4 17:16:20 2008: 3393   anonymous


Nice article!
I have one qustion:
How can I do so, that userA give permissions to userB to execute some commands, without userA to have access on the permissions on the another users(C,D...) ?



Fri Jan 4 18:34:48 2008: 3394   TonyLawrence


User A can't give permissions - root gives permissions with the conf file. Look at the examples.



Thu Jan 10 21:03:27 2008: 3434   anonymous


I think in this way as sample: userA has permission of #sudo -f /etc/allow/sudoers to allow userB to do something and #sudo -f /etc/deny/sudoers to restore the original config file! Is it possible?
file /etc/allow/sudoers the file with the permissions for userB...
of course userA can never give another permissions to userC.



Sun Jan 27 17:56:03 2008: 3537   pl1sk3n


Great guide but i can't start visudo?
I get this answer; visudo: /etc/sudoers: Permission denied,
Do you have a solution for this?



Sun Jan 27 18:04:42 2008: 3538   TonyLawrence


Are you root?



Sun Jan 27 18:33:25 2008: 3539   pl1sk3n


No i'm not root. If i use sudo ill get the setuid as you now. If i try su it ask for password, i have tried everything and nothing worked.Im totally locked out, can't even fix my internet connection.



Sun Jan 27 18:42:37 2008: 3540   pl1sk3n


No i'm not root. If i use sudo ill get the setuid as you now. If i try su it ask for password, i have tried everything and nothing worked.Im totally locked out, can't even fix my internet connection.



Sun Jan 27 19:07:45 2008: 3541   TonyLawrence


OK, so you were not in sudoers and you've lost your root password? See (link)





Sun Jan 27 19:53:16 2008: 3542   pl1sk3n


I know my password it did not work in su, authentication error. The problem started with a chown command i guess, don't remember exactly what i did wrong.
My ls -l command give this; ---s--x--x 1 keeej root 91776 /usr/bin/sudo. I'm i root anyway? If so how to fix that? Ps sorry about the dubbel posting above Ds



Sun Jan 27 20:06:41 2008: 3543   TonyLawrence


If you are already root, you can just edit the sudoers file directly: visudoers is simply to keep two roots from mucking there at the same time.

sudo should be owned by root: it's setuid (that "s") for the owner - which has to be root.

---s--x--x 1 root root 81644 Jan 14 15:36 /usr/bin/sudo

So if you ARE root:

chown root /usr/bin/sudo







Sun Jan 27 21:11:47 2008: 3544   pl1sk3n


Thank you for your effort but operation denied.
Maybe its time for a reinstall?
Rgds



Sun Jan 27 21:32:11 2008: 3545   TonyLawrence


Or you might try booting to single user and see if you can fix up things there.



Wed Mar 26 14:11:19 2008: 3901   anonymous


very usefull indeed...



Fri Jul 4 18:26:56 2008: 4390   amoe


Thanks for this article, the manpage was extremely intimidating, but this gives me basically everything I need. Respect knuckles.



Sat Jul 5 14:14:45 2008: 4391   MohamedMansour


Nice article! Keep the articles coming :)



Tue Sep 8 09:46:39 2009: 6870   anonymous


Thank you. most helpful. I can understand the meaning of all the ALLs now :)



Tue Oct 13 13:36:26 2009: 7220   MukeshDhiman


Very good !



Tue Nov 3 11:25:52 2009: 7415   Omar


Well done.

Regards

Omar Sattar



Tue Mar 2 13:33:17 2010: 8165   TonyLawrence




Updated sudo packages fix escalation vulnerabilities: (link)



Fri May 14 17:50:17 2010: 8595   Ian




Great article.
You just saved me from spending the rest of the afternoon trying to make sense of the man page.
Thank You!



Sat Jul 10 16:33:41 2010: 8807   bipul




I am using sudo inside a script. When it runs unix command it ask for password and always I have to provide it manually. Is there any way I can provide it dynamically ?
eg :
#!/bin/ksh
sudo cp file1.txt target_dir



Sat Jul 10 16:56:16 2010: 8808   TonyLawrence




You can set it to use no password, you can use the -A option, you can run your script with Expect or you can use a setuid program.



Thu Aug 5 07:24:20 2010: 8875   Navneet




Hi,

I wanted to stop haproxy service using the nagios nrpe plugin. I am able to stop the service using the sudo command from nagios user. But when i try stopping the service from remote nagios server. I am unable to do that.

When i try stopping the service remotely typically a shell script is executed by nagios user on the client machine. But it does not stops the service.

The shell script is as follows:

#!/bin/sh
sudo /etc/init.d/haproxy stop
echo "Stopped HA Proxy"

The output on the remote end is 'Stopped HA Proxy' but exactly the service is not stopped. Whereas if i run the same command in the script or script itself as nagios user. The service is stopped properly.

I will be seeking help.. Thanks is advance

Regards,
NAV



Tue Aug 17 21:42:51 2010: 8907   anonymous




I tried using sudo and was warned that if I continued to use it I would lose important files



Tue Aug 17 21:48:04 2010: 8908   TonyLawrence




Warned by who?

Do you mean the warning that sudo prints the first time you use it??????



Tue Aug 17 22:22:58 2010: 8909   anonymous




Hi,

The first time I used it without success, my computer crashed. The second time, I got the warning. From who, I don't know.



Tue Aug 17 23:15:30 2010: 8910   TonyLawrence




I don't think you should be using sudo and maybe you shouldn't be using Linux at all.



Sat Oct 23 13:03:41 2010: 9055   kimvirith




if you give permission passwd to user so mean that user can change password root also. do you have any solution to protect this?



Sat Oct 23 13:15:49 2010: 9056   TonyLawrence




"do you have any solution to protect this"

Specify the commands you want to allow.



Sat Oct 23 13:28:44 2010: 9057   anonymous




if you allow a sudo user to change password for default user.
this condtion sudo user can change password also.
so how can we solve this problem?



Sat Oct 23 18:12:45 2010: 9058   TonyLawrence




No, that is not the case at all. You have not bothered to read this page, have you? Read the section on limiting commands.







Sun Oct 24 05:25:47 2010: 9060   anonymous




let do it by yourself first.
example: visudo -f /etc/sudoers
tony ALL = ALL NOPASSWD:/usr/bin/passwd
then create alias for user tony to user command passwd
echo "alias passwd="sudo /usr/bin/passwd" >> /home/tony/.bashrc
then tony can use this command to change password root
passwd root
then its allow tony to change password
u ever think about this problem?
hope you reply me soon .. thank you for your information.



Sun Oct 24 11:38:16 2010: 9062   TonyLawrence




If they need to change their own password, they do it while logged in normally, without sudo. You don't LET them run "passwd" with sudo.

That's not entirely foolproof, of course. See (link) for more.











Mon Oct 25 09:52:34 2010: 9065   anonymous




what can we do if like this? if we not allow that user to run sudo how can they run another command?
i can fix alias for that user but that user can run sudo /usr/bin/passwd as well.
if i block sudo that user can not do anything.
can u example for me?
thank you in advance for your response






Mon Oct 25 10:43:28 2010: 9066   TonyLawrence




As is explained right here on this page, you can limit a sudo user to the specific commands you need them to be able to run. As explained in the other link I gave you, you do have to be careful that none of those commands give shell access.

Life is not perfect. When you trust people with power because they need it for some task, you always run some risk that they will abuse that power.

I think your basic issue is that you have not really read this page or the sudo man page and therefore do not understand what I have been trying to tell you. Read the section on Limiting Commands above and also that other link I gave you.

In the example I gave in Limiting Commands, Jim can't run just "sudo". He can't get a shell. He CAN run "sudo kill" or "sudo linuxconf" and the commands in /usr/sbin/Jim (which presumably he cannot write to) but that's it. He wouldn't be able to run "sudo passwd root" or "sudo passwd" anything.

If you still do not understand this, I can't offer you anything more. You need to READ.





Sat Dec 11 01:04:57 2010: 9158   albeba




Hi,
In effect nice article, i'm trying to give rights to a beginner user on "/etc/init.d/networking restart" cause we have a realy bad (public wifi) connection and need to regularly have a dhcp request done to the provider...
(the fact is that the "Network manager" of Gnome crashes sometimes so a networking restart is the more efficient to arrange it)

So i thought about adding this line to my sudoers file:

theuser themachine= /etc/init.d/networking restart

but i have a permission denied when theuser runs /etc/init.d/networking restart :

Reconfiguring network interfaces...ifdown: failed to open statefile /etc/network/run/ifstate: Permission denied
ifup: failed to open statefile /etc/network/run/ifstate: Permission denied
failed.









Sat Dec 11 01:57:08 2010: 9159   TonyLawrence




The user has to run

sudo /etc/init.d/networking restart



Fri Jul 15 01:51:30 2011: 9621   Gora




Hi,
Thanks a lot for the easy to understand article.
I have configured sudo and its working as its suppose to, no problem there.
however, I am getting a small glitch (weird actually) when I do "visudo -s sudoers".
when I try to save the file visudo returns with " what now?" though visudo doesn't throw any format errors along with it, just "what now" as if its the default option. I do a "Q" to save the file and sudo works perfectly afterwards, but as per my understanding visudo should not return with "what now?" if there aren't any errors and should save the file directly.
Any help will be much appreciated.



Thu Jul 28 01:44:05 2011: 9654   rahul




Hi, i have a particular user with sudo permissions, but enable to find his entry in visudo file. so how did he got that sudo effects and were can i disable his sudo entry. plz respond......

Thx in advance...........



Thu Jul 28 10:18:44 2011: 9655   TonyLawrence




Why do you say he has sudo permissions?



Tue Aug 16 12:27:43 2011: 9715   Will




Hi, I'm new to sudo so please excuse my pundit question. Can I, with sudo, enable a user to run all commands in an environment but only on specific directories. An example, we have websphere admins who need root access to do their software deployments. The WAS application/install/deployments all resides on a non-OS filesystem/directory. The users however need to be able to use rm/chmod/vi/ln commands and much more within this directory. Now, what I know I can do, is to list all hundred commands to be used, or is there an easier way? In short, I want the users to be able to do what they want anywhere on the system but systems directories and files.
TX



Tue Aug 16 12:44:09 2011: 9716   TonyLawrence




No, you'd be better to give specific permissions to those directories. See (link)



Wed Aug 31 09:17:30 2011: 9757   Michel




Thanks Tony for this nice article !

One question more :
I access a program via a web page who ask for a root account in order to run.
I log first to the server and then sudo but when I access the web page, my sudo user can't log.
Is there a way to log as a sudo user on the web page and make the program run ?

Regards,
Michel



Tue Oct 4 12:35:29 2011: 9899   anonymous




I have a command like xm console <hostname> I added xm console to the sudoers files and at the prompt I am typing xm console <actual-hostname>.
It is not executing the command.Can you please tell why this could be happening.



Tue Oct 4 12:47:57 2011: 9900   TonyLawrence




No. Just add "xm".



Tue Oct 4 17:16:11 2011: 9901   TonyLawrence




If you want something that only does "xm console", you need to create another command that does that and passes the other argument and add THAT to sudoers.



Fri Oct 7 08:50:18 2011: 9930   anonymous




Hi ,
Can you please explain with an example.What I understand is create a alais for the xm console command and they pass the hostname from the command line is that right.



Fri Oct 7 13:21:14 2011: 9938   TonyLawrence




No, you don't want an alias. You want an actual script or executable.



Wed Oct 19 13:08:15 2011: 10044   olemp




hi, i prevented the "su" command from sudo users. i want prevent the sudo user to become root or any other user. but with "sudo vi" command user is able to execute shell command and with "!bash" command user become root...how can i prevent this (without restricting the vi editor).thank you...



Wed Oct 19 14:19:50 2011: 10045   TonyLawrence




See the manual and search for "shell escapes".

(link) for example (though you have 'info sudoers' also)



Fri Oct 21 11:09:53 2011: 10052   IMRAN




Hi ,
i installed sudo in Sun blade T6320 server & also edit visudo file for user entry and syslog.conf file for log checking .But i am unable to see sudo log(What command were run by sudo user)...........



Fri Oct 21 11:20:02 2011: 10053   TonyLawrence




Did you remember to modify syslog.conf (sudo logs to local2 by default, see your sample.syslog.conf file in your sudo fules)?

You'd need to signal syslogd after that, too.






Mon Oct 31 17:40:50 2011: 10101   MarcCahill




If you sudo a job as another user my_target_user, and the initial unix session you invoked the sudo command terminates, does the script you submit under the target user terminates too ? or will it run under its own sheell under the target user you sudo to ?



Mon Oct 31 17:56:42 2011: 10102   TonyLawrence




Use "nohup".



Mon Nov 21 10:27:05 2011: 10212   IMRAN




hi ,
After restart the service(svcadm restart system-log)and editing syslog.conf file.I am able to see the log(User login details) in /var/log/sudo.log
But unable to see the what's command fired by perticular user...






Mon Nov 21 10:43:25 2011: 10214   TonyLawrence




You've missed something or didn't use visudo..



Mon Jan 2 13:05:10 2012: 10430   anonymous




Is there a way to get the actual user name using the sudo user name ?



Mon Jan 2 13:21:12 2012: 10431   TonyLawrence




Did you read the section on logging? The name appears in the logs.



Tue Jan 3 06:23:36 2012: 10436   anonymous




I am not the admin and will not know anything about the logs(location) in sudoer file. Apart from logs, is there any other way to get the actual user from sudo user name ?



Tue Jan 3 11:43:33 2012: 10438   TonyLawrence




You are not making sense. If you aren't an administrative user, of course you have no access to what other people did.







Thu Jan 26 09:30:53 2012: 10506   anonymous




Hi we have the environment where we have shell access through sudo which we dont change.here I have a query how we can audit the logs for the sudo user.
so we want after doing sudo what user do , evertying should be logged .
for example:
$ sudo bash
now i am as root so what ever I do how we can get it logged
Please suggest how we can get this possible



Thu Jan 26 14:48:40 2012: 10509   anonymous




Did you read the article or just jump down to ask your question??



Fri Mar 23 10:01:55 2012: 10767   Kuldeep




Hi,
I wanted to restrit the user to run the init command but i want to give them permission the can copy and delete the file with the help of sudo. pls help me regarding same.
Thanks in advance.



Fri Mar 23 10:46:26 2012: 10769   TonyLawrence




I'm sorry - I don't understand what you want.



Mon Apr 23 20:45:19 2012: 10883   anonymous




I give you props for answering all of the questions, and I like the comment to anonymous about (s)he should not be using unix. Great comment.
Just imagine if everyone actually read the article first before asking questions, you would have nothing to do other then to receive praise ;)



Mon May 14 13:33:34 2012: 10953   kashif




Good Article,
I have a question. Is there any possibility that the user can only access sudo nano /etc/myserver.conf and must not edit files like sudo nano /etc/passwd, sudo nano /etc/myserver.conf, etc.
Thanks



Mon May 14 15:54:52 2012: 10954   TonyLawrence




Not easily. You'd need to have an editor that doesn't allow you to read or write any other file. You could edit source to make such a thing, of course.



Mon Jul 23 06:41:28 2012: 11213   sri




Lawrence, could u pls tell me how to disable access for more than 1 user at a time in /etc/sudoers file, I know by manually edit the file(visudo) and comment out (#)..

Is there any way to do by scripting, since I have to disable access for more than 20 users, It is eating more time with manual edit of file and do comment out every time.



thanks in advance...



Mon Jul 23 10:59:22 2012: 11214   TonyLawrence




Yes, you could do it with a script. No, I'm not going to write such a script for you.







Thu Aug 2 09:39:20 2012: 11226   Prashant




Want to restrict chmod & chown command to run by user using SUDO permission in a specific directory only?

I can run these command by SUDO system-wide, but on server I want to give access to these commands in /var/www/html directory only.

How to restrict to run commands in specific directory through SUDO?






Thu Aug 2 09:53:36 2012: 11227   TonyLawrence




"restrict to run commands in specific directory"

Can't be done with just sudo. Difficult to do, period. You'd need to replace the chown/chmod commands and let the user run THOSE with sudo and writing those to cover every case will NOT be easy.



Fri Sep 21 15:17:07 2012: 11341   AM




I just had to do my last SCO Openserver migration, we need to have certain acocunts have the ability to run commands using asroot. I have it setup, but when I login as myself and not as root I tried to run a 'w' cmd. The only users that showed up as logged in were me. When I do it as root, no big deal. Thoughts?

Thanks in advance!



Fri Sep 21 19:58:23 2012: 11343   TonyLawrence




asroot and sudo are wary of privilege escalation.. or maybe you have wrong perms on the wtmp files.



Fri Oct 19 15:25:50 2012: 11390   anonymous




This article is great for configuring sudo. But show an actual example of using sudo please.



Fri Oct 19 15:42:25 2012: 11391   TonyLawrence




There are several examples in the article - quite a few, in fact. Did you actually READ it?



Fri Nov 30 14:17:16 2012: 11449   Ritendra




Great article, keeping in mind the complicated nature of sudo setup per se. Nice explanation too over how the changes will behave.



Tue Mar 5 16:27:51 2013: 11930   lou




hi there, just want to say thanks for this article and all the comments too. I think i'm nearly there in solving this. I'm trying to rsync apache logs from a remote to a local server and in my sudoers file have this
loguser ALL= /usr/bin/rsync, /usr/bin/tail, /var/log/httpd
but i also need to allow loguser to change directory and when I run my rsync file i get this:-
sending incremental file list
rsync: change_dir "/var/log/httpd" failed: Permission denied (13)

What do i need to add to allow 'change_dir' for loguser? Hope you can advise. Thanks Lou



Thu Aug 15 01:33:33 2013: 12262   anonymous




Hello I installed minecraft using sudo thinking that was how things were installed (im new to linux). Well now im trying to uninstall it but it has a little lock on the minecraft icon and I cannot uninstall it. I read somewhere else that I had to go to properties then permissions and change what I was allowed to do, but I cant change anything and at the bottom of the window it says "You are not the owner, so you cannot change these permissions" please help.



Thu Aug 15 09:51:20 2013: 12263   TonyLawrence




Did you try removing it with sudo?



Fri Aug 16 16:43:39 2013: 12264   TonyLawrence




Lou - I was sure I had answered your question earlier, but I see not.

I think that you are sudo'd on one side, but not the other.. the sudo does not pass through to the other rsync; you only have the perms of the rsync account you used.



Sat Feb 22 08:40:46 2014: 12421   Karn




This arctical Simply Great!

One Question Lawrence , Can we read the setuid or Binary Files by any means ?
-Karn



Sat Feb 22 11:31:14 2014: 12422   TonyLawrence




You can see the setuid bits with "ls -l". The "file" command can help you determine whether a file is text or not.



Thu Dec 18 17:08:47 2014: 12588   azam




Hi, I have quick question I am trying to setup a script to find the sudo privileges for all users on a server, I am facing an issue with command "sudo -l -U username" on specifically sudo version 1.6xx (the command works fine with sudo versions 1.8x or later). Not sure what other options we have to get the sudo privileges for other users, please share if I can use some other flags on all sudo versions. Thanks in advance!!

Sudo version 1.6.7p5
server1# sudo -l -U amohamme
sudo: Illegal option -U
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
[-u username/#uid] -s | <command>

server2:/# sudo -V |head -1
Sudo version 1.8.9p5
server2:/# sudo -l -U amohamme
User amohamme may run the following commands on txcomregappqa51:
(ALL) NOPASSWD: /usr/bin/su -, /usr/bin/su - root, /bin/su -, /bin/su - root








Thu Dec 18 18:56:40 2014: 12589   TonyLawrence




It's not a quick question for me - I have no idea about version specific bugs. Someone else reading this might know, though I bet chances are slim.



Mon Feb 2 11:32:19 2015: 12607   Dinesh




$ sudo -l
Matching Defaults entries for dineshr on this host:
logfile=/var/log/sudo.log, syslog=auth, syslog_badpri=notice, syslog_goodpri=notice

User dineshr may run the following commands on this host:
(root) NOPASSWD: /bin/su - dedw_adm

I'm new to Unix. How could i use this sudo access further for informatica related stuffs.



Mon Feb 2 14:03:22 2015: 12608   TonyLawrence




I have no idea what "informatica related stuffs" means. Read the article.

------------------------

---

Printer Friendly Version

Site map     |      Disclaimer

Using sudo Copyright © February 2002 Tony Lawrence

Related Articles

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version