Ah, `sudo`, the bane (and the best friend!) of sysadmins everywhere.

Let's face it: `sudo` is a great way to allow normal users to perform just a very, very tiny slice of system operations. But it's also very tough to configure correctly.
First of all, a word of warning: always use the `visudo` command to edit the `/etc/sudoers` configuration file. While not perfect, `visudo` at least provides a few checks that can catch problems in the configuration.

Now, another way to check that a user has been correctly configured is to use the `-l -U` options of `sudo`:
    root# sudo -l -U vega
    Matching Defaults entries for vega on this host:
        requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

    User vega may run the following commands on this host:
    root#
OK, what's wrong? User `vega` has no commands displayed following the message `User vega may run the following commands on this host:`. And, of course, commands are configured for this user!
What is even more scary is that you cannot even try to use sudo with this user!
    root# su - vega
    vega$ sudo /mdev/reset_env
    Sorry, user vega may not run sudo on localhost.
    vega$
Oh boy... Actually, this is fairly simple to solve: just add the proper hostname to the sudo configuration. Here, I have added it to the "Alias" named `MACHINE` in `/etc/sudoers`:
    root# hostname
    galactus.mdev.net
    root# grep MACHINE /etc/sudoers
    Host_Alias MACHINE = galactus.mdev.net, localhost
    XVEGA MACHINE = (root) NOPASSWD: PURGE
Let's detail this a little bit:

- We run the `hostname` command, and we get: `galactus.mdev.net`.
- Using `visudo`, that name has been added to the `MACHINE` alias (actually a `Host_Alias`) in `/etc/sudoers`.
- The `XVEGA` line contains: the `XVEGA` user alias, the `MACHINE` host alias, `(root)`, which is the user executing the commands, `NOPASSWD`, to allow all users defined in `XVEGA` to execute commands without entering a password, and `PURGE`, which is the alias for all the commands allowed.

In other words, you should always define the following aliases in `/etc/sudoers`:
    root# grep _Alias /etc/sudoers | grep -v ^#
    Host_Alias MACHINE = galactus.mdev.net, localhost
    User_Alias XVEGA = john, patrick, peggy, vega
    Cmnd_Alias PURGE = /mdev/reset_env, /mdev/deploy_mdev.sh, /etc/init.d/mdev3
In the example shown above, we therefore have 4 users (john, patrick, peggy and vega) who can run 3 commands on the host `galactus`.
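The failure above came from a host name missing from the `Host_Alias`, and the only symptom was an empty `sudo -l -U` listing. The following POSIX shell script is an added example (not from the original post) that reads a sudoers-style file, joins backslash-continued lines, skips comments, and reports which `Host_Alias` entries cover a given host name and which user specification lines therefore apply on it. It assumes the `Host_Alias` / `User_Alias` / `Cmnd_Alias` syntax shown above and runs against a constructed sample file, never against the real `/etc/sudoers`; the function names and the sample rule for `/usr/bin/uptime` are my own.

```shell
#!/bin/sh
# Added example: diagnose "user may not run sudo on <host>" by checking which
# Host_Alias entries (and which rules) in a sudoers-style file cover a host name.

# Print the names of Host_Alias entries that list HOST (or ALL), one per line.
# Usage: host_aliases_covering FILE HOST
host_aliases_covering() {
    awk -v host="$2" '
        # Join backslash-continued lines into one logical line.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { $0 = buf $0; buf = "" }
        /^[[:space:]]*#/ { next }
        $1 == "Host_Alias" {
            # Line shape: Host_Alias NAME = host1, host2, ...
            line = $0
            sub(/^[[:space:]]*Host_Alias[[:space:]]+/, "", line)
            split(line, parts, "=")
            name = parts[1]; gsub(/[[:space:]]/, "", name)
            n = split(parts[2], hosts, ",")
            for (i = 1; i <= n; i++) {
                h = hosts[i]; gsub(/[[:space:]]/, "", h)
                if (h == host || h == "ALL") { print name; break }
            }
        }' "$1"
}

# Exit 0 if HOST is listed in at least one Host_Alias of FILE, 1 otherwise.
# Usage: host_covered FILE HOST
host_covered() {
    [ -n "$(host_aliases_covering "$1" "$2")" ]
}

# Print the user specification lines in FILE whose host field is HOST, ALL,
# or a Host_Alias that lists HOST. Usage: specs_for_host FILE HOST
specs_for_host() {
    aliases=$(host_aliases_covering "$1" "$2" | tr '\n' ' ')
    awk -v host="$2" -v aliases="$aliases" '
        BEGIN {
            n = split(aliases, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            ok[host] = 1; ok["ALL"] = 1
        }
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { $0 = buf $0; buf = "" }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        {
            # User spec: USERLIST HOSTLIST = (RUNAS) ... ; $2 is the host list
            # (a comma-separated host list must be written without spaces here).
            m = split($2, hs, ",")
            for (i = 1; i <= m; i++) if (hs[i] in ok) { print; break }
        }' "$1"
}

# Write a constructed sample sudoers file (mirrors the aliases in the post,
# plus one hypothetical direct rule for vega). Usage: write_sample_sudoers FILE
write_sample_sudoers() {
    printf '%s\n' \
        '# constructed sample, not a real /etc/sudoers' \
        'Host_Alias MACHINE = galactus.mdev.net, \' \
        '    localhost' \
        'User_Alias XVEGA = john, patrick, peggy, vega' \
        'Cmnd_Alias PURGE = /mdev/reset_env, /mdev/deploy_mdev.sh, /etc/init.d/mdev3' \
        'Defaults requiretty' \
        'XVEGA MACHINE = (root) NOPASSWD: PURGE' \
        'vega ALL = (root) /usr/bin/uptime' > "$1"
}

# Demo on the constructed sample: the host from the post is covered by MACHINE,
# a host missing from the alias only gets the ALL rule.
sample=$(mktemp)
write_sample_sudoers "$sample"
echo "Host aliases covering galactus.mdev.net:"
host_aliases_covering "$sample" galactus.mdev.net
echo "Rules applying on other.mdev.net:"
specs_for_host "$sample" other.mdev.net
rm -f "$sample"
```

Run it as `sh check_sudoers_host.sh`; to inspect a real file, call `specs_for_host /etc/sudoers "$(hostname)"` as root, and compare the result with what `sudo -l -U` prints for the user. An empty alias list for the host is exactly the situation the post describes, and is worth checking before assuming the user or command aliases are at fault.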
And the command at the beginning is now working correctly:
    root# sudo -l -U vega
    Matching Defaults entries for vega on this host:
        requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

    User vega may run the following commands on this host:
        (root) NOPASSWD: /mdev/reset_env, /mdev/deploy_mdev.sh, /etc/init.d/mdev3
Much better - I hope this helps!