What is Sudo? (Switch User and do)


About

sudo is a command-line utility whose name combines:

  • su: switch user
  • do: execute a command

In other words, it executes a command as another user (i.e. it is a proxy authentication utility).

Authorization

It determines who is an authorized user, and what that user may run, by consulting the sudoers configuration files.

Example

sudo -E -i -H -u UserOtherThanRoot

where:

  • -H: sets the HOME environment variable to the home directory of the target user
  • -u: runs the command as the specified user instead of root
  • -E: preserves the environment of the invoking user (only honoured if the security policy allows it)
  • -i: runs the target user's shell as a login shell, so that user's login environment files are read

Configuration Files

sudoers syntax

The sudoers file is composed of two types of entries: aliases (described in the Alias section) and user specifications (described in the User specification section).

When multiple entries match for a user, they are applied in order, so the last matching entry is the one that takes effect.


Alias

Aliases are basically named variables that can be used in a user specification.

User_Alias

User_Alias ADMINS = jsmith, mikem
User_Alias WEBMASTERS = will, wendy, wim

Runas_Alias

Runas_Alias - determines the user and/or the group that a command may be run as.

Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper

Example with a user specification:

dgb boulder = (ADMINGRP) /bin/ls, (root) /bin/kill, /usr/bin/lprm

The user dgb may run on the host boulder:

  • /bin/ls as ADMINGRP,
  • /bin/kill, and /usr/bin/lprm as root

i.e.

sudo -u oper /bin/ls
sudo -u adm /bin/ls
sudo /bin/kill

Host_Alias

Host_Alias SERVERS = master, mail, www, ns

Cmnd_Alias

Cmnd_Alias: a command alias defines one or more glob expressions that must match the command entered for it to be allowed to run.

The alias name must be in uppercase.

Example:

  • The kill command with any arguments:

Cmnd_Alias KILL = /usr/bin/kill*

  • All shells:

Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh

User specification

User specifications specify who may run what.

Syntax:

user MACHINE=COMMANDS

user MACHINE=(AS) TAGS COMMAND

For the exact grammar (in EBNF), see the sudoers man page and search for the section User specification.

Example:

%wheel	ALL=(ALL) NOPASSWD: ALL

every user in the group wheel may run:

  • on any machine: ALL (machine)
  • as any user: (ALL) (run as)
  • without any password: NOPASSWD: (tag)
  • any command: ALL (command)
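To show how the alias and user-specification syntax above is actually evaluated, here is an added example (not code from the page or from the sudo project): a small Python checker that expands the four alias kinds, understands ALL, %group entries and the NOPASSWD:/PASSWD: tags, and applies the rule that when several entries match, the last match wins. The sudoers text and the group table are constructed from the entries shown on this page; it deliberately ignores Defaults, #include directives and nested aliases.

```python
import fnmatch, re
SAMPLE_SUDOERS = """\
User_Alias  ADMINS = jsmith, mikem
Runas_Alias ADMINGRP = adm, oper
Host_Alias  SERVERS = master, mail, www, ns
Cmnd_Alias  KILL = /usr/bin/kill*
%wheel      ALL=(ALL) ALL
dgb         boulder = (ADMINGRP) /bin/ls, (root) /bin/kill, /usr/bin/lprm
ADMINS      SERVERS=(root) NOPASSWD: KILL
powercenter ALL=(ALL) NOPASSWD: /sbin/service infa start
jsmith      mail=(root) /usr/bin/kill
"""  # constructed sample built from the entries shown on this page
GROUPS = {"wheel": {"testuser", "sshuser"}}  # constructed view of /etc/group

def parse(text):  # -> (aliases, [(user, host, [(runas, nopasswd, cmd), ...]), ...])
    aliases, specs = {k: {} for k in ("User", "Runas", "Host", "Cmnd")}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # comments only; #include is not handled
        if m := re.match(r"(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)", line):
            aliases[m[1]][m[2]] = [v.strip() for v in m[3].split(",")]
        elif m := re.match(r"(\S+)\s+(\S+?)\s*=\s*(.*)", line):
            runas, nopasswd, cmds = "root", False, []  # per-entry defaults
            for item in (i.strip() for i in m[3].split(",")):
                if item.startswith("("):  # a (runas) or a tag sticks to later items
                    runas, item = (s.strip() for s in item[1:].split(")", 1))
                if item.split(":")[0] in ("NOPASSWD", "PASSWD"):
                    nopasswd, item = item.startswith("NO"), item.split(":", 1)[1].strip()
                cmds.append((runas, nopasswd, item))
            specs.append((m[1], m[2], cmds))
    return aliases, specs

def cmd_ok(pat, cmd):  # glob on the path; args must be equal when the rule lists any
    (pp, _, pa), (cp, _, ca) = pat.partition(" "), cmd.partition(" ")
    return fnmatch.fnmatch(cp, pp) and (not pa or pa == ca)

def matches(aliases, kind, spec, value):  # ALL matches anything; %group checks membership
    if spec == "ALL" or (spec.startswith("%") and value in GROUPS.get(spec[1:], ())):
        return True
    vals = aliases[kind].get(spec, [spec])  # an alias name or a literal (no nesting)
    return any(cmd_ok(p, value) for p in vals) if kind == "Cmnd" else value in vals

def check(text, user, host, command, runas="root"):  # None: denied; True: NOPASSWD; False: password
    aliases, specs, result = *parse(text), None
    for suser, shost, cmds in specs:
        for srunas, nopw, cmd in cmds:
            if all((matches(aliases, "User", suser, user), matches(aliases, "Host", shost, host),
                    matches(aliases, "Runas", srunas, runas), matches(aliases, "Cmnd", cmd, command))):
                result = nopw  # keep scanning: in sudoers the last match wins
    return result
```

Note the jsmith entry on host mail: it matches after the ADMINS entry and carries no NOPASSWD tag, so on that host jsmith is prompted for a password again, which is exactly the last-match behaviour to keep in mind when auditing a sudoers file.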

sudoers files

/etc/sudoers

The default security policy is sudoers, which is configured via the file /etc/sudoers, or via LDAP.

Open the sudoers file

sudo visudo

/etc/sudoers.d/

The last line of the /etc/sudoers file includes the additional configuration files that can be dropped into the directory /etc/sudoers.d/.

That last line is not a comment. A comment in the sudoers file has a space after the hash sign, whereas #includedir is a directive (newer sudo versions also accept the @includedir spelling).

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

For example, on Azure the guest agent adds a file named waagent to that directory, containing:

sshuser ALL=(ALL) NOPASSWD: ALL

/etc/sudo.conf

The configuration of the sudo front end itself (which security policy and I/O logging plugins to load, and related settings) is in the file /etc/sudo.conf; the rules about who may run what stay in sudoers.

Management


wheel / sudo admin group

If the wheel line is uncommented, the wheel group becomes an admin group.

## Allows people in group wheel to run all commands
%wheel	ALL=(ALL) ALL

Any user in the group wheel can run any command on any host as any user (after entering their own password, since this line carries no NOPASSWD tag).

Example:

cat /etc/group | grep wheel
wheel:x:27:testuser,sshuser

Allow a user to run a command

In a sudoers file add the following rules:

userName ALL=(ALL) NOPASSWD: /full/path/to/command
# or with the alias command named ALIAS_CMD
userName ALL=(ALL) NOPASSWD: ALIAS_CMD
# or
userName ALL=(ALL) NOPASSWD: /full/path/to/command ARG1 ARG2

Example: allow the powercenter user to start and stop its services:

powercenter  ALL=(ALL) NOPASSWD: /sbin/service infa start
powercenter  ALL=(ALL) NOPASSWD: /sbin/service infa stop

Disable password prompt

Disable the password prompt for all commands.

  • Open the sudoers file:

sudo visudo

  • Append the following line at the bottom of the sudoers file:

<username> ALL=NOPASSWD: ALL

  • Save the file and exit the editor.
  • Log out and log in to apply the changes.

Test if allowed

Run sudo with the -l flag (list the commands the invoking user may run) or the -v flag (validate the user's credentials without running a command).

Example with the su command

sudo -l su
[sudo] password for gerard:
/bin/su

If a user who is not listed in the sudoers file tries to run a command via sudo without the -l or -v flags, mail is sent to the proper authorities, as defined at configure time or in the sudoers file (defaults to root).
