BSD DevCenter


Eliminating Root with Sudo

If visudo finds an error when you exit the editor, it will print out the line number and ask you what you want to do.

# visudo
>>> sudoers file: syntax error, line 44 <<<
What now?

Here, we've made an error on line 44. You have three choices: edit the file again, quit without saving any of the changes you made, or force visudo to write the sudoers file you created.

If you press e, visudo will send you back to the editor. You can go to the line it complained about, and try to find your error.

If you enter x, visudo will quit and revert the configuration file to what it was before you started editing. Your changes will be lost, but that may be all right. It's better to have the old, working configuration than a new, non-functional one.

Entering Q forces visudo to accept the file, syntax error and all. If your configuration file has an error, sudo will not run. Essentially, you're telling visudo to break sudo until such time as you log in as root to fix the problem. This is almost certainly not what you want to do!

The sudoers file tells sudo who may run which commands as which users. OpenBSD stores the sudoers file as /etc/sudoers; FreeBSD stores it as /usr/local/etc/sudoers. Never edit this file directly, even if you think you know exactly what change you want to make; always use visudo(8).

The sudo permissions syntax can be confusing until you understand it. Getting everything correct can be difficult the first time. Once you understand how sudo sets things up, however, it's very quick and easy.

The various sample sudoers files you'll find on the Internet frequently look quite complicated and difficult to understand, as they demonstrate all the nifty things you can do with sudo. The basic syntax is very simple. Each rule entry in sudoers has the following format.

username 	host = command

The username is the username of the user who may execute the command.

host is the hostname of the system where this rule applies. sudo is designed so you can use one sudoers file on all of your systems. This space allows you to set per-host rules.

The command field lists the commands this rule applies to. You must have a full path to each command name, or sudo will not recognize it! (You wouldn't want people to be able to adjust their $PATH variable to access renamed versions of commands, now would you?)

sudo defaults to not allowing anything to happen. To let a user run a command, you must create a rule that gives that user permission on that host to run that command. If any of the three fields don't match, the user cannot run the command.

You can use the ALL keyword in any of these fields to match all possible options. For example, suppose I trust user "chris" to run absolutely any command as root, on any system.

chris		ALL = ALL

Giving a junior system administrator total control of one of my systems isn't very likely. As senior system administrator, I should know what commands Chris needs to run to do his job. Suppose Chris is in charge of the nameserver portion of this system. We control actual editing of the zone files with group permissions, but that won't help when the nameserver must be started, reloaded, or stopped. Here, I'll give him permission to run just the name daemon controller program, ndc(8).

chris		ALL = /usr/sbin/ndc

If I'm sharing this file across several machines, it's quite probable that many of those machines are not even running a nameserver program. Here, I'll restrict which machine Chris may run this program on to the server called "dns1."

chris		dns1 = /usr/sbin/ndc

On the other hand, Chris is the administrator of the email server "mail". This server is his responsibility, and he can run any commands on it whatsoever. I can set entirely different permissions for him on the mail server, and yet use the same sudoers file on both the systems.

chris   dns1 = /usr/sbin/ndc
chris   mail = ALL

You can specify multiple entries in a single field by separating them with commas. Here, I'd like Chris to be able to mount floppy disks with mount(8), as well as control the nameserver.

chris		dns1 = /usr/sbin/ndc, /bin/mount

You can tell sudoers that a user can run commands as a particular user, instead of root, by putting the username in parentheses before the command. For example, suppose we have our nameserver set to run as the user "named" and all commands to control the server must be run as that user.

chris	dns1 = (named) /usr/sbin/ndc

Every entry in /etc/sudoers must be on a single line. This can make the lines very long. If you have a long list of alias members or rules, you can skip to another line by using the \ character at the end of each incomplete line.

chris	server1	= /sbin/fdisk,/sbin/fsck,/sbin/kldload,\
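To make the matching rule concrete (every field must match, ALL matches anything, commas list several entries, a parenthesised name sets the run-as user, a trailing backslash continues a rule), here is a small Python model written for this article rather than taken from it or from sudo itself. The sudoers text it parses is a constructed sample; real sudo's grammar (aliases, Defaults, wildcards, host lists) is far richer than this simplified version, so it is a teaching aid, not a sudoers checker.

```python
import re

ALL = "ALL"

# Constructed sample covering the rule forms discussed in the article.
SAMPLE_SUDOERS = """\
chris   dns1 = /usr/sbin/ndc, /bin/mount
chris   mail = ALL
chris   ns2  = (named) /usr/sbin/ndc
chris   server1 = /sbin/fdisk,/sbin/fsck,\\
                  /sbin/kldload
"""

def parse_sudoers(text):
    """Parse rules of the form: user host = [(runas)] cmd[, cmd...].
    A trailing backslash joins a rule to the next line; '#' starts a comment.
    Commands must be full paths (or ALL), as the article requires."""
    rules = []
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, rhs = line.split("=", 1)
        user, host = lhs.split()
        runas, rhs = "root", rhs.strip()          # no (user) given: run as root
        m = re.match(r"\((\w+)\)\s*(.*)", rhs)
        if m:
            runas, rhs = m.group(1), m.group(2)
        cmds = [c.strip() for c in rhs.split(",") if c.strip()]
        for c in cmds:
            if c != ALL and not c.startswith("/"):
                raise ValueError(f"command is not a full path: {c!r}")
        rules.append((user, host, runas, cmds))
    return rules

def may_run(rules, user, host, command, runas="root"):
    """True only if some rule matches user, host, run-as user and command;
    sudo denies by default, so any mismatched field means no permission."""
    for r_user, r_host, r_runas, r_cmds in rules:
        if r_user not in (ALL, user) or r_host not in (ALL, host):
            continue
        if r_runas != runas:
            continue
        if ALL in r_cmds or command in r_cmds:
            return True
    return False

RULES = parse_sudoers(SAMPLE_SUDOERS)
```

With the sample above, chris may run /usr/sbin/ndc on dns1 as root but not on ns2, where the rule only allows it as named; on mail he may run anything, and on any other host nothing at all.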
