Sudo Aliases and Exclusions
by Michael W. Lucas, 09/12/2002
Last time, we looked at the basic sudo(8) setup. The hardest part of using sudo is configuring its permissions file, sudoers. As you can imagine, once you have several different machines with multiple
administrators all with different levels of privilege, sudoers quickly
gets very complicated. Aliases can simplify sudo maintenance and
greatly clean up your sudo configuration.
Basically, an alias is a group of users, hosts, or commands. When a
user's duties change, you can just add them to the appropriate user
alias to give them correct sudo privileges. If you want your system
operators to be able to back up the system, but no longer restore
data, you can remove the restore commands from their command alias.
When you install a new server, adding the server name to the proper
alias will allow you to instantly give system administrators the proper
permissions to do their jobs.
An alias must be defined before it can appear in the sudoers file.
For that reason, aliases generally appear at the top of the file.
Each alias entry has a label saying what sort of alias it is, a label
for the alias, and a list of the members of that alias.
User aliases are groups of users, and are labeled with the string
User_Alias. They contain a list of users that are in that alias.
User_Alias DNSADMINS = chris,mwlucas
The user alias DNSADMINS contains two users, mwlucas and chris.
A Runas alias is a special type of user alias. This lists users that
other users can run commands as. Many nameservers can be run as the
user "named." The DNS administrator might need to be able to run
commands as that user, and you might have a Runas alias for that.
Many database applications run as their own special user. In many
cases, a system administrator responsible for an application would
also want to be able to run system backups as the user "operator."
Or, you could just create a single Runas alias to group these
users. Runas aliases are labeled with Runas_Alias.
Runas_Alias APPADMIN = named,dbuser,operator
A host alias is just a list of hosts. They're labeled with the string
Host_Alias. A host alias can be defined in terms of hostnames, IP
addresses, or network blocks. (Remember, if you're using hostnames
your sudo configuration could be vulnerable to DNS problems!) Here
are examples of all three.
Host_Alias DNSSERVERS = dns1,dns2,dns3
Host_Alias SECURITYSERVERS = 192.168.1.254,192.168.113.254
Host_Alias COMPANYNETWORK = 192.168.1.0/16
A command alias is a list of commands. They're labeled with the
string Cmnd_Alias. Here, we have an alias that includes all the
commands necessary to back up to tape, or restore the system from
backup.
Cmnd_Alias BACKUPS = /bin/mt,/sbin/restore,/sbin/dump
You might have a command alias that includes all the commands in a particular directory. Suppose we have a custom application that runs as a particular user and places all of its commands in the app user's home directory. Rather than list all the commands, we can just list the directory and use a wildcard to include everything in it. (A wildcard does not match a slash, so this covers the files in that one directory, not its subdirectories.)
Cmnd_Alias DBCOMMANDS = /usr/home/dbuser/bin/*
To use an alias, just put the alias name in the rule where you would
normally list the user, command, or hostname. We've previously
defined a user alias DNSADMINS. The users listed in the DNSADMINS
alias get to run any commands at all on all of our servers.
DNSADMINS ALL = ALL
Let's suppose that our user Phil has to manage an application that
runs as a particular user. He can run any command on the system as
this application user. We defined a Runas alias in the last section,
APPADMIN, and an alias for the commands needed to run
the application, DBCOMMANDS.
phil ALL = (APPADMIN)DBCOMMANDS
As the application administrator, Phil might also have to run backups.
We have already included the user operator in the APPADMIN Runas alias,
and we have a separate command alias for backup commands. We can
combine them all like this.
phil ALL = (APPADMIN) DBCOMMANDS, (APPADMIN)BACKUPS
This is much simpler to read than what this rule expands to.
phil ALL = (named,dbuser,operator)/usr/home/dbuser/bin/*,\
(named,dbuser,operator)/bin/mt, (named,dbuser,operator)/sbin/restore,\
(named,dbuser,operator)/sbin/dump
Some of the permissions granted by sudo in this case are unnecessary
-- Phil does not need to run the backup commands as dbuser or named,
only as operator. Still, it's far tighter than just giving Phil the root
password! You can also define rules to restrict your users as tightly
as you desire.
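The expansion above is easy to get wrong by hand once several aliases are nested. The following Python script is an added example, not part of sudo or of this article: it parses the four alias kinds and the user specifications shown here, expands each rule into the explicit (user, host, runas, command) grants it produces, and reports which Runas users a given command can be run as. The sudoers fragment inside it is constructed from the article's own aliases, with the rule for phil written against the APPADMIN Runas alias defined above. The TIGHTER_RULE line is a constructed alternative that scopes each command alias to the one Runas user it needs; the script is a reviewing aid only, and visudo(8) remains the authoritative parser.

```python
"""Expand sudoers aliases into the explicit grants they produce (added example)."""
import re

# Constructed fragment assembled from the article's alias definitions.
SUDOERS = """\
User_Alias  DNSADMINS  = chris,mwlucas
Runas_Alias APPADMIN   = named,dbuser,operator
Host_Alias  DNSSERVERS = dns1,dns2,dns3
Cmnd_Alias  BACKUPS    = /bin/mt,/sbin/restore,/sbin/dump
Cmnd_Alias  DBCOMMANDS = /usr/home/dbuser/bin/*
DNSADMINS ALL = ALL
phil ALL = (APPADMIN) DBCOMMANDS, (APPADMIN)BACKUPS
"""

# Constructed alternative: the same duties for phil, each scoped to one Runas user.
TIGHTER_RULE = "phil ALL = (dbuser) DBCOMMANDS, (operator) BACKUPS"

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")        # user host = specs
SPEC_RE = re.compile(r"^(?:\(([^)]*)\)\s*)?(.+)$")          # [(runas)] command


def parse(text):
    """Split a sudoers fragment into alias tables and raw user specifications."""
    aliases = {kind: {} for kind in ALIAS_KINDS}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        kind = line.split(None, 1)[0]
        if kind in ALIAS_KINDS:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
        else:
            rules.append(line)
    return aliases, rules


def expand(name, table):
    """Replace an alias name by its members, recursively; literals and ALL pass through."""
    if name not in table:
        return [name]
    members = []
    for member in table[name]:
        members.extend(expand(member, table))
    return members


def expand_rule(rule, aliases):
    """Return the explicit (user, host, runas, command) grants one rule produces."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a user specification: " + rule)
    users = expand(m.group(1), aliases["User_Alias"])
    hosts = expand(m.group(2), aliases["Host_Alias"])
    runas = ["root"]   # sudoers default target when no (...) is given
    grants = []
    for spec in m.group(3).split(","):
        sm = SPEC_RE.match(spec.strip())
        if sm.group(1) is not None:
            # A Runas spec stays in force for the commands that follow it.
            runas = []
            for r in sm.group(1).split(","):
                runas.extend(expand(r.strip(), aliases["Runas_Alias"]))
        for cmd in expand(sm.group(2).strip(), aliases["Cmnd_Alias"]):
            for user in users:
                for host in hosts:
                    for r in runas:
                        grants.append((user, host, r, cmd))
    return grants


def expand_all(text):
    aliases, rules = parse(text)
    grants = []
    for rule in rules:
        grants.extend(expand_rule(rule, aliases))
    return grants


def runas_for(grants, user, cmd):
    """The set of users `user` may run `cmd` as, on any host."""
    return {r for (u, _h, r, c) in grants if u == user and c == cmd}


def render(grants):
    """Regroup grants into explicit sudoers lines, one per user and host."""
    lines = {}
    for user, host, r, cmd in grants:
        lines.setdefault((user, host), {}).setdefault(cmd, []).append(r)
    out = []
    for (user, host), cmds in lines.items():
        specs = ["(%s) %s" % (",".join(rs), cmd) for cmd, rs in cmds.items()]
        out.append("%s %s = %s" % (user, host, ", ".join(specs)))
    return out


if __name__ == "__main__":
    grants = expand_all(SUDOERS)
    for line in render(grants):
        print(line)
    print("phil may run /sbin/dump as:", sorted(runas_for(grants, "phil", "/sbin/dump")))
    aliases, _ = parse(SUDOERS)
    print("tighter rule grants:", len(expand_rule(TIGHTER_RULE, aliases)), "vs", len(grants) - 2)
```

Running it prints the expanded lines for chris, mwlucas and phil, then shows that phil's rule lets him run /sbin/dump as named, dbuser and operator (twelve grants in all), while the per-user version yields four grants and lets the backup commands run only as operator.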