Making a custom sudoers file

For a sysadmin, allowing access to sudo is nerve-wracking, particularly if you work in an environment where you seem to be the only one concerned about security, where passwordless accounts are abundant and all users are made administrators for ease of access. This is most common in OS X clusters, as Linux does not permit empty passwords by default. A properly configured sudoers file is very important.

This assumes you have already sorted your users into appropriate groups, such as removing guests from the 'wheel' group.

Defining command and user aliases
The first section to edit will be # Cmnd alias specification. You can define groups of commands such as:

Cmnd_Alias SYS_COMMANDS = /sbin/umount, /sbin/mount

Cmnd_Alias SERVICES = /bin/ls, /bin/cat, /sbin/halt, /sbin/reboot, \
    /sbin/shutdown

Cmnd_Alias ADMIN_TOOLS = /usr/bin/passwd, /bin/chmod, /bin/chown, /bin/chgrp

Cmnd_Alias EDITING = /usr/bin/vi

Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, \
    /sbin/partprobe

You can also append arguments to a command; for example, an alias containing /usr/bin/su - Guest permits sudo su - Guest, but not sudo su - some-other-user.

User aliases operate using the same syntax:

User_Alias GUESTS = guest, user, bob
User_Alias ADMINS = joe, alice

Limiting and denying commands to users and groups
Next, edit the # User privilege specification section. A % denotes a group, while a name without one is a user (or a User_Alias). Keep in mind that sudoers matches command arguments literally and that the last matching rule wins, so excluding commands with ! is a much weaker control than listing only what is allowed:
# root and 'wheel' group users can run all commands as long as they authenticate
# with their passwords
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

# only bob can use storage tools
bob ALL = STORAGE

# ADMINS can use chmod, chown, chgrp and passwd, but they can't change root's password
ADMINS ALL = ADMIN_TOOLS, !/usr/bin/passwd root

# 'admin' group users can use all commands in the EDITING alias with a password, and
# all commands in SYS_COMMANDS and SERVICES without authenticating; but can't use any
# other commands
%admin ALL = EDITING, NOPASSWD: SYS_COMMANDS, SERVICES

# Guest users, who don't have passwords, can only mount and unmount drives
%guest ALL = NOPASSWD:SYS_COMMANDS

# joe can authenticate to use any command in /bin except for chmod, chgrp, chown and
# vi, but he can use /bin/find without authenticating (there is no real usefulness
# to NOPASSWD in this case); note the trailing slash, which makes /bin/ mean
# "every file in that directory"
joe ALL = /bin/, NOPASSWD: /bin/find, !/bin/chmod, !/bin/chgrp, \
    !/bin/chown, !EDITING

# alice can su to any user except for root, but without flags (su - user is not allowed)
alice ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*

# everybody needs to be able to kill a program when it hangs without authenticating
ALL ALL = NOPASSWD:/bin/kill
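As an added illustration of how the alias and user-specification rules above combine (example code written for this page, not part of the original post or of sudo itself), here is a small resolver for the sudoers subset used here: it expands Cmnd_Alias and User_Alias names, honours %group entries, sticky NOPASSWD/PASSWD tags and ! exclusions, and applies sudo's last-match-wins rule. It matches exact paths only (no wildcards) and runs against a constructed sample policy.

```python
import re
# Constructed sample policy in the style of the post's rules (not the post's own file).
SAMPLE_SUDOERS = """\
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk
Cmnd_Alias ADMIN_TOOLS = /usr/bin/passwd, /bin/chmod
User_Alias ADMINS = joe, alice
root ALL = (ALL) ALL
bob ALL = STORAGE
ADMINS ALL = ADMIN_TOOLS, !/usr/bin/passwd root
%guest ALL = NOPASSWD: /sbin/mount, /sbin/umount
"""

def parse(text):
    """Return (user_aliases, specs); each spec is (who, [(negated, tag, command), ...])."""
    cmnd, user, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"): continue   # Defaults not modelled
        if line.startswith(("Cmnd_Alias", "User_Alias")):
            kind, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            (cmnd if kind == "Cmnd_Alias" else user)[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        who, rest = line.split(None, 1)                        # e.g. "bob ALL = STORAGE"
        cmds = re.sub(r"\([^)]*\)", "", rest.split("=", 1)[1])  # drop any (runas) part
        entries, tag = [], "PASSWD"                            # a tag sticks until the next tag
        for item in (i.strip() for i in cmds.split(",")):
            m = re.match(r"(NOPASSWD|PASSWD):\s*(.*)", item)
            if m: tag, item = m.groups()
            negated, item = item.startswith("!"), item.lstrip("!").strip()
            entries.extend((negated, tag, c) for c in cmnd.get(item, [item]))  # expand alias
        specs.append((who, entries))
    return user, specs

def _cmd_matches(rule, command):   # no arguments in the rule => any arguments; else exact
    r, c = rule.split(None, 1), command.split(None, 1)
    return rule == "ALL" or (r[0] == c[0] and (len(r) == 1 or r[1:] == c[1:]))

def check(text, username, groups, command):
    """Return 'NOPASSWD', 'PASSWD' or None (denied); as in sudo, the last match wins."""
    user_aliases, specs = parse(text)
    verdict = None
    for who, entries in specs:
        if not (who in ("ALL", username) or username in user_aliases.get(who, [])
                or (who.startswith("%") and who[1:] in groups)):
            continue
        for negated, tag, rule in entries:
            if _cmd_matches(rule, command):
                verdict = None if negated else tag
    return verdict
```

This only models the matching rules; a real file should still be syntax-checked with visudo -c and the effective rights confirmed with sudo -l -U user.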


Defining default settings
A few useful Defaults specifications:

# allow only one password attempt (no retries)
Defaults passwd_tries = 1

# the message when a user types an incorrect password
Defaults badpass_message = "And just what do you think you're doing, Dave?"

# require a real terminal, so sudo cannot be driven from a cron job or another
# non-interactive session; the user must be logged in
Defaults requiretty

2 comments:

Dr Savoye said...

You have probably found the answer to this already; I always intended to come back to this blog, but never had the time to maintain it.

In case you haven't found the answer; I've seen that error before on a machine where 1) I was using a recently upgraded machine which had an /etc/sudoers.rpmnew file, and the errors disappeared after merging the two files; and 2) in one case where I was using non-standard groups; I had invented my own group names instead of using the system ones.

In either case, in my experience they were mere warnings and caused no trouble. They also don't seem to appear using straight `vi` or `nano`, but only with `visudo` in particular.

Anonymous said...

nice
