Differences between revisions 7 and 8
Revision 7 as of 2009-03-16 03:32:27
Size: 3281
Editor: anonymous
Comment: converted to 1.6 markup
Revision 8 as of 2009-05-24 18:34:06
Size: 4126
Editor: FranklinPiat
Comment: Major rewrite
Deletions are marked like this. Additions are marked like this.
Line 4: Line 4:
Sudo is a program designed to allow a sysadmin to give limited [[root]] privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. ~+Sudo+~ is a program designed to allow a sysadmin to allow selected users to execute some commands as [[root]]. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. Sudo is also an effective way to log root activities.
Line 6: Line 6:
 * DebPkg:sudo {{{{#!wiki tip
== Sudo isn't enabled by default on Debian ==
Strictly speaking, {{{sudo}}} is installed and enabled, but no rights are granted by default in Debian (as opposed to some others distributions).
Line 8: Line 10:
== Example ==
{{{
'''How to execute a command as root: (in a default Debian installation)'''
 * When you installed the system, you chose a password for the {{{root}}} account.
 * Gnome prompts for that password (for the ''Administrative account'') when you want to start that would run as root.
 * To execute a command as {{{root}}}, open a terminal as root ({{{Applications > Accessories > Root Terminal}}}), or run {{{su}}} from a regular terminal.
}}}}

Now, if you want to allow certain users to execute certain programs, here's a a quick example (for more information, read the fine manual).

~-{{{#!plain
Line 16: Line 25:
# Example from http://www.lea-linux.org/cached/index/Admin-admin_env-sudo.html
Defaults env_reset

# Host alias specification
User_Alias MYADMINS = jdoe
Line 19: Line 32:
# ------------------------
User_Alias PPPUSERS = fred, bibi, jice, serge
User_Alias HALTUSERS = fred, bibi
User_Alias ROOT_FRIENDS = jice, serge, fred

# Host alias specification
# ------------------------
Host_Alias ICI = localhost, 192.168.1.1, ma.machine.fr
Host_Alias LABAS = www.tuxfamily.org, talk.revolink.com, 233.12.66.4
Host_Alias WWW = www*, mail*, pop*, *fr

# Runas alias specification
# -------------------------
Runsas_Alias USERPPP = pppuser, serialuser
Line 35: Line 34:
# ------------------------
Cmnd_Alias STOPPC = /sbin/halt, /sbin/reboot, !/sbin/shutdown -*, /sbin/shutdown -r, \
                       /sbin/shutdown -h
Cmnd_Alias PPPCMD = /etc/ppp/scripts/pppconnect, /etc/ppp/scripts/pppdisconnect
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt
Cmnd_Alias PKGMGMT = /usr/bin/dpkg, /usr/bin/apt-get, /usr/bin/aptitude
Line 41: Line 38:
# ----------------------------
fred localhost = (ALL) ALL, (root) !ALL
PPPUSERS MONRESEAU = (USERPPP) NOPASSWD: /sbin/pppd, PPPCMD
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+secretaires LOCALE = PRINTING_CMDS, /usr/sbin/adduser [A-z]*
Line 47: Line 39:
# Users listed above (MYADMINS) can run package managers and reboot the system.
MYADMINS ALL = PKGMGMT, SHUTDOWN

# Users in the group wheel can execute any command impersonating any user.
#%wheel ALL= ALL

#Default rule for root.
root ALL=(ALL) ALL
}}}-~

== Troubles and tweaks ==

=== Sorry, user jdoe is not allowed to execute ... ===
A typical session goes like this:
 {{{#!plain
$sudo test

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jdoe:
Sorry, user jdoe is not allowed to execute '/usr/bin/test' as root on localhost.
Line 49: Line 67:
== Troubles and tweaks == This messages typically means that the user isn't allowed to execute the action.

=== sudoers is read-only ===
Yes, the file {{{/etc/sudoers}}} is set read-only, even for root!

The is because, one __must__ use the command {{{visudo}}} to edit {{{/etc/sudoers}}}.
Line 60: Line 83:
As a result, unless you modify your sudoers file to contain '''Defaults env_reset''', you may experiance problems using sudo like the following: As a result, unless you modify your sudoers file to contain '''Defaults env_reset''', you may experience problems using sudo like the following:
Line 68: Line 91:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342948 Bug: [[DebianBug:342948|#342948]]
Line 75: Line 98:
 * Manpages: [[http://manpages.debian.net/man/5/sudoers|sudoers(5)]], [[http://manpages.debian.net/man/8/sudo|sudo(8)]], [[http://manpages.debian.net/man/8/visudo|visudo(8)]], [[http://manpages.debian.net/man/8/sudoedit|sudoedit(8)]]  * Manpages: [[DebianMan:5/sudoers|sudoers(5)]], [[DebianMan:8/sudo|sudo(8)]], [[DebianMan:8/visudo|visudo(8)]], [[DebianMan:8/sudoedit|sudoedit(8)]]

root


Sudo is a program designed to allow a sysadmin to allow selected users to execute some commands as root. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. Sudo is also an effective way to log root activities.

Sudo isn't enabled by default on Debian

Strictly speaking, sudo is installed and enabled, but no rights are granted by default in Debian (as opposed to some others distributions).

How to execute a command as root: (in a default Debian installation)

  • When you installed the system, you chose a password for the root account.

  • Gnome prompts for that password (for the Administrative account) when you want to start that would run as root.

  • To execute a command as root, open a terminal as root (Applications > Accessories > Root Terminal), or run su from a regular terminal.

Now, if you want to allow certain users to execute certain programs, here's a a quick example (for more information, read the fine manual).

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification
User_Alias      MYADMINS = jdoe

# User alias specification

# Cmnd alias specification
Cmnd_Alias      SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt
Cmnd_Alias      PKGMGMT = /usr/bin/dpkg, /usr/bin/apt-get, /usr/bin/aptitude

# User privilege specification

# Users listed above (MYADMINS) can run package managers and reboot the system.
MYADMINS ALL = PKGMGMT, SHUTDOWN

# Users in the group wheel can execute any command impersonating any user.
#%wheel ALL= ALL

#Default rule for root.
root    ALL=(ALL) ALL

Troubles and tweaks

Sorry, user jdoe is not allowed to execute ...

A typical session goes like this:

  • $sudo test
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for jdoe: 
    Sorry, user jdoe is not allowed to execute '/usr/bin/test' as root on localhost.

This messages typically means that the user isn't allowed to execute the action.

sudoers is read-only

Yes, the file /etc/sudoers is set read-only, even for root!

The is because, one must use the command visudo to edit /etc/sudoers.

CVE-2005-4158

With the fix for CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars, the default behaviour of handling environment variables was switched to protect against malicious local users with sudo privileges getting sudo to do more than the malcontent was given privileges to do.

  • sudo (1.6.8p7-1.3) stable-security; urgency=high
    • Non-maintainer upload by the Security Team
    • Reverse the environment semantic by forcing users to maintain a whitelist [env.c, Bug#342948, CVE-2005-4158]

As a result, unless you modify your sudoers file to contain Defaults env_reset, you may experience problems using sudo like the following:

  • E138: Can’t write viminfo file $HOME/.viminfo!
  • dircolors: no SHELL environment variable, and no shell type option given
  • squidview: can't get your home directory, exiting

If you had more complex setups where you meant to pass through environment variables, your work around may be more complex or no longer possible.

Bug: #342948

PASSWD option not working

sudo has a flag called exempt_group which contains a list of groups for which always NOPASSWD is true and setting PASSWD has no effect. On Debian Systems this list consists of the group sudo.

See also