user alias and command alias with sudo

sudo lets an authorised user run a command as another user, normally root, without sharing that user's password. Who may run what, on which hosts and as whom is controlled by the /etc/sudoers file. Assigning users to groups gives them rights over files; sudo instead grants the right to run specific commands on specific machines, which is a more precise and easier to audit way of handing out privileges.

The /etc/sudoers File

General sudoers file record format:

user_list host_list = (users the command may be run as) command_list

The part in parentheses is optional; when it is left out the command may only be run as root (sudo's runas_default).

1. Granting All Access to Specific Users

You can grant users tarique and bonny full access to all privileged commands with this sudoers entry:

bonny, tarique ALL=(ALL) ALL

The keyword ALL can stand for all users, all hosts, all Runas users and all commands. Note that (ALL) covers every target user but not every target group; write (ALL:ALL) if these users should also be able to use sudo -g. A rule whose command list is ALL is equivalent to handing over root, since it includes shells and editors.

2. Granting Access To Specific Users To Specific Files

This entry allows user tarique and all the members of the group operator to run any program in the /sbin and /usr/sbin directories, plus the command /usr/local/apps/check.pl. A trailing slash (/) on a path is what tells sudo to treat it as a directory: it then matches any file directly in that directory, but not files in its subdirectories. Both directory entries therefore need the slash:

tarique, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl

Before granting a whole directory, look at what it contains: any program in it that can run other programs or edit files (visudo, for instance, lives in /usr/sbin on most Linux systems) hands over full root.

3. Granting Access to Specific Files as Another User

The sudo -u option lets you execute a command as if you were another user, but first you have to be granted this privilege in the sudoers file by naming that user in the parenthesised Runas part of the rule.

tarique ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill

tarique is on the team developing a financial package that runs a program called fsystem as user accounts. From time to time the application fails, requiring tarique to stop it with /bin/kill, /usr/bin/kill or /usr/bin/pkill, but only as user accounts.

User tarique is allowed to stop the fsystem process with this command (the rule lists no arguments, so sudo will in fact let him send any signal to any process owned by accounts, not only fsystem):

sudo -u accounts pkill fsystem

4. Using Aliases in the sudoers File

User aliases are groups of users, and are labeled with the string User_Alias. They contain a list of users that are in that alias.

User_Alias DNSADMINS = tarique,bonny

The user alias DNSADMINS contains two users, tarique and bonny.

A Runas alias is a list of users labeled with the string Runas_Alias. It is used in the parenthesised part of a rule and names the users that other users may run commands as.

Runas_Alias APPADMIN = named,dbuser,operator

A command alias is a list of commands. They’re labeled with the string Cmnd_Alias. Here, we have an alias that includes all the commands necessary to back up to tape, or restore the system from backup.

Cmnd_Alias BACKUPS = /bin/mt,/sbin/restore,/sbin/dump

To use an alias, just put the alias name in the rule where you would normally list the user, Runas user, command, or hostname (host lists use Host_Alias in the same way). We previously defined a user alias DNSADMINS. With the entry below, the users listed in DNSADMINS get to run any command at all, as any user, on all of our servers:

DNSADMINS ALL = (ALL) ALL

or, to allow only the backup commands, run only as the users listed in APPADMIN, on all servers:

DNSADMINS ALL = (APPADMIN) BACKUPS

Let's suppose that user tarique has to manage an application that runs as a particular user, and must be able to run the application's own commands as that user. This needs a Runas alias naming the application's users and a command alias for the application's commands. Neither has been defined yet, so define them first; the application lives under /usr/home/dbuser/bin and runs as dbuser and operator:

Runas_Alias APPOWNER = dbuser,operator
Cmnd_Alias DBCOMMANDS = /usr/home/dbuser/bin/*

tarique ALL = (APPOWNER) DBCOMMANDS

As the application administrator, tarique might also have to run backups. The APPOWNER Runas alias already includes operator, and we have a separate command alias for the backup commands, BACKUPS. We can combine them all like this:

tarique ALL = (APPOWNER) DBCOMMANDS, (APPOWNER) BACKUPS

This is much simpler to read than what this rule expands to:

tarique ALL = (dbuser,operator) /usr/home/dbuser/bin/*, \
              (dbuser,operator) /bin/mt, (dbuser,operator) /sbin/restore, \
              (dbuser,operator) /sbin/dump
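As an added worked example (not part of the original post, and not sudo's own code), the following Python script parses a small constructed sudoers file written in the syntax used above, expands User_Alias, Runas_Alias and Cmnd_Alias entries into the flat grants they stand for, which is exactly the expansion shown for the tarique rule, and flags the entries that deserve a second look: ALL, trailing-slash directories and wildcards. The sample file, the APPOWNER and DBCOMMANDS definitions and the warning texts are assumptions made for the example, and only the subset of sudoers syntax the post uses is implemented.

```python
"""Expand sudoers aliases into the flat per-user grants they stand for.

Added example for this post, not sudo's own parser.  It handles only the
syntax used above: User_Alias, Runas_Alias, Cmnd_Alias, Host_Alias, '#'
comments, backslash continuation and rules of the form
    user_list host_list = [(runas_list)] cmnd_list[, [(runas_list)] cmnd_list]
Tags such as NOPASSWD:, Defaults lines, '!' negation and quoting are out of
scope, so validate a real file with 'visudo -c -f FILE', not with this.
"""
import re

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Cmnd_Alias", "Host_Alias")
RUNAS_DEFAULT = "root"   # sudo's runas_default when a rule has no (runas) part

# Constructed sample covering the rules discussed in the post (an assumption).
SAMPLE_SUDOERS = """\
User_Alias  DNSADMINS  = tarique,bonny
Runas_Alias APPOWNER   = dbuser,operator
Cmnd_Alias  BACKUPS    = /bin/mt,/sbin/restore,/sbin/dump
Cmnd_Alias  DBCOMMANDS = /usr/home/dbuser/bin/*
DNSADMINS ALL = (ALL) ALL          # full root for everyone in the alias
tarique, %operator ALL = /sbin/, /usr/sbin/, /usr/local/apps/check.pl
tarique ALL = (APPOWNER) DBCOMMANDS, \\
              (APPOWNER) BACKUPS
"""

# One "[(runas)] command" piece of a command list.
CMND_SPEC = re.compile(r"(?:\(([^)]*)\))?\s*([^,()\s][^,()]*)")


def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\n", "", text)
    stripped = (ln.split("#", 1)[0].strip() for ln in joined.splitlines())
    return [ln for ln in stripped if ln]


def split_list(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def expand(names, table, seen=()):
    """Replace alias names by their members, recursively; other names pass through."""
    out = []
    for n in names:
        if n in table and n not in seen:            # 'seen' stops alias cycles
            out.extend(expand(table[n], table, seen + (n,)))
        else:
            out.append(n)
    return out


def parse(text):
    """Return (aliases, rules); a rule is (users, hosts, [(runas_list, cmnd), ...])."""
    aliases = {k: {} for k in ALIAS_KINDS}
    rules = []
    for line in logical_lines(text):
        kind = line.split(None, 1)[0]
        if kind in ALIAS_KINDS:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = split_list(members)
            continue
        left, right = line.split("=", 1)
        users, hosts = left.rsplit(None, 1)
        specs, runas = [], [RUNAS_DEFAULT]
        for m in CMND_SPEC.finditer(right):
            if m.group(1) is not None:              # a (runas) list sticks until replaced
                runas = split_list(m.group(1))
            specs.append((runas, m.group(2).strip()))
        rules.append((split_list(users), split_list(hosts), specs))
    return aliases, rules


def flatten(text):
    """Expand every alias; return one (user, host, runas_tuple, cmnd) per grant."""
    aliases, rules = parse(text)
    flat = []
    for users, hosts, specs in rules:
        for user in expand(users, aliases["User_Alias"]):
            for host in expand(hosts, aliases["Host_Alias"]):
                for runas, cmnd in specs:
                    r = tuple(expand(runas, aliases["Runas_Alias"]))
                    for c in expand([cmnd], aliases["Cmnd_Alias"]):
                        flat.append((user, host, r, c))
    return flat


def warnings_for(user, host, runas, cmnd):
    """Flag grants that deserve a second look before the file goes live."""
    notes = []
    if cmnd == "ALL" or "ALL" in runas:
        notes.append("effectively unrestricted root")
    if cmnd.endswith("/"):
        notes.append("every program in that directory (not subdirectories), any arguments")
    elif "*" in cmnd:
        notes.append("wildcard in path: every matching program, any arguments")
    return notes


if __name__ == "__main__":
    for user, host, runas, cmnd in flatten(SAMPLE_SUDOERS):
        notes = warnings_for(user, host, runas, cmnd)
        flag = "   <- " + "; ".join(notes) if notes else ""
        print(f"{user:10} {host:4} ({','.join(runas)}) {cmnd}{flag}")
```

For a real file the authoritative checks are sudo's own: visudo -c -f candidate_file parses it with sudo's grammar (an alias that is used but never defined, such as DBCOMMANDS in the original text, is rejected there), and sudo -l -U tarique, run as root, prints the commands sudo itself would allow that user, which is the list to compare against what you intended to grant.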

2 Responses to “user alias and command alias with sudo”

  1. Gregg Leventhal Says:

    Nice article, it covers a good deal about aliases, which is what I wanted to read about.

  2. Alex Says:

    At 2. you write: Notice how the trailing slash (/) is required to specify a directory location:

    And in the example below; the directory /sbin/ is shown with a trailing /, but the directory /usr/sbin is not. Typo?
