visudo

linux

What is the purpose of the sudo facility?

The sudo facility allows specified users to run specific commands as root without having to know the root password.

What is the purpose of the sudoers file?

The sudoers file allows root to give other users on the system the ability to gain root access.

What caution should we take when giving users ability to run some commands as root?

  1. We should not give users access to facilities that provide shell escape capability. This includes games and editors.

Sample configuration file

# /etc/sudoers file
# This file MUST be edited with the 'visudo' command as root.

# User alias specification
User_Alias PROG = khai, frank, bob

# Defaults specification
# timestamp_timeout is given in minutes
Defaults timestamp_timeout=3600
Defaults logfile = /var/log/sudolog

# User privileges specification
root ALL=(ALL) ALL
nagios ALL = NOPASSWD: /code/bin/maintenance.pl

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

PROG ALL=(ALL) ALL
khai ALL = NOPASSWD: /usr/bin/send_apache_log.pl, /usr/bin/send_mysql_log.pl
robert ALL = NOPASSWD: /bin/chmod

# Host specification:
Host_Alias    PHYSICS=hamlet, ophelia, laertes
Host_Alias    CHEM=duncan, puck, brutus

# Command alias specification
Cmnd_Alias    MOUNT=/sbin/mount, /sbin/umount
Cmnd_Alias    SHUTDOWN=/sbin/shutdown

# User specification
root    ALL=ALL
chavez    PHYSICS=MOUNT:CHEM=ALL
harvey    ALL=SHUTDOWN:achilles=/sbin/swapon
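
An added example (not part of the original page): a small Python audit that flags user specifications carrying the risks discussed above, namely programs with a shell escape and NOPASSWD entries that cover all commands or any arguments. The SAMPLE text is constructed in the style of the sample file; the EDIT alias, the bob entry, the SHELL_ESCAPE list and the finding labels are assumptions made for illustration.

```python
import re

# Constructed input; the EDIT alias and the bob entry are hypothetical.
SAMPLE = """\
Cmnd_Alias SHUTDOWN=/sbin/shutdown
Cmnd_Alias EDIT=/usr/bin/vi
%wheel ALL=(ALL) NOPASSWD: ALL
robert ALL = NOPASSWD: /bin/chmod
harvey ALL=SHUTDOWN:achilles=/sbin/swapon
bob ALL=(root) EDIT
USERNAME ALL=NOPASSWD:/usr/sbin/service postgresql start
"""

# Assumption: a short illustrative list of programs that offer a shell escape.
SHELL_ESCAPE = {"vi", "vim", "nano", "emacs", "ed", "less", "more"}
KEYWORDS = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias", "@")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")

def audit(text):
    """Return sorted (user, command, finding). Simplified: no continuations, negation, wildcards."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]
    aliases, found = {}, set()
    for l in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", l)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for l in lines:
        if l.startswith(KEYWORDS):
            continue
        user, rest = l.split(None, 1)
        # ':' separates host groups only when it is followed by "hostlist ="
        for spec in re.split(r":(?=\s*[\w.,! -]+=)", rest):
            cmds = re.sub(r"^\s*\([^)]*\)\s*", "", spec.split("=", 1)[1])  # drop (runas)
            nopasswd = False  # a tag applies to the rest of the command list
            for item in map(str.strip, cmds.split(",")):
                while (t := TAG.match(item)):
                    nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                    item = item[t.end():]
                for cmd in aliases.get(item, [item]):
                    name = cmd.split()[0].rsplit("/", 1)[-1]
                    if name in SHELL_ESCAPE:
                        found.add((user, cmd, "shell escape"))
                    elif nopasswd and " " not in cmd:  # no arguments listed
                        kind = "all commands" if cmd == "ALL" else "any arguments"
                        found.add((user, cmd, "NOPASSWD, " + kind))
    return sorted(found)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An entry that lists its arguments, such as the service postgresql start line, is not flagged because sudo then only permits that exact invocation.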

How can we bypass the password for starting a service?

Create a file inside the /etc/sudoers.d folder. The name of this file can be anything. The content of this file should be something like:

USERNAME  ALL=NOPASSWD:/usr/sbin/service postgresql  start

In the above entry, replace USERNAME with your username. Then, in your .bashrc file, you can start the service automatically with:

sudo service postgresql start

Spaces in this file are probably not significant, but if you run into problems, check that the entry matches the exact command you run.
