Sudo example configuration
bruce.dubbs at gmail.com
Tue Sep 29 22:45:47 PDT 2009
DJ Lucas wrote:
> On 09/29/2009 10:46 PM, Bruce Dubbs wrote:
>> DJ Lucas wrote:
>>> Anybody have any objection to providing a sudoers group and adding more
>>> secure/common example to the sudoers file? Something to the effect of...
>>> groupadd -g <##> sudoers &&
>>> echo -e "%sudoers\tALL=(ALL)\tALL" >> /etc/sudoers &&
>>> usermod -a -G sudoers <your user name>
>>> ...instead of the current admin user with no password example?
>> I really don't have an objection, but what we have now is just as easy. The
>> superuser just needs to run visudo and add a name to the ADMIN user alias.
>> Is that really any harder than adding a user to a group.
> Dang it, I knew I was gonna have to read the man page! :-) No...I was
> going more for what is a common use case today...but I suppose that kind
> of icks what learning can be done by reading the manual page. For our
> purposes, we could get the intended result from:
> <username> <$hostname>=(ALL) NOPASSWD:ALL
>> I don't like tabs in configuration files (or source code).
>> The (ALL) really doesn't apply to many users any more.
> I'm not sure if you confused the positions, or if these were two
> separate thoughts.
Two separate thoughts. You had \t in the echo.
> I'll separate, but answer as if confused/transposed
> for anybody who reads, as that's how I understood your comments here at
> first. The '(ALL)' allows the user to choose all users to run the
> command as...it could also be any previously defined user alias or a
> valid user name as well.
I did not remember correctly. What we have is:
user hostlist = (userlist) commandlist
* user is the name of the user or group to which this rule applies
* hostlist is a list of hosts this rule applies to
* userlist is a list of users that this rule can be run as, and must be
enclosed in ( )
* commandlist is a list of commands that this rule states can be executed
The userlist token is optional – if excluded, it defaults to root
I had swapped userlist and hostlist in my memory. ALL and (ALL) are a bit
> But, yes I agree, very few people lock down commands to specific users
> anymore, and just run everything that needs elevated privileges as the
> superuser and change perms if needed when done. I'm guilty as well...and
> it is because of relaxed sudoers files. ;-)
>> I'm not even sure how
>> I'd use sudo to run something on another host.
> You can't directly (at least not that I know of), it is intended for
> shared sudoers files (or included sudoers files) across the network.
OK. I sorta see. The sudoer file is in /etc which is never shared AFAIK, but
if the sudoer file includes a shared file, then it could be appropriate.
> See the example above 'ALL' before the equal sign just lets it match
> unconditionally, any host. 'ALL' always matches unconditionally and is
> actually not really security conscious IMO, but su is not easily
> scripted, so I can justify it for my own use. ;-)
>> The sudoers file can be very complex or very easy (like the current example).
>> I'd prefer to leave it as it is.
> The second point of my original post is that I severely dislike the
> NOPASSWD option. Granted, an admin shouldn't leave a console
> unattended, but in the event that she does, then she has some form of
> protection. Having now reviewed the manual page fully, the default
> timeout is 5 minutes (before you have to enter your password again). I
> really don't care for the generous use of 'ALL', but I can live with it.
I don't have a problem with removing the NOPASSWD option.
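As an added illustration of the user-spec grammar listed above (user hostlist = (userlist) commandlist) and of the NOPASSWD concern raised in the thread, here is a small audit script that is not from the thread or from BLFS. It parses a constructed sample with a simplified grammar (no alias expansion, no continuation lines, one rule per line) and flags rules that carry NOPASSWD or grant ALL commands.

```python
import re

# user hostlist = (userlist) commandlist; the (userlist) part is optional.
# Assumption: single-line rules only, no alias expansion (simplified grammar).
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias",
                 "Cmnd_Alias", "Runas_Alias")

# Constructed sample, not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root ALL=(ALL) ALL
%sudoers\tALL=(ALL)\tALL
dj localhost=(ALL) NOPASSWD:ALL
bruce ALL=(root) /usr/bin/apt-get
"""

def parse_rule(line):
    """Split one rule into user, hosts, runas (defaults to root), tags, commands."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    cmds = m.group("cmds").strip()
    tags = []
    # Tags such as NOPASSWD: are prefixed to the command list.
    while (tm := re.match(r"^([A-Z]+):\s*(.*)$", cmds)):
        tags.append(tm.group(1))
        cmds = tm.group(2)
    return {"user": m.group("user"), "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root",
            "tags": tags, "commands": cmds}

def audit(text):
    """Return (line number, finding) pairs for risky rules in a sudoers text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((lineno, "UNPARSED"))
            continue
        if "NOPASSWD" in rule["tags"]:
            findings.append((lineno, "NOPASSWD"))
        if rule["commands"] == "ALL":
            findings.append((lineno, "ALL_COMMANDS"))
    return findings
```

Running audit(SAMPLE_SUDOERS) reports the two ALL rules, the NOPASSWD rule, and nothing for the single-command rule.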