Sudo example configuration

Bruce Dubbs bruce.dubbs at gmail.com
Tue Sep 29 22:45:47 PDT 2009


DJ Lucas wrote:
> On 09/29/2009 10:46 PM, Bruce Dubbs wrote:
>> DJ Lucas wrote:
>>    
>>> Anybody have any objection to providing a sudoers group and adding more
>>> secure/common example to the sudoers file?  Something to the effect of...
>>>
>>> groupadd -g <##> sudoers &&
>>> echo -e "%sudoers\tALL=(ALL)\tALL" >> /etc/sudoers &&
>>> usermod -a -G sudoers <your user name>
>>>
>>> ...instead of the current admin user with no password example?
>>>      
>> I really don't have an objection, but what we have now is just as easy.  The
>> superuser just needs to run visudo and add a name to the ADMIN user alias.
>> Is that really any harder than adding a user to a group.
>>    
> Dang it, I knew I was gonna have to read the man page!  :-) No...I was 
> going more for what is a common use case today...but I suppose that kind 
> of icks what learning can be done by reading the manual page.  For our 
> purposes, we could get the intended result from:
> 
> <username> <$hostname>=(ALL) NOPASSWD:ALL
>> I don't like tabs in configuration files (or source code).
>>
>> The (ALL) really doesn't apply to many users any more.
> 
> I'm not sure if you confused the positions, or if these were two 
> separate thoughts.  

Two separate thoughts.  You had \t in the echo.

> I'll separate, but answer as if confused/transposed 
> for anybody who reads, as that's how I understood your comments here at 
> first.  The '(ALL)' allows the user to choose all users to run the 
> command as...it could also be any previously defined user alias or a 
> valid user name as well.

I did not remember correctly.  What we have is:

user hostlist = (userlist) commandlist

* user is the name of the user or group to which this rule applies
* hostlist is a list of hosts this rule applies to
* userlist is a list of users that this rule can be run as, and must be
  enclosed in ( )
* commandlist is a list of commands that this rule states can be executed

The userlist token is optional – if excluded, it defaults to root.

I had swapped userlist and hostlist in my memory. ALL and (ALL) are a bit 
ambiguous.  :)

> But, yes I agree, very few people lock down commands to specific users 
> anymore, and just run everything that needs elevated privileges as the 
> superuser and change perms if needed when done.  I'm guilty as well...and 
> it is because of relaxed sudoers files. ;-)
> 
>> I'm not even sure how
>> I'd use sudo to run something on another host.
>>    
> You can't directly (at least not that I know of), it is intended for 
> shared sudoers files (or included sudoers files) across the network.

OK.  I sorta see.  The sudoer file is in /etc which is never shared AFAIK, but 
if the sudoer file includes a shared file, then it could be appropriate.

> See the example above 'ALL' before the equal sign just lets it match 
> unconditionally, any host. 'ALL' always matches unconditionally and is 
> actually not really security conscious IMO, but su is not easily 
> scripted, so I can justify it for my own use. ;-)
> 
> 
>> The sudoers file can be very complex or very easy (like the current example).
>> I'd prefer to leave it as it is.
>>
>>    
> The second point of my original post is that I severely dislike the 
> NOPASSWD option.  Granted, an admin shouldn't leave a console 
> unattended, but in the event that she does, then she has some form of 
> protection.  Having now reviewed the manual page fully, the default 
> timeout is 5 minutes (before you have to enter your password again).  I 
> really don't care for the generous use of 'ALL', but I can live with it.

I don't have a problem with removing the NOPASSWD option.

   -- Bruce
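As an added illustration of the `user hostlist = (userlist) commandlist` grammar laid out in the message above (example code, not from the thread or from sudo itself), this Python parser reads the rule forms the two posters discuss, applies the default of root when the (userlist) token is omitted, and flags the NOPASSWD and ALL settings they disagree about. The sample sudoers text and the `lfs` hostname are constructed, and tag handling is simplified to the upper-case `TAG:` prefix form.

```python
import re
# Constructed sample mirroring the rule forms discussed in the thread (not a real file)
SAMPLE_SUDOERS = """\
User_Alias ADMIN = bruce
%sudoers ALL=(ALL) ALL
dj lfs=(ALL) NOPASSWD:ALL
backup ALL=/usr/bin/rsync
"""

SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"  # user hostlist =
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                 # optional (userlist)
    r"(?P<cmds>.+)$"                                # commandlist, possibly tagged
)

def parse_rule(line):
    """Parse one 'user hostlist = (userlist) commandlist' rule; None if not a rule."""
    line = line.strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds, tags = m.group("cmds").strip(), []
    # Tags such as NOPASSWD: prefix the command list; tag names are upper-case
    while ":" in cmds and cmds.split(":", 1)[0].isupper():
        tag, cmds = (part.strip() for part in cmds.split(":", 1))
        tags.append(tag)
    runas = m.group("runas")
    return {
        "user": m.group("user"),
        "hosts": m.group("hosts"),
        "runas": "root" if runas is None else runas,  # (userlist) is optional, defaults to root
        "tags": tags,
        "commands": cmds,
    }

# Each check flags one of the relaxed settings debated in the thread
CHECKS = [
    (lambda r: "NOPASSWD" in r["tags"], "NOPASSWD: no password prompt on an unattended console"),
    (lambda r: r["runas"] == "ALL", "(ALL): commands may run as any user, not only root"),
    (lambda r: r["commands"] == "ALL", "ALL commands: no restriction on what can be run"),
]

def audit(text):
    """Return (rule, findings) pairs for every rule line in a sudoers text."""
    rules = filter(None, (parse_rule(line) for line in text.splitlines()))
    return [(r, [msg for check, msg in CHECKS if check(r)]) for r in rules]
```

Running `audit(SAMPLE_SUDOERS)` shows the `%sudoers` group rule with two findings, the NOPASSWD rule with three, and the rsync-only rule with none.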


