Providing Superpowers with sudo (Unix Power Tools, 3rd Edition)

49.11. Providing Superpowers with sudo

You may not want to give people access to the root password just to give them access to specific superuser powers. In cases such as this, you should consider using sudo -- an application that enables specified users to execute applications that normally require root privileges.

The sudo application isn't installed by default on all systems, but it is available for most. You can find out if it's installed on your system by typing sudo at the command line. If it isn't installed, check online for versions that run on your machine. The application's home is at http://www.courtesan.com/sudo/index.html.

The sudo configuration file is called sudoers and is installed in the /etc subdirectory. In Darwin, the default sudoers file has the following settings:

root  ALL=(ALL) ALL
%admin ALL=(ALL) ALL

In the file, root has open access to all applications. In addition, all members of the admin group (equivalent to wheel within Darwin) can also run all commands.

Without getting into too much detail (an online sudoers manual is at http://www.courtesan.com/sudo/man/sudoers.html), the sudoers file can consist of a set of aliases, used to define groups of people, commands, hosts, or run as options. It then defines rules by which specific users or group of users can run specific commands. There are four types of aliases:

User_Alias: List of specific users
Runas_Alias: List of users to emulate
Host_Alias: List of servers
Cmnd_Alias: Command list

Examples of aliases are:

User_Alias     SYSADMINS = shelleyp, mike, tomd
Runas_Alias    OP = root
Host_Alias     BB = burningbird
Cmnd_Alias     SU = /usr/bin/su

Following the aliases are override rules in reference to system defaults. For instance, warnings and "lectures" can be attached to certain commands to ensure that people are aware of the repercussions of their actions. However, people who are sysadmins shouldn't be subjected to these rules; the lectures can be turned off for them:

Defaults:SYSADMINS       !lecture

Neither aliases nor default overriding rules are required in the sudoers file. The only statements that are required are the command rules. In the Darwin file, the rules allowed root and admin access of all commands. Other rules that can be created are:

# sysadmins can run all commands, without password
SYSADMINS   ALL = NOPASSWD: ALL

# chris can run anything on the burningbird machine as OP (root)
chris       BB = (OP) ALL

# joe can run SU on burningbird as root
joe         BB = (root) SU

To edit the sudoers file, you use a specialized editing tool, visudo (see manual at http://www.courtesan.com/sudo/man/visudo.html), while logged in as root. The editor prevents collision between multiple authors and also verifies the correctness of the edits.

To work with sudo (manual at http://www.courtesan.com/sudo/man/sudo.html), type sudo and the command you want to exit:

% sudo vi test

Depending on your setup, you'll get a warning or a password prompt, or the command will fail or execute.

One interesting side effect of sudo is that if you allow root access to an application that has shell escape, such as vi, you are indirectly giving that person access to a root shell. Use sudo with caution.

-- SP