Basic Examples
- Run `sudo -l` to view the rules for the currently logged in user
- `%group_a ALL=(ALL) NOPASSWD: ALL`
  - `%group_a`: all users belonging to group `group_a`
  - `ALL`: can run on all hosts
  - `(ALL)`: can run as any user
  - `NOPASSWD:`: can run the commands without entering a password
  - `ALL`: can run all commands with `sudo`
- `user_a ALL=(ALL) /usr/bin/bash`
  - `user_a`: self-explanatory (the user the rule applies to)
  - `ALL`: can run on all hosts
  - `(ALL)`: can run as any user
  - `/usr/bin/bash`: able to do `sudo /usr/bin/bash` (not `sudo bash`! sudo matches the fully qualified path it resolves from the PATH, so a bare `sudo bash` only works if that lookup yields exactly `/usr/bin/bash`)
Syntax
Never edit the sudoers file without visudo
Always use `visudo` to edit `/etc/sudoers`, to prevent syntax errors (which would otherwise render `sudo` unusable). `visudo` locks the file and checks it for syntax errors before writing it back. You can use your favorite text editor in `visudo` via `export EDITOR=<your-editor>` or `EDITOR=<your-editor> visudo`.
To check a file without installing it, e.g. a drop-in destined for `/etc/sudoers.d/`, use `visudo -c -f FILE`; a bare `visudo -c` checks the sudoers files already in place.
Command
- NOTE: use `ALL` to match everything. Use aliases to handle multiple entities at once.
- User: the user / group / alias this rule applies to
  - a user called `bob`: `bob`
  - a group called `devs`: `%devs`
  - the user with UID 1000: `#1000`
  - the group with GID 1000: `%#1000`
- Host: which hosts this rule applies to
  - hostname, as reported by `hostname`
  - IP address
  - network, like `10.10.10.0/24`
  - wildcards, see the `fqdn` option
  - does NOT work: loopback names or addresses like `localhost` or `127.0.0.1` (see the Super User question "localhost in sudoers")
- Runas: which users / groups the command may be run as
  - omitted: run only as `root` (more precisely, as `runas_default`, which is `root` unless changed)
  - user only: `(USER)`; `sudo -u USER command`; `-g` will not be allowed
  - group only: `(:GROUP)`; `sudo -g GROUP command`
  - combination: `(USER:GROUP)`; combine `-u` and `-g`
- Options (tags placed in front of the command)
  - `SETENV:`: allow the user to set environment variables for the command
  - `NOPASSWD:`: allow the user to run the command without entering a password
- Command: full path to the executable (otherwise an attacker could substitute a fake one by manipulating `$PATH`)
  - binary: `/usr/bin/bash`
  - binary with digest: SHA-2 digests of 224, 256, 384, and 512 bits are accepted in hex or base64 format, e.g., `sha224:IkotndXGTmZtH5ZNFtRfIwkG0WuiuOs7GoZ+6g== /bin/ls`; use `shaXXXsum` or `openssl` to generate digests
  - edit file: `sudoedit FILENAME`; `sudoedit` is a special keyword: it only installs the edited file as the Runas user, but opens the editor as the invoking user
  - directory: a path ending in `/` allows every file directly under that directory (not in its subdirectories) to be run with `sudo`
  - wildcards: `/usr/bin/a*`; WARNING: command-line arguments are matched as a single space-delimited string, so a `*` matches across word boundaries and `/bin/cat /etc/message*` also lets the user pass additional arguments (e.g., `sudo cat /etc/messages /etc/shadow`)
  - multiple: delimited by `,`, e.g., `/usr/bin/bash, /bin/df -h /, /bin/date "", sudoedit /etc/hosts` (an empty `""` means the command must be run with no arguments at all)
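The checks a practitioner would script around the rules above: validating a fragment with `visudo -c -f` before installing it (the Syntax section), emitting a digest-pinned command spec, and reproducing sudo's argument matching to see why a wildcard in an argument also admits extra arguments. This is an added example, not code from the original cheat sheet; the function names are hypothetical, the digest uses SHA-256 via `sha256sum` (or `shasum -a 256`), the argument matcher approximates sudo's `fnmatch(3)` with the shell's own `case` globbing, and installing into `/etc/sudoers.d/` needs root.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet); all names are hypothetical.
set -eu

# 1. Syntax-check a sudoers fragment without installing it.
sudoers_check() {
    visudo -c -f "$1"
}

# Install a fragment as /etc/sudoers.d/<name> only if visudo accepts it.
# Mode 0440 and root ownership match what sudo expects of sudoers files.
sudoers_install() {
    frag=$1; name=$2
    sudoers_check "$frag" || { echo "rejected: $frag" >&2; return 1; }
    install -o root -g root -m 0440 -- "$frag" "/etc/sudoers.d/$name"
}

# 2. Emit a digest-pinned command spec in sudoers syntax.  sudoers accepts
#    sha224/256/384/512 in hex or base64; the sum tools print hex directly.
sudoers_digest() {
    file=$1
    if command -v sha256sum >/dev/null 2>&1; then
        hex=$(sha256sum -- "$file" | cut -d' ' -f1)
    else
        hex=$(shasum -a 256 -- "$file" | cut -d' ' -f1)
    fi
    printf 'sha256:%s %s\n' "$hex" "$file"
}

# 3. Emulate how sudo matches a rule's argument pattern: it is applied to
#    ALL invoked arguments joined into one space-separated string, so a
#    trailing '*' happily swallows a second argument.  (sudo uses
#    fnmatch(3); an unquoted case pattern is a close approximation.)
sudoers_args_match() {
    pattern=$1; shift
    invoked=$*                    # $* joins the arguments with single spaces
    case "$invoked" in
        $pattern) return 0 ;;     # unquoted on purpose: treated as a glob
        *)        return 1 ;;
    esac
}

# Demonstration on constructed input; nothing here touches /etc.
if [ -r /bin/ls ]; then
    sudoers_digest /bin/ls
fi
if sudoers_args_match '/etc/message*' /etc/messages /etc/shadow; then
    echo "rule '/bin/cat /etc/message*' also permits: cat /etc/messages /etc/shadow"
fi
if ! sudoers_args_match '/etc/messages' /etc/messages /etc/shadow; then
    echo "an exact argument '/etc/messages' does not"
fi
```

`sudoers_install` is the only function that needs privileges; run `sudoers_check` on the fragment as an ordinary user first, and paste the `sudoers_digest` output into the rule verbatim (the digest must be regenerated whenever the binary is updated, otherwise the rule silently stops matching).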
Aliases
- an alias can include another alias
- exclude or negate by prefixing `!`, e.g., to exclude a user from a group
  - NOTE: negation is generally not effective against `ALL` in a `Cmnd_Alias` (a user who may run `ALL` except a shell can simply copy the shell binary under another name); write an allow-list of permitted commands instead
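The negation pitfall and the allow-list alternative, written out as a sudoers fragment. This is an added illustration, not part of the original cheat sheet; the host `web1`, the users `alice` and `bob`, the group `devs`, and the alias names are made up.

```sudoers
# Added illustration (not from the original cheat sheet); all names are hypothetical.

# An alias can include another alias.
Cmnd_Alias SERVICES  = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
Cmnd_Alias LOGS      = /usr/bin/journalctl -u nginx
Cmnd_Alias WEB_OPS   = SERVICES, LOGS
User_Alias WEBADMINS = alice, bob

# Negation in a user list: everyone in group devs except bob may read the logs.
%devs, !bob  web1 = (root) LOGS

# WEAK: "everything except a shell" is not enforceable. bob could copy
# /usr/bin/bash to /tmp/notbash and run that with sudo, or use any of the
# many other commands that spawn a shell or write arbitrary files.
# WEBADMINS ALL = (ALL) ALL, !/usr/bin/bash, !/bin/sh

# BETTER: allow-list exactly what is needed, as a specific user, on specific hosts.
WEBADMINS web1 = (root) WEB_OPS
```

Check the fragment with `visudo -c -f` before copying it into `/etc/sudoers.d/`; the commented-out WEAK rule is there only to show the shape of the anti-pattern.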
Options
- Parse order of `Defaults` entries (first to last, so later entries override earlier ones): generic, then host and user, then runas, then command
- See the `sudoers(5)` manpage for more options