Security Memo

Search (Ctrl+K)

SearchSearch

Recent Notes

See 1423 more sorted by tag →

sudoers file

created Jan 08, 2024updated May 19, 20243 min read

Basic Examples

  • Run sudo -l to view the rules for the currently logged in user
%group_a ALL=(ALL:ALL) NOPASSWD: ALL
  • %group_a : all users belonging to group_a
  • ALL : can run on all hosts
  • ALL : can run as any user
  • NOPASSWD: : can run commands without password
  • ALL : can run all commands with sudo
user_a ALL=(ALL:ALL) /usr/bin/bash
  • user_a : self-explanatory
  • ALL : can run on all hosts
  • ALL : can run as any user
  • /usr/bin/bash : able to do sudo /usr/bin/bash (not sudo bash!)

Syntax

Never edit sudoers file without visudo

Always use visudo to edit /etc/sudoers to prevent syntax errors (which would otherwise render sudo unusable). visudo checks for syntax errors before writing to sudoers. You can use your favorite text editor in visudo via export EDITOR=<your-editor> or EDITOR=<your-editor> visudo.

Command

User Host (Runas) Options Command
  • NOTE: use ALL to match everything. Use aliases to handle multiple entities at once.
  • User: the user / group / alias associated with this rule
    • a user called bob: bob
    • a group called devs: %devs
    • user with UID 1000: #1000
    • user with GID 1000: %#1000
  • Host: what hosts this rule applies to
  • Runas: what users / group can the command be run as
    • omitted: run only as root user
    • user only: (USER); sudo -u USER command; -g will not be allowed
    • group only: (:GROUP); sudo -g GROUP command
    • combination: (USER:GROUP); combine -u and -g
  • Options
    • SETENV: : allow user to set environmental variables for the command
    • NOPASSWD: : allow user to run command without entering password
  • Command: full path to executable (otherwise an attacker can fake one by messing with $PATH)
    • binary: /usr/bin/bash
    • binary with digest: SHA-2 digests of 224, 256, 384, and 512-bits are accepted in hex or base64 format, e.g., sha224:IkotndXGTmZtH5ZNFtRfIwkG0WuiuOs7GoZ+6g== /bin/ls; use shaXXXsum or openssl to generate digests
    • edit file: sudoedit FILENAME; sudoedit is a special keyword; it only install the file as Runas but opens the editor as the original user
    • directory: all files under the directories is allowed to use with sudo
    • wirdcards: /usr/bin/a*; WARNING: arguments will be parsed as a single string (depending on the implementation) so /bin/cat /etc/message* will allow user to pass additional arguments
    • multiple: delimitted by ”,” e.g., /usr/bin/bash, /bin/df -h /, /bin/date "", sudoedit /etc/hosts

Aliases

# Format: TYPE_Alias ALIAS_1 = a, b, c : ALIAS_2 = d, e, ...
 
User_Alias TRUSTED = %admin, !ams
Runas_Alias LEGACYUSERS = oldapp1, oldapp2
Runas_Alias APPUSERS = app1, app2, LEGACYUSERS
Host_Alias PRODUCTION = www1, www2, 192.0.2.1/24, !192.0.2.222
Cmnd_Alias DBA = /usr/pgsql-9.4/bin, /usr/local/bin/pgadmin
  • an alias can include another alias
  • exclude or negate by prefixing !, e.g., exclude a user from a group
    • NOTE: generally not effective against ALL in Cmnd_Alias

Options

# use ! to turn off
Defaults env_reset, !insults, password_tries=4, lecture=always
Defaults passprompt="[sudo] Password for %p:"
 
# NOTE: You can use aliases
 
# host-specific options
# enable 'insults' on host 'laptop'
Defaults@laptop insults
# change passprompt on host 'desktop'
Defaults@desktop passprompt="Enter password: "
 
# effective when USER runs sudo
Defaults:USER !lecture
 
# effective when sudoing into TARGET_USER
Defaults>TARGET_USER mail_always, mailto="[email protected]"
 
# use ! for commands; use an alias if you want to specify arguments
Defaults!COMMAND always_set_home
  • Parse order (first to last): generic, host & user, runas, command
  • See manpage for more options

Graph View

Sources

Backlinks