Lately been struggling with quotes and getting my variables working correctly inside the quotes.  With more precisely variables followed directly by text without spaces.  Like updating sudoers files the end result I want, to take whatever groups are in sudoers now and append _ldap to them using only bash echo.
%testgroup1Â ALL=(ALL) ALL
%testgroup1_ldap ALL=(ALL) ALL
use strong quotes around everything except the variable
echo ‘%’$GROUP’_ldap ALL=(ALL) ALL’ >> /some/file
Letting user ONLY run certain commands as root.
|
1 2 3 |
frank ALL= /bin/kill,/sbin/linuxconf, /etc/init.d/ To limit user frank to ONLY one or two hosts to run those commands, you need to replace ALL with the hostnames of your machines. |
|
1 2 3 |
frank linuxhost1= /bin/kill,/sbin/linuxconf, /etc/init.d/ To limit user frank to ONLY one linux host but also grant him access to user other files owned by another user. To enable that, frank would need to `sudo -u timmy command`. |
|
1 2 3 4 |
frank linuxhost1=(timmy, george) /bin/kill,/sbin/linuxconf, /etc/init.d/ Let's say frank is getting tired of having to type sudo -u timmy everytime, as he spends most of his time editing timmys files. This says that frank will type his password in one time, then have a 20 minute window which he won't have to re-type his password and sudo -u will default to user timmy. |
|
1 |
Defaults:frank timestamp_timeout=20, runas_default=timmy |
We have recently been having issues at work with users, sudo su directly to root thus bypassing sudo logging and completely blocking any ability to trace back what was done to the systems. Most of these issues can be traced back to my team (system administration) and I will take the blame for the most part. We were handing out full sudo root to users by just saying don’t use sudo su or any of the other methods to drop directly to a root prompt, it’s against corporate security and was based on the trust factor. The reason: there’s primarily only 2 UNIX SE’s, we had roughly 700 UNIX boxes 6 months ago, we now have close to 1500 UNIX hosts. Way to much work to worry about trying to setup and stricten the sudoers file. However, now that things have settled down a bit. Everyone and their brother are using pretty much only sudo su -. It’s a complete mess at this point. So much for the trust factor…
Now the users are spoiled and so used to just sudo su, it’s crazy some don’t even know when to use sudo properly and think sudo su is how your suppose to use sudo. Anyhow got tired of slapping little Johnnies hand and said no no no…So just added this to the sudoers file… The bottom line is that Johnny doesn’t listen…
Sure the smart thing to do is to stricten the sudoers down and only hand out what they need, or setup Puppet, but those things take time and I need to re-lock down the environment now.
Defaults mailto=systemadmin@example.com, mail_badpass, mail_no_user, mail_no_perms
Defaults logfile=/root/.sudolog, log_year, log_host
Defaults always_set_home
Defaults env_reset
Cmnd_Alias SHELLS=/bin/ash, /bin/bash, /bin/csh, /bin/sh, /usr/bin/es, /usr/bin/ksh,/usr/bin/rc, /usr/bin/tcsh, /usr/bin/zsh, /bin/sash, /bin/zsh, /usr/bin/esh, /bin/tcsh, /sbin/sh, /usr/local/bin/bash, /usr/local/bin/tcsh, /bin/login, /bin/su
johnny  ALL=ALL, !SHELLS
If anyone has any other suggestions I would love to hear them
I haven’t used either one of these, but I was always curious on if there was a sudo for Windows. I guess there is..
Some of this is not new but just adding it, not my writing found this article somewhere.
To allow a user to gain full root privileges when he/she precedes a command with “sudo”, add the following line:
USER_NAME ALL=(ALL) ALL
and/or to allow a user sudo access from the local machine only:
USER_NAME HOSTNAME=(ALL) ALL
and/or to allow members of group wheel sudo access requiring no password:
%wheel ALL=(ALL) NOPASSWD: ALL
where USER_NAME is the user name of the individual.
Password cache timeout
Users may wish to change the default timeout before the cached password expires. This is accomplished by adding following to /etc/sudoers (visudo) for example:
Defaults:USER_NAME timestamp_timeout=20
where the password expires for user USER_NAME if unused for over 20 minutes. Values between 0 and 1 are also allowed.
Tab-completion, by default, will not work when a user is initially added to the sudoers file. For example, normally john only needs to type:
|
1 |
fire<TAB> |
and the shell will complete the command for him as:
|
1 |
firefox |
If, however, john is added to the sudoers file and he types:
|
1 |
sudo fire<TAB> |
the shell will do nothing.
To enable tab-completion with sudo, add the following to your ~/.bashrc:
|
1 |
complete -cf sudo |
Alternatively, you could also install and enable bash-completion to get smarter tab-completion for commands like sudo, see bash#Auto-completion for more information.
To allow sudo to start graphical application in X11, you need to add
|
1 |
Defaults env_keep += "HOME" |
to visudo.
If you are annoyed by sudo’s defaults that require you to enter your password every time you open a new terminal, disable tty_tickets:
|
1 |
Defaults !tty_tickets |
If you have a lot of environment variables, or you export your proxy settings via export http_proxy="...", when using sudo these variables do not get passed to the root account unless you run sudo with the -E option.
|
1 |
$ sudo -E pacman -Syu |
Because of this you may wish to add an alias in ~/.bashrc:
|
1 |
alias sudo="sudo -E" |
Another way of fixing this would be to add in /etc/sudoers:
|
1 |
Defaults !env_reset |
If you want to just pass *_proxy variables, add the following:
|
1 |
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy" |
If you want to run administrative commands (those in /sbin or /usr/sbin) with sudo without using their full path, add:
|
1 |
Defaults secure_path="/bin:/sbin:/usr/bin:/usr/sbin" |
in /etc/sudoers.
This allows you to do:
|
1 |
$ sudo command |
instead of:
|
1 |
$ sudo /sbin/command |
or:
|
1 |
$ sudo /usr/sbin/command |
If you use a lot of aliases, you might have noticed that they do not carry over to the root account when using sudo. However, there is an easy way to make them work. Simply add the following to your ~/.bashrc or /etc/bash.bashrc:
|
1 |
alias sudo='sudo ' |
Users can configure sudo to display clever insults when an incorrect password is entered instead of printing the default “wrong password” message. Find the Defaults line in /etc/sudoers and append “insults” after a comma to existing options. The final result might look like this:
|
1 2 |
#Defaults specification Defaults insults |
To test, type sudo -K to end the current session a let sudo ask for the password again.
Users can configure sudo to ask for the root password instead of the user password by adding “rootpw” to the Defaults line in /etc/sudoers:
|
1 |
Defaults timestamp_timeout=0,rootpw |
With sudo installed and configured, users may wish to disable the root login. Without root, attackers must first guess a user name configured as a sudoer as well as the user password.
The account can be locked via passwd:
|
1 |
# passwd -l root |
A similar command unlocks root.
|
1 |
$ sudo passwd -u root |
Alternatively, edit /etc/shadow and replace the root’s encrypted password with “!”:
|
1 |
root:!:12345:::::: |
To enable root login again:
|
1 |
$ sudo passwd root |
kdesu may be used under KDE to launch GUI applications with root privileges. It is possible that by default kdesu will try to use su even if the root account is disabled. Fortunately one can tell kdesu to use sudo instead of su. Create/edit the file /usr/share/config/kdesurc:
|
1 2 |
[super-user-command] super-user-command=sudo |
When disabling the root account, it is nessecary to change the policykit configuration for local authorification to reflect that. The default is to ask for root password, so that must be changed. With polkit-1, this can be achieved by editing /etc/polkit-1/localauthority.conf.d/50-localauthority.conf so that
|
1 |
AdminIdentities=unix-user:0 |
is replaced by something else, depending on the system configuration. It can be a list of users and groups, for example
|
1 |
AdminIdentities=unix-group:wheel |
or
|
1 |
AdminIdentities=unix-user:me;unixuser:mom;unix-group:wheel |
SSH does not allocate a tty by default when running a remote command. Without a tty, sudo cannot disable echo when prompting for a password. You can use ssh’s “-tt” option to force it to allocate a tty. (use -tt twice).
The Defaults option requiretty only allows the user to run sudo if they have a tty
|
1 2 3 |
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear. You have to run "ssh -t hostname sudo <cmd>". # #Defaults requiretty |
You can find out what privileges a particular user has with the following command:
|
1 |
sudo -lU askapache |
Or view your own with
|
1 |
sudo -l |
|
1 2 3 4 5 6 7 8 9 10 11 |
Matching Defaults entries for askapache on this host: loglinelen=0, logfile=/var/log/sudo.log, log_year, syslog=auth, mailto=sqpt.webmaster@gmail.com, mail_badpass, mail_no_user, mail_no_perms, env_reset, always_set_home, tty_tickets, lecture=always, pwfeedback, rootpw, set_home User askapache may run the following commands on this host: (ALL) ALL, (ALL) NOPASSWD: /usr/sbin/lsof, /bin/nice, /bin/netstat, /usr/bin/su, /usr/bin/locate, /usr/bin/find, /usr/bin/rsync, /usr/bin/strace, (ALL) /bin/nice, /bin/kill, /usr/bin/nice, /usr/bin/ionice, /usr/bin/top, /usr/bin/kill, /usr/bin/killall, /usr/bin/ps, /usr/bin/pkill, (ALL) /usr/sbin/gparted, /usr/bin/pacman (ALL) /usr/local/bin/synergyc, /usr/local/bin/synergys, (ALL) /usr/bin/vim, /usr/bin/nano, /usr/bin/cat (root) NOPASSWD: /usr/local/bin/synergyc |
This is especially helpful for those using terminal multiplexers like screen, tmux, or ratpoison, and those using sudo from scripts/cronjobs.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
Cmnd_Alias WHEELER = /usr/sbin/lsof, /bin/nice, /bin/ps, /usr/bin/top, /usr/local/bin/nano, /bin/netstat, /usr/bin/locate, /usr/bin/find, /usr/bin/rsync Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/nice, /usr/bin/ionice, /usr/bin/top, /usr/bin/kill, /usr/bin/killall, /usr/bin/ps, /usr/bin/pkill Cmnd_Alias EDITS = /usr/bin/vim, /usr/bin/nano, /usr/bin/cat, /usr/bin/vi Cmnd_Alias ARCHLINUX = /usr/sbin/gparted, /usr/bin/pacman, /usr/bin/pacman-color root ALL = (ALL) ALL askapache ALL = (ALL) ALL, NOPASSWD: WHEELER, NOPASSWD: PROCESSES, NOPASSWD: ARCHLINUX, NOPASSWD: EDITS Defaults !requiretty, !tty_tickets, !umask Defaults visiblepw, path_info, insults, lecture=always Defaults loglinelen = 0, logfile =/var/log/sudo.log, log_year, log_host, syslog=auth Defaults mailto=webmaster@askapache.com, mail_badpass, mail_no_user, mail_no_perms Defaults passwd_tries = 8, passwd_timeout = 1 Defaults env_reset, always_set_home, set_home, set_logname Defaults !env_editor, editor="/usr/bin/vim:/usr/bin/vi:/usr/bin/nano" Defaults timestamp_timeout=360 Defaults passprompt="Sudo invoked by [%u] on [%H] - Cmd run as %U - Password for user %p:" |
|
1 |
