
Sudo, configuring

From FreeBSDwiki

First, install sudo. It isn't in the base system, so su to root, go to /usr/ports and find out where the port lives (on a current FreeBSD you can skip the ports tree and just run pkg install sudo):

[dave]@deus ~ % sudo
-bash: sudo: command not found
[dave]@deus ~ % su -
Password:
[root]@deus ~ # cd /usr/ports && make search name=sudo
Port:   sudo-1.6.7.5
Path:   /usr/ports/security/sudo
Info:   Allow others to run commands as root
Maint:  mharo@FreeBSD.org
B-deps:
R-deps:

[root]@deus /usr/ports # cd security/sudo
[root]@deus /usr/ports/security/sudo # make install clean

Once it's installed, you'll need to run visudo to edit /etc/sudoers. You can open the file in any editor, but you shouldn't: visudo locks the file against concurrent edits and, more importantly, parses it before it saves, refusing to write a sudoers file with a syntax error. A hand-edited sudoers with a typo in it makes sudo refuse to run at all, which locks you out of root if sudo is your only way to get there.

Note that visudo doesn't necessarily call the vi editor; it opens your default editor (typically whatever VISUAL or EDITOR is set to, falling back to vi), so if that happens to be vi then vi will come up, and otherwise your regular editor will.

/etc/sudoers has one entry in it:

root ALL=(ALL) ALL

which doesn't really explain what those ALLs mean in context, so a lot of folks end up giving ALL=(ALL) ALL to every user they add. That's nice, but you're giving all of root's power away; the only things sudo still buys you over handing out the root password are a log line per command and no shared secret to rotate.

The explanation:

sudo-user machine=(effective user) command

Each field can be ALL, a single name, a comma-separated list, or an alias (see below). The machine field is matched against the hostname of the box sudo is actually running on, which is what makes one sudoers file usable across several machines.

So, if I want to give jimbo root access on my server, peet root on my laptop and light only access to shutdown on all my machines, my sudoers would look like:

root  ALL=(ALL) ALL
jimbo samizdata.mydomain.tld=(ALL) ALL
peet  deus=(ALL) ALL
light ALL=(ALL) /sbin/shutdown

The hostname goes before the = sign and has to match what hostname(1) prints on that machine (sudo can be made to compare fully-qualified names with the fqdn option in a Defaults line).

Finally, if you just want to give yourself root access on your server via sudo with no password, your sudoers might look like:

root ALL=(ALL) ALL
yourself ALL=(ALL) NOPASSWD: ALL

Be aware of what NOPASSWD: means: anyone who gets a shell as that user (a stolen SSH key, an unattended terminal) is root without any further challenge. It belongs on dedicated automation accounts limited to specific commands, not on your interactive login.

NOTE: remember that setting sudo rights for multiple machines in a single sudoers file is only meaningful if that file is actually shared or distributed across those multiple machines. Simply writing permissions for the machine samizdata on the machine deus isn't going to do anything useful by itself. You would need to copy the file contents over to all the machines that are listed. There is no daemon to restart or signal: sudo is an ordinary setuid program that re-reads /etc/sudoers every time it is invoked, so the copy takes effect immediately. Check the copy with visudo -c before you rely on it, for the same lock-out reason given above.

Using Aliases to make life easier

You can make groups within the sudoers file so that you don't have to type more than you need to. Follow this format:

User_Alias allows you to define a group of users
Runas_Alias allows you to define the target users (often daemon accounts) a command may be run as
Host_Alias allows you to define a group of hosts
Cmnd_Alias allows you to define which commands (full path must be given) are in a group

You can use already existing system groups, but you have to add the prefix % (e.g., %wheel)

As an example, if my /etc/sudoers showed:

User_Alias ADMINS=jimbo
User_Alias DNSADMINS=peet
User_Alias DHCPADMINS=light

Runas_Alias DAEMONS=bind,dhcpd,sshd

Host_Alias NAMESERVERS=ns1.samizdata.mydomain.tld,ns2.samizdata.mydomain.tld
Host_Alias DHCPSERVERS=dhcp.mydomain.tld,dhcp2.mydomain.tld

Cmnd_Alias DNS=/usr/local/sbin/rndc,/usr/local/sbin/named
Cmnd_Alias DHCP=/usr/local/sbin/dhcpd

at the top, then I could add these lines to the bottom:

ADMINS ALL=(ALL) DNS,DHCP
DNSADMINS NAMESERVERS=(DAEMONS) DNS
DHCPADMINS DHCPSERVERS=(DAEMONS) DHCP

Whitespace around the commas and the = sign is optional; sudoers ignores it, so you can write the lists with or without spaces as you prefer. This would essentially give jimbo rights to do root-privilege stuff on any server, as any user, but only using the commands that DNS and DHCP specify; peet would only get access on NAMESERVERS, only run commands as one of the DAEMONS accounts, and only use the commands in DNS. light would only get access on DHCPSERVERS, run as DAEMONS and only be able to run /usr/local/sbin/dhcpd.

This is ideal if you have a) a lot of servers and/or b) a lot of admins with specific functions, that don't need complete access to the machine, but do need some sort of administrative rights on it.
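To make the matching rules above concrete, here is an added example (not code from sudo or from this wiki) that evaluates the sudoers subset this page uses: user host=(runas) command specs, the four alias kinds, %group users, NOPASSWD: and ALL. It answers "may WHO run CMD on HOST as RUNAS?" against a constructed sudoers text that combines the page's aliases and user specs. The sudoers text, the group table standing in for /etc/group, and the host and user names are all assumptions for illustration; the real grammar is far larger (negation with !, wildcards, Defaults, continuation with :), so check a real file with visudo -c rather than with this script.

```python
"""Evaluate the sudoers subset described on this page (added illustration,
not sudo's own parser). Supports User_Spec lines of the form
  user host=(runas) [NOPASSWD:] cmd, cmd...
plus User_/Runas_/Host_/Cmnd_Alias, %group users and the ALL wildcard."""
import re
from dataclasses import dataclass

# Constructed sudoers text; the aliases and specs mirror the page's examples.
SAMPLE_SUDOERS = """\
User_Alias ADMINS = jimbo
User_Alias DNSADMINS = peet
User_Alias DHCPADMINS = light
Runas_Alias DAEMONS = bind, dhcpd, sshd
Host_Alias NAMESERVERS = ns1.samizdata.mydomain.tld, ns2.samizdata.mydomain.tld
Host_Alias DHCPSERVERS = dhcp.mydomain.tld, dhcp2.mydomain.tld
Cmnd_Alias DNS = /usr/local/sbin/rndc, /usr/local/sbin/named
Cmnd_Alias DHCP = /usr/local/sbin/dhcpd

root       ALL=(ALL) ALL
%wheel     ALL=(ALL) ALL                 # members of the wheel group
light      ALL=(ALL) /sbin/shutdown
yourself   ALL=(ALL) NOPASSWD: ALL       # the page's no-password example
ADMINS     ALL=(ALL) DNS, DHCP
DNSADMINS  NAMESERVERS=(DAEMONS) DNS
DHCPADMINS DHCPSERVERS=(DAEMONS) DHCP
"""

# Constructed stand-in for /etc/group membership (assumed: dave is in wheel).
GROUPS = {"wheel": {"dave"}}


@dataclass
class Spec:
    users: list      # user names, %groups or User_Alias names
    hosts: list      # host names or Host_Alias names
    runas: list      # target users or Runas_Alias names
    nopasswd: bool   # NOPASSWD: tag present
    cmds: list       # command paths or Cmnd_Alias names


ALIAS_RE = re.compile(r"^(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(?:\((.*?)\)\s*)?(NOPASSWD:\s*)?(.+)$")


def _split(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse(text):
    """Return (aliases, specs); '#' comments and blank lines are ignored."""
    aliases = {k: {} for k in ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = _split(m.group(3))
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + raw)
        users, hosts, runas, nopw, cmds = m.groups()
        # An omitted (runas) list means root, sudo's runas_default.
        specs.append(Spec(_split(users), _split(hosts), _split(runas or "root"),
                          bool(nopw), _split(cmds)))
    return aliases, specs


def _expand(items, table):
    """Recursively replace alias names by their members; return leaf strings."""
    leaves = set()
    for item in items:
        leaves |= _expand(table[item], table) if item in table else {item}
    return leaves


def _user_matches(who, users, aliases):
    for u in _expand(users, aliases["User_Alias"]):
        if u == "ALL" or u == who:
            return True
        if u.startswith("%") and who in GROUPS.get(u[1:], set()):
            return True
    return False


def _matches(value, items, table):
    leaves = _expand(items, table)
    return "ALL" in leaves or value in leaves


def check(sudoers, who, host, cmd, runas="root"):
    """Return (allowed, password_required). As in sudo, every entry is
    considered and the LAST matching entry wins, so a later NOPASSWD: line
    overrides an earlier password-required one."""
    aliases, specs = parse(sudoers)
    verdict = (False, True)
    for s in specs:
        if (_user_matches(who, s.users, aliases)
                and _matches(host, s.hosts, aliases["Host_Alias"])
                and _matches(runas, s.runas, aliases["Runas_Alias"])
                and _matches(cmd, s.cmds, aliases["Cmnd_Alias"])):
            verdict = (True, not s.nopasswd)
    return verdict


if __name__ == "__main__":
    # peet may run rndc on a nameserver as bind, but not as root and not on deus
    print(check(SAMPLE_SUDOERS, "peet", "ns1.samizdata.mydomain.tld", "/usr/local/sbin/rndc", "bind"))
    print(check(SAMPLE_SUDOERS, "peet", "ns1.samizdata.mydomain.tld", "/usr/local/sbin/rndc"))
    print(check(SAMPLE_SUDOERS, "peet", "deus", "/usr/local/sbin/rndc", "bind"))
```

The three calls at the bottom show the point of the (DAEMONS) list: peet's rndc is allowed only when the target user is one of the daemon accounts and only on a NAMESERVERS host; the same command as root, or on the laptop, is refused. The %wheel line matches through the constructed GROUPS table, and the NOPASSWD: line is the only one that returns password_required False.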
