Sudoers file

2023-11-13

Using the sudoers file

Unrestricted privileges

betty ALL=(ALL) ALL

The /etc/sudoers file is used in Unix-like operating systems to control which users and groups have permission to execute commands as other users, including the superuser (root).

Each entry in this file grants specific privileges. Let’s break down the entry betty ALL=(ALL) ALL:

  1. Username - betty: This is the username to whom the rule applies. In this case, the user betty is the one receiving the sudo privileges defined by this entry.

  2. Host Alias - ALL: The first ALL specifies the host alias, which determines on which machines this rule is valid. In this context, ALL means this rule applies to any machine. This is useful in network environments where the same sudoers file might be distributed or used across multiple machines.

  3. User Alias - (ALL): The (ALL) in parentheses is the user alias. It specifies the users that betty is allowed to run commands as. Here, ALL means betty can execute commands as any user, including root. This is a powerful privilege.

  4. Command Alias - ALL: The last ALL is the command alias. It specifies which commands betty is allowed to execute. In this case, ALL means betty is allowed to execute any command.

So, the entry betty ALL=(ALL) ALL means that the user betty can execute any command as any user (including root) on any machine where this sudoers file is active.

This is a broad level of access and should be granted carefully, as it gives betty essentially unrestricted control over the system.

Restricted with specific privileges

amy ALL=/usr/sbin/useradd, /usr/bin/passwd, ! /usr/bin/passwd root

This entry in the /etc/sudoers file defines specific permissions for a user named amy. It’s more restrictive and precise compared to the previous example. Let’s break it down:

  1. Username - amy: This is the username to whom the rule applies. In this case, amy is the user being granted certain sudo privileges.

  2. Host Alias - ALL: As in the previous example, the first ALL indicates the host alias. This means that the rule is valid on any machine where this sudoers file is active. It’s a common setting in environments where the same sudoers configuration is used across multiple machines.

  3. Command Alias - /usr/sbin/useradd, /usr/bin/passwd, ! /usr/bin/passwd root: This part is more complex than the previous example. It specifies a list of commands that amy is allowed to execute with sudo privileges, with a specific restriction:

    • /usr/sbin/useradd: amy is allowed to execute the useradd command, which is used to create new user accounts.

    • /usr/bin/passwd: amy can also execute the passwd command, which is used to change user passwords.

    • ! /usr/bin/passwd root: The exclamation mark (!) indicates a negation. This means amy is explicitly forbidden from changing the root user’s password using the passwd command.

  4. Lack of User Alias - (ALL): Unlike the previous example, this entry does not include (ALL) or any other user alias in parentheses. This implies that amy can only execute these commands as her own user account. She cannot use sudo to run these commands as any other user (including root).

So, the entry amy ALL=/usr/sbin/useradd, /usr/bin/passwd, ! /usr/bin/passwd root means that on any machine, the user amy can use sudo to run the useradd and passwd commands to manage users and their passwords, but she is explicitly forbidden from changing the root password.

This entry provides specific and controlled administrative privileges to amy, enhancing security by limiting the scope of her sudo access.
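Both entries above can be checked by stepping through them the way sudo does: a rule matches on user, host and Runas, then the command list is scanned and the last matching entry wins, so the negated ! /usr/bin/passwd root overrides the earlier bare /usr/bin/passwd. The evaluator below is an added example, not code from this post or from the sudo project; it models only the entry forms shown here (no aliases, Defaults or wildcards) and, where the parenthesised Runas part is omitted, applies sudo's documented default of root (runas_default), with sample entries that are constructed, not a real /etc/sudoers.

```python
import re
import shlex
# Constructed sample: the two entries from the post, not a real /etc/sudoers.
SUDOERS = """\
betty ALL=(ALL) ALL
amy ALL=/usr/sbin/useradd, /usr/bin/passwd, ! /usr/bin/passwd root
"""

RUNAS_DEFAULT = "root"  # sudo's documented default when (runas) is omitted
LINE_RE = re.compile(r"(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)")

def parse_line(line):
    """Split 'user host=(runas) cmd, ! cmd args' into (user, host, runas, specs).
    Each spec is (negated, path, args); args == [] means "any arguments", as a
    bare path does in sudoers. Aliases, Defaults, wildcards and "" are not modelled.
    """
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unparsable sudoers entry: {line!r}")
    user, host, runas, cmds = m.groups()
    specs = []
    for spec in cmds.split(","):
        spec = spec.strip()
        negated = spec.startswith("!")
        words = shlex.split(spec.lstrip("! "))  # drop the '!' and its spacing
        specs.append((negated, words[0], words[1:]))
    return user, host, runas, specs

def is_permitted(sudoers_text, user, host, runas, argv):
    """True if `user` on `host` may run argv as `runas`. Of all matching command
    specs the last one wins, as in sudo, so a trailing '! cmd args' revokes an
    earlier broader grant like a bare '/usr/bin/passwd'."""
    decision = False
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        u, h, r, specs = parse_line(line)
        if u != user or h not in ("ALL", host):
            continue
        allowed_runas = RUNAS_DEFAULT if r is None else r
        if allowed_runas not in ("ALL", runas):
            continue
        for negated, path, args in specs:
            if path != "ALL" and path != argv[0]:
                continue
            if args and args != argv[1:]:  # spec with args must match exactly
                continue
            decision = not negated
    return decision
```

On a live system, `sudo -l -U amy` shows the rule sudo actually applies for a user, and `visudo -c` checks the file for syntax errors before it is installed.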