Introduction to writing the /etc/sudoers file for sudo permission settings
Introduction
Hello. I am an infrastructure manager in the system solution department.
This may be an abrupt question, but do you all use the sudo command?
It runs commands with the privileges of the root user or another user, so you probably use it quite often when working in a terminal.
However, if every OS user could use this command, anyone could edit important configuration files such as process configurations or start and stop daemons, which is a security risk.
That is why the configuration file is normally used to define who may do what, and where.
This time, I would like to focus on the format of the sudo permission settings file, "/etc/sudoers".
You may have the opportunity to modify this file when setting up a server.
Are you just copying and pasting it from somewhere?
Understanding the format helps you avoid unexpected accidents and lets you use the file in more practical ways, so please take this opportunity to review it.
Format of "/etc/sudoers"
The "/etc/sudoers" file contains several default entries; let's pick one out.
root ALL=(ALL) ALL
Below, I will explain each part of this line.
"root" on the far left
This is where you specify who has the authority.
In this case, we are specifying the privileges to be given to the "root" user.
To set the privileges of an ordinary user, enter that user's name here.
"ALL" to the left of "="
When the same settings file is shared across multiple servers, this field determines on which hosts the line applies.
If you manage sudo settings on each server individually, the file always applies to the server it is on,
so in that case there is no problem with writing "ALL" here.
The exception is when the settings for multiple servers are managed centrally, for example through a directory service.
To the right of "=", the contents of the parentheses
As background: the sudo command is fundamentally a command that "acts on behalf of another user or group and runs with that user's privileges"; running with root privileges is simply the default behaviour when no user or group is specified.
This part specifies which users the invoking user may act on behalf of.
In the example above the group half of the parentheses is omitted, but the full form is (ALL:ALL): the users that can be assumed with "sudo -u" go to the left of the colon, and the groups that can be assumed with "sudo -g" go to the right.
For example, when you want to let a user run a command that only root can execute,
it does not really matter whether they can also become an ordinary user (root can do that anyway), so the target is often written as (ALL), meaning they may become anyone, including root.
Of course, there is no problem with explicitly writing (root) instead.
* Incidentally, if you omit the ":ALL" part, that is, the second half of the parentheses, no group can be specified, so "sudo -g" cannot be used.
About ALL on the far right
This specifies which operations are allowed.
Writing ALL means that anything is allowed.
For example, if you want to allow the hoge user to do nothing but restart Apache, write the following.
* Note that the command must be written with its full path. The path may differ between systems, so check it with the which command.
hoge ALL=(ALL:ALL) /usr/bin/systemctl restart httpd
The line above only allows restarting, so if you also want to permit other commands, separate them with commas as shown below.
hoge ALL=(ALL:ALL) /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
Conversely, you can forbid only specific commands by writing them with "!" as shown below.
hoge ALL=(ALL:ALL) ALL, !/usr/bin/systemctl restart httpd, !/usr/bin/systemctl status httpd
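To make the structure explained above concrete, here is a small POSIX sh checker, added as an example and not taken from the original article. It splits a one-line rule into the four fields described in the previous sections (who, host, the runas part in parentheses, and the command list) and reports the two things worth checking before a rule goes into the file: a command written without its full path, and "!" used to subtract commands from ALL. The sudoers manual itself cautions that the latter pattern is not an effective restriction, because the excluded program can simply be copied under another name, so the checker flags it. The sample rules at the bottom are constructed for this example; the function names parse_rule and check_rule are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article): a checker for the
# one-line sudoers rule format
#   who host=(runas_user:runas_group) cmd1, cmd2, !cmd3
# Constructed sample rules are run through it at the bottom.

# parse_rule RULE
# Prints who / host / runas / commands on four lines. Returns 1 when the
# rule has no "host=" part and therefore is not a well-formed user spec.
parse_rule() {
    rule=$1
    who=${rule%% *}           # leftmost word: a user, or %group
    rest=${rule#* }
    case $rest in
        *=*) ;;
        *)   return 1 ;;
    esac
    host=${rest%%=*}          # host list, usually ALL
    rhs=${rest#*=}
    case $rhs in
        \(*\)*)               # optional "(user:group)" runas part
            runas=${rhs%%\)*}
            runas=${runas#\(}
            cmds=${rhs#*\)}
            ;;
        *)                    # omitted: sudo falls back to root
            runas=root
            cmds=$rhs
            ;;
    esac
    cmds=$(printf '%s' "$cmds" | sed 's/^[[:space:]]*//')
    printf '%s\n%s\n%s\n%s\n' "$who" "$host" "$runas" "$cmds"
}

# check_rule RULE
# Prints one finding per line, or "ok". Returns 0 when nothing is flagged,
# 2 when something is flagged, 1 when the rule is malformed.
check_rule() {
    fields=$(parse_rule "$1") || { echo "malformed: $1"; return 1; }
    cmds=$(printf '%s\n' "$fields" | sed -n '4p')
    rc=0 has_all=0 has_neg=0
    old_ifs=$IFS
    IFS=,                       # split on commas; arguments keep their spaces
    for entry in $cmds; do
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//')
        case $entry in
            ALL)  has_all=1; continue ;;
            "!"*) has_neg=1; entry=${entry#"!"} ;;
        esac
        path=${entry%% *}       # the command itself, without arguments
        case $path in
            /*) ;;
            *)  echo "not a full path: $path (check with: which $path)"; rc=2 ;;
        esac
    done
    IFS=$old_ifs
    if [ "$has_all" -eq 1 ] && [ "$has_neg" -eq 1 ]; then
        echo "ALL with ! exclusions: the excluded program can be copied under another name, so this is not a real limit"
        rc=2
    fi
    [ "$rc" -eq 0 ] && echo ok
    return $rc
}

# Constructed sample rules for demonstration.
for rule in \
    'root ALL=(ALL) ALL' \
    'hoge ALL=(ALL:ALL) systemctl restart httpd' \
    'hoge ALL=(ALL:ALL) ALL, !/usr/bin/systemctl restart httpd'
do
    echo "== $rule"
    check_rule "$rule" || true
done
```

This checker only looks at the shape of a single rule; it does not replace the real syntax check. Before a new rule is installed, run the file through visudo -c -f FILE (or edit with visudo, which checks on save), because a syntax error in /etc/sudoers can leave sudo refusing to run at all.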
Bonus
If you prefix the field where a user is specified with "%", it specifies a group instead.
The "/etc/sudoers" file also contains the following line by default, and it is this line that gives a user added to the wheel group the same power as root.
%wheel ALL=(ALL) ALL
Summary
What do you think?
With an appropriately configured sudoers file, you can make fine adjustments when creating a user, such as "I only want this user to run this command" or "I don't want to grant root privileges, but I do want this user to be able to run specific commands."
This is a critical file from a security perspective, so be sure to understand its structure before setting it up!