Introduction to writing the /etc/sudoers file for sudo permission settings

Introduction
Hello. This is Infrastructure Wasshoi Man from the System Solutions Department.
This may be a bit sudden, but do you all use the sudo command?
It is a command you will probably use quite often when working in a terminal, since it runs commands as the root user or with another user's privileges.
However, if any OS user could use it freely, that would be dangerous from a security standpoint: they could edit important configuration files such as service configurations and start or stop daemons at will.
Therefore, permissions are usually adjusted in a configuration file that determines who can do what, on which host, and as which user.
This time, I would like to focus on the format of sudo's permission configuration file, "/etc/sudoers".
This file is often edited when setting up a server. Always edit it with the visudo command rather than a plain editor: visudo locks the file and checks the syntax before saving, and a syntax error in /etc/sudoers can lock every user, including the administrator, out of sudo.
Do you just copy and paste whatever comes to mind?
Understanding how to write it will help you prevent unexpected accidents and will also let you use it in more practical ways, so please take this opportunity to check it out.
Explanation of "/etc/sudoers"
There are several default entries in the "/etc/sudoers" file, but let's pick out one
root ALL=(ALL) ALL
Below, we explain each field of this line in turn.
The leftmost "root"
This is where you specify who is granted the permissions.
In this case, the permissions are being granted to the "root" user.
If you want to define permissions for a regular user, enter that user's name here.
"ALL" to the left of "="
This field is the host list: sudo compares it with the hostname of the machine on which sudo is run, so it determines on which servers the line takes effect when the same sudoers file is distributed to multiple servers.
If you manage sudo settings individually on each server, the file is only ever applied to the server it sits on.
In that case, it is fine to write "ALL" here.
The exception is when you use a directory service (such as LDAP) or similar to manage sudo entries for multiple servers centrally; there, a hostname in this field restricts the entry to that host.
The right side of the "=", inside the parentheses
As a premise, the sudo command is originally a command that "impersonates another user or group and performs operations with their privileges"; "operating with root privileges" is simply the default when neither a user nor a group is specified.
This field describes which users (and groups) the commands may be executed as.
Although the group part is omitted in the example above, the full form is (ALL:ALL): the users that may be named with "sudo -u" go to the left of the colon, and the groups that may be named with "sudo -g" go to the right.
For example, if you want to give a user permission to run a command that requires root privileges, it does not really matter whether the user can also become some other regular user (being able to become root is already more than that), so the target is often written as (ALL), the authority to become anyone, including root.
Of course, there is no problem with explicitly specifying (root), and it is the tighter choice when root is the only target user you actually need.
*By the way, if you omit the ":ALL" part (the second half of the parentheses), no group list is granted: "sudo -g" can then only name a group that the target user already belongs to, so it cannot be used to pick up an arbitrary group. If the parentheses are omitted entirely, the commands may only be run as root.
About ALL on the far right
This specifies which commands are permitted.
Writing ALL means any command may be run.
For example, if you want to allow the hoge user to do nothing but restart Apache, write it as follows:
*Note that you must write the full path of the command. The path can differ between distributions, so check it with the which command.
hoge ALL=(ALL:ALL) /usr/bin/systemctl restart httpd
The line above only allows a restart, so if you want to permit other commands as well, write them separated by commas as shown below:
hoge ALL=(ALL:ALL) /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
Note that when a command is listed with arguments, the arguments the user types must match exactly; when it is listed without arguments, any arguments are accepted. Writing just "/usr/bin/systemctl" would therefore let hoge run every systemctl subcommand, not only the two intended here.
Conversely, you can exclude specific commands with "!" as shown below:
hoge ALL=(ALL:ALL) ALL, !/usr/bin/systemctl restart httpd, !/usr/bin/systemctl status httpd
Be aware that subtracting commands from ALL like this is not an effective restriction, as the sudoers manual itself warns: the user is still allowed to run a shell or any other command as root, and can simply copy systemctl to another path (which does not match the "!" entry) and run the copy. Treat "!" as a way to document intent, and grant an explicit list of commands whenever you actually need to limit what a user can do.
Bonus
If you prefix the name in the user field with "%", it refers to a group instead of a user.
The "/etc/sudoers" file also contains the following default entry, and it is this entry that gives a user the same power as root once they are placed in the wheel group (Debian and Ubuntu use the "sudo" group for the same purpose):
%wheel ALL=(ALL) ALL
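To make the interaction of the four fields concrete, here is a small evaluator, added for this article and not part of sudo or of the original post, that parses lines in the form discussed above (user or %group, host, the optional (user:group) runas part, and a comma-separated command list with "!" entries) and answers whether a given request would be permitted. It is a simplified model, not sudo's own matcher: it does not know aliases, wildcards, Defaults, tags such as NOPASSWD:, digests or netgroups. The group table, the sudoers fragment, the users hoge, fuga, alice and bob and the hostname web1 are all constructed for the example. It goes slightly beyond the article by modeling "last matching entry wins" and exact argument matching, which is what makes the "ALL, !command" pattern bypassable.

```python
"""Simplified sudoers rule evaluator (illustrative model, not sudo itself)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-in for /etc/group membership, primary groups included (assumption).
GROUPS = {
    "root": {"root"},
    "wheel": {"alice"},
    "hoge": {"hoge"},
    "fuga": {"fuga"},
    "apache": {"apache"},
}


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


# who  host = (runas_users[:runas_groups]) commands
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+?)\s*$")


@dataclass
class Rule:
    who: str                    # user name, or %group
    host: str                   # "ALL" or a hostname
    runas_users: list           # names usable with sudo -u ("ALL" = anyone)
    runas_groups: list | None   # names usable with sudo -g; None = list omitted
    commands: list              # (negated, path_or_ALL, args_or_None), in file order


def parse_rule(line):
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable sudoers line: {line!r}")
    who, host, runas, cmds = m.groups()
    if runas is None:                       # "(...)" omitted: root only, no -g list
        users, groups = ["root"], None
    else:
        u, has_colon, g = runas.partition(":")
        users = [x.strip() for x in u.split(",") if x.strip()]
        groups = [x.strip() for x in g.split(",") if x.strip()] if has_colon else None
    commands = []
    for entry in cmds.split(","):
        entry = entry.strip()
        negated = entry.startswith("!")
        entry = entry.lstrip("!").strip()
        if entry == "ALL":
            commands.append((negated, "ALL", None))
        else:
            path, _, args = entry.partition(" ")
            commands.append((negated, path, args.strip() or None))
    return Rule(who, host, users, groups, commands)


def parse_sudoers(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def is_allowed(rules, user, host, command, runas_user="root", runas_group=None):
    """Would `sudo [-u runas_user] [-g runas_group] command` be permitted for user on host?"""
    path, _, args = command.strip().partition(" ")
    args = args.strip()
    verdict = False                         # nothing matched: denied
    for r in rules:
        if not (r.who == user or (r.who.startswith("%") and user in GROUPS.get(r.who[1:], set()))):
            continue
        if r.host not in ("ALL", host):
            continue
        if not ("ALL" in r.runas_users or runas_user in r.runas_users
                or (not r.runas_users and runas_user == user)):
            continue
        if runas_group is not None:
            if r.runas_groups is None:      # no group list: only the target user's own groups
                if runas_group not in groups_of(runas_user):
                    continue
            elif "ALL" not in r.runas_groups and runas_group not in r.runas_groups:
                continue
        for negated, cpath, cargs in r.commands:
            # No arguments in the entry: any arguments match; otherwise they must match exactly.
            if cpath == "ALL" or (cpath == path and (cargs is None or cargs == args)):
                verdict = not negated       # the last matching entry wins, as in sudoers
    return verdict


# Constructed sudoers fragment (assumption) mirroring the entries discussed in the article.
SUDOERS = """
root   ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
hoge   ALL=(ALL:ALL) /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
fuga   ALL=(ALL:ALL) ALL, !/usr/bin/systemctl restart httpd
"""
RULES = parse_sudoers(SUDOERS)


def demo():
    """Decisions for a few requests on the constructed host web1."""
    h = "web1"
    return {
        "hoge restart httpd": is_allowed(RULES, "hoge", h, "/usr/bin/systemctl restart httpd"),
        "hoge stop httpd": is_allowed(RULES, "hoge", h, "/usr/bin/systemctl stop httpd"),
        "hoge restart httpd.service": is_allowed(RULES, "hoge", h, "/usr/bin/systemctl restart httpd.service"),
        "alice (wheel) shell": is_allowed(RULES, "alice", h, "/bin/bash"),
        "bob shell": is_allowed(RULES, "bob", h, "/bin/bash"),
        "fuga restart httpd": is_allowed(RULES, "fuga", h, "/usr/bin/systemctl restart httpd"),
        "fuga copied systemctl": is_allowed(RULES, "fuga", h, "/tmp/systemctl restart httpd"),
        "fuga shell": is_allowed(RULES, "fuga", h, "/bin/bash"),
        "root -g wheel": is_allowed(RULES, "root", h, "/bin/bash", runas_group="wheel"),
        "hoge -g apache status": is_allowed(RULES, "hoge", h, "/usr/bin/systemctl status httpd", runas_group="apache"),
    }


if __name__ == "__main__":
    for request, ok in demo().items():
        print(f"{'allow' if ok else 'deny':5} {request}")
```

Running the block prints one decision per request. Two of them are the ones worth remembering: hoge is refused "restart httpd.service" because the arguments do not match the entry exactly, and fuga, whose "!" entry only names /usr/bin/systemctl, is still allowed to run a copy of the binary from /tmp (and a root shell), which is why an explicit command list, not subtraction from ALL, is the way to limit a user.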
Summary
What do you think?
If you configure sudoers properly, then when you hand out a user account you can make fine adjustments such as "I only want this user to be able to run this command" or "I don't want to give full root privileges, but I want the user to be able to run specific commands."
This is a critical file from a security standpoint, so be sure to understand its structure before you set it up, and after editing, check the result with "sudo -l -U username" to see exactly what that user is allowed to run.