Nov 29, 2007

Limiting the power of Sudoers

In Linux, the default user "root" has full access to every kind of file (everything is a file in Linux, yes, even devices!). Sometimes other users on the same system need to access files that are inaccessible to them by default. The "sudo" command helps to solve this problem. It is used as follows:

$ sudo <command_inaccessible_by_default> <arguments_if_any>

The sudo command limits the user's power according to the configuration in the file "/etc/sudoers".
By default, you might see something like this:
root ALL=(ALL) ALL
Above, you can see ALL three times. But what does it mean?
The first ALL: run from any (all) hosts
The second ALL: from any terminal
The third ALL: can run any command

So, the line means that "root" can run any command from any terminal from any host.
Now, how do you change this? Don't ever attempt to change the power of root :) Anything may happen to your system. I cannot predict what will happen, but it is obviously not going to be good.

Yes, but you can add another user to the sudoers list and limit his authority (power). Let's kick off:

Let me add another user "foo" who can have full access to the "ifconfig" command from the current host.

foo HOST=(ALL) COMMAND

What do you think? Will it work? Obviously not.

What do HOST and COMMAND mean?
HOST is just an alias for host(s), which I defined here.
Similarly, COMMAND is an alias for command(s).

We should also define these aliases in the same file (/etc/sudoers):

Host_Alias HOST = 127.0.0.1
Cmnd_Alias COMMAND = /sbin/ifconfig


If you want to give "foo" access to other commands too, you can simply extend the line, using a comma (,) as the separator, i.e.:
Cmnd_Alias COMMAND = /sbin/ifconfig, <path to other command(1)>, <path to other command(2)>...

In a similar fashion, you can add other hosts too.
Furthermore, there are two more types of aliases you can define:
User_Alias
Runas_Alias
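
An added example (not from the original post): a small Python audit that reads sudoers-style text, expands the Host_Alias and Cmnd_Alias names described above, and lists what each user is effectively granted, so an over-broad ALL stands out. The sample text and the extra command /sbin/route are constructed; the parser is an assumption-laden sketch that handles only the single-line forms shown in this post and skips the parenthesised field.

```python
import re

# Constructed sample: the post's aliases and rules; /sbin/route is an assumed extra command.
SAMPLE = """\
Host_Alias HOST = 127.0.0.1
Cmnd_Alias COMMAND = /sbin/ifconfig, /sbin/route
root ALL=(ALL) ALL
foo HOST=(ALL) COMMAND
"""

ALIAS_RE = re.compile(r"^(Host|Cmnd|User|Runas)_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
# user, host list, optional parenthesised field (skipped here), command list
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def expand(names, aliases, seen=()):
    """Replace alias names with their members; ALL and literals pass through."""
    out = []
    for name in names:
        if name in aliases and name not in seen:  # 'seen' stops alias cycles
            out.extend(expand(aliases[name], aliases, seen + (name,)))
        else:
            out.append(name)
    return out

def effective_grants(text):
    """Return {user: {"hosts": [...], "commands": [...]}} with aliases expanded."""
    aliases = {"Host": {}, "Cmnd": {}, "User": {}, "Runas": {}}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = split_list(m.group(3))
        elif (m := RULE_RE.match(line)):
            rules.append((m.group(1), split_list(m.group(2)), split_list(m.group(3))))
    grants = {}
    for user, hosts, cmds in rules:  # expand after reading, so alias order is free
        g = grants.setdefault(user, {"hosts": [], "commands": []})
        g["hosts"] += expand(hosts, aliases["Host"])
        g["commands"] += expand(cmds, aliases["Cmnd"])
    return grants

def unrestricted(grants):
    """Users whose command list contains the catch-all ALL."""
    return sorted(u for u, g in grants.items() if "ALL" in g["commands"])
```

Calling effective_grants(SAMPLE) and passing the result to unrestricted() shows that only "root" holds the catch-all, while "foo" is confined to the listed commands on 127.0.0.1.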


I hope you got it...

You can find detailed info by running the following line in a console:
man sudoers

A visual definition of sudo:
http://howtoxyz.blogspot.com/2007/11/this-is-what-sudo-is.html :)

ref: http://www.go2linux.org/sudoers-how-to
