Table of Contents

sudo

The sudo command allows a user to run a command as root (or some other user). It has several benefits over su – especially in logging. It has a configuration file that can be used to restrict who has access, and what commands they have access to. It can be configured to not require (certain) users to enter root's password. It is also used to run individual commands, instead of giving the person a full shell command-line environment.

Installation

Install sudo:

apt-get install sudo

Configuration

Add a group named wheel, with a GID of 99 (NOTE: CentOS already has a wheel group by default):

groupadd -g 99 wheel

Add any admin users to the wheel group. You can use the vigr command, or adduser username groupname.

for USER in root lvl booch mk jmuse donls gary blac gfstut; do
  usermod -a -G wheel $USER
done

Edit /etc/sudoers (have to do it by running visudo) to look like this:

# Require root password (instead of the user's own password).
Defaults    rootpw

# Reset all environment variables, except the ones we explicitly list.
Defaults    env_reset
Defaults    env_keep = "PATH MAIL PS1 PS2 HOSTNAME HISTSIZE \
                        LS_COLORS COLORS INPUTRC TZ \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS"

# Set $HOME to the target user's home directory. Allows mysql clients to find $HOME/.my.cnf config file automatically.
Defaults    always_set_home

# Define aliases to simplify later declarations. Note that these pertain to Debian and Red Hat variants.
#Cmnd_Alias SOFTWARE_INSTALL = /usr/bin/apt-get install *, \
#                              /usr/bin/yum install *, /bin/rpm -i *, \
#                              /usr/local/bin/gem install *
Cmnd_Alias SOFTWARE_UPDATE  = /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \
                              /usr/bin/yum update

# Root can run anything as anyone.
root    ALL=(ALL) ALL

# These users may run anything, if they supply the root password.
%wheel  ALL = ALL

# These users may run these commands without having to supply a password.
%wheel  ALL = NOPASSWD: SOFTWARE_UPDATE

Security

Allowing sudo with no password should be limited as much as possible.

Note that users in the sudo group can use sudo without a password – DON'T DO THIS!

Note that if you allow a user to run a command as root, and the command allows them to shell out, they can then effectively run any command as root. So don't give access to things like vi, unless you give them access to ALL commands.

TODO

Consider adding some more limited commands for some users. For example, the editor should be able to check the mail queues. The list manager should be able to run the list management scripts.

Document how logging works.