Unix Dweeb

How to build command groups with sudo

Nov 21, 2017

Creating command groups in /etc/sudoers can make managing user privileges easier and smarter.

When managing your /etc/sudoers files, it’s a good idea to organize user privileges in ways that make them easier to manage over the long haul and to assign permissions based on the roles that users play in your organization.

One very useful way to do that is to group related commands together — such as all commands related to running backups or managing web sites — and assign them to the individuals or groups that require these privileges.

Setting up command groups in /etc/sudoers

To create a command group, you use what is called a Cmnd_Alias in your /etc/sudoers file and give the new command group a meaningful name. Here are some examples. Note that full pathnames must be specified for all of the commands included in a group; otherwise you are likely to see an error like this when you try to exit visudo. And remember to edit /etc/sudoers only with the visudo command: it locks the file against concurrent edits and checks the syntax before installing your changes, so a typo gets reported like this instead of breaking sudo for everyone.

>>> /etc/sudoers: syntax error near line 60 

Command aliases like these might prove useful. Here, we’re grouping kill, password and shell commands together in three separate groups.

Cmnd_Alias      KILL = /usr/bin/kill, /usr/bin/pkill, /usr/bin/killall
Cmnd_Alias      VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh
Cmnd_Alias      SHELLS = /bin/sh, /usr/bin/sh, /bin/bash, /bin/dash, \
                         /usr/bin/rsh, /bin/rbash, /bin/static-sh

Anyone given access to any of these three command groups would then be able to run the associated commands using sudo (e.g., sudo kill 1234). The format for defining command aliases is fairly simple: a comma-separated list of full pathnames, with a backslash at the end of a line to continue the definition on the next line. Two things to keep in mind: when no arguments are listed after a command, sudo allows any arguments, so a user with KILL can kill any process on the system, including root's; and granting SHELLS is equivalent to granting ALL, since a root shell can run anything.

Another very useful command group is one that you can use to keep users from running commands that might allow them to break free from restrictions you might want to impose. If someone can run visudo or vi as root, for example, they can change the /etc/sudoers file to change their and other users’ privileges.

Cmnd_Alias      RESTRICTED = /usr/sbin/vipw, /bin/vi /etc/sudoers, \
                             /bin/su - root, /bin/su -, /usr/sbin/visudo

You can apply these restrictions with lines like the one below, which lets jdoe run everything except the commands in RESTRICTED:

jdoe            ALL = (ALL) ALL, !RESTRICTED

Treat this as a speed bump rather than a boundary. sudoers(5) warns that subtracting commands from ALL with ! is generally not effective: a user can copy the denied binary to a different name and run the copy. Argument matches are also literal, so !/bin/vi /etc/sudoers excludes only that exact argument string; vi opened on some other file and then pointed at /etc/sudoers with :e, or dropped to a shell with :!, still matches ALL. The dependable control is the positive one described above: grant only the command groups a role needs.

It's easy to trip over all the ALLs that you are likely to encounter in sudoers files. A quick what's what may be in order here. When you see something like ALL ALL=(ALL) ALL in a line in the /etc/sudoers file, here's what the ALLs mean:

The first ALL represents the users allowed to run the command (an individual, a %group or a User_Alias)
The second ALL represents the hosts on which the line applies
The third ALL, in parentheses, is the target (who you are when running the command); if it is omitted, the command runs as root
The last ALL is the list of commands allowed

Any of the ALLs can be replaced with specifics, as in the lines above that specify jdoe in the first position.

The structure for defining command groups is fairly simple:

Cmnd_Alias      KILL = /usr/bin/kill, /usr/bin/pkill
    ^            ^      ^
    |            |      |
 keyword        name    included commands

Command groups allow you to provide related sets of sudo privileges to specific groups or individuals — such as tech support folks who need to change users’ passwords and sysadmins who need to be able to kill processes or reboot systems — without having to give them the ability to run all commands as root.

Assigning command groups

Once command groups have been established, you can assign them to individuals. Descriptive comments in your /etc/sudoers file will help ensure that anyone else who might edit the sudoers file can easily understand what was intended.

# bob can change passwords and manage account password settings on all systems
bob		ALL = VIPW

You can also use command groups to deny users the ability to run a group of commands using sudo.

# jen can run commands on all servers except those in the security group
jen         ALL, !SECURITY = ALL

You can also restrict the use of a command group to a specific system.

# jdoe needs to be able to kill processes on the code management system
jdoe        pluto = KILL

The second of the three command group assignments above requires that the SECURITY group of servers is also defined in the /etc/sudoers file. It might look like this:

Host_Alias	   SECURITY = mercury, venus, mars

You can also define users in groups and assign privileges by user group.

User_Alias     WEBMASTERS = slee, willy, liam

Disallowing access

As you can see from some of the examples above, an exclamation point in front of an item negates the access. For example, !SECURITY means any systems except those in the security group. In a similar manner, ! in front of a command means that sudo will refuse that command even though the rest of the rule would allow it. This is most useful for carving one exception out of a rule that already names specific commands, as in the next example; it is not a dependable way to subtract commands from ALL.

# maryk may change passwords for anyone but root
maryk        ALL = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

The host field (ALL here) is required. The argument pattern [A-Za-z]* (rather than [A-z], which also matches the punctuation characters that sort between Z and a) requires a user name argument, so a bare sudo passwd, which would change root's own password, does not match the rule.

Defining other aliases

You can group commands, systems or users together with commands like those shown below.

command groups:
	Cmnd_Alias      HALT = /usr/sbin/halt

system groups:
	Host_Alias	SECURITY = mercury, venus, mars

user groups:
	%group = group defined in /etc/group such as %sudo or %admin
	User_Alias = group defined within the /etc/sudoers file
		User_Alias	SYSADMINS = shs, jdoe, paul

privilege groups:
	%wheel          ALL = (ALL) ALL

The /etc/sudoers file on a newly installed system generally has very little content.

You can have groups with only one member. While this might seem like extra work for little or no benefit, it makes for better organization overall because the consistent format will make the file easier to maintain as users are added and removed.
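To see how the pieces above fit together, here is an added example (not code from the article): a small Python script that reads a sudoers fragment assembled from the KILL, VIPW, RESTRICTED, SECURITY and WEBMASTERS aliases on this page, joins backslash-continued lines, expands Cmnd_Alias, Host_Alias and User_Alias names (carrying ! through) into the concrete hosts and commands each user ends up with, and flags grants worth a second look: an ALL rule with ! subtractions, a shell, or an editor with a shell escape. The WEBMASTERS assignment to /usr/sbin/apachectl and the [A-Za-z] class in the maryk line are assumptions made for the sample, and the script covers only the syntax used on this page.

```python
"""Expand sudoers aliases into per-user rules; added example, not sudo's own parser."""
import re

# Constructed sample built from this page's aliases; the WEBMASTERS assignment and
# the [A-Za-z] class are assumptions, not lines from the article.
SAMPLE_SUDOERS = r"""
Cmnd_Alias  KILL = /usr/bin/kill, /usr/bin/pkill, /usr/bin/killall
Cmnd_Alias  VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh
Cmnd_Alias  RESTRICTED = /usr/sbin/vipw, /bin/vi /etc/sudoers, \
                         /bin/su - root, /bin/su -, /usr/sbin/visudo
Host_Alias  SECURITY = mercury, venus, mars
User_Alias  WEBMASTERS = slee, willy, liam
# bob can change passwords and manage account password settings on all systems
bob         ALL = VIPW
jen         ALL, !SECURITY = ALL
jdoe        pluto = KILL
jdoe        ALL = (ALL) ALL, !RESTRICTED
maryk       ALL = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
WEBMASTERS  ALL = /usr/sbin/apachectl
%wheel      ALL = (ALL) ALL
"""

ALIAS_RE = re.compile(r"^(Cmnd_Alias|Host_Alias|User_Alias)\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")  # user host=(runas) cmds
SHELLS = {"sh", "bash", "dash", "rsh", "rbash", "static-sh", "zsh", "ksh"}
ESCAPABLE = {"vi", "vim", "less", "more"}     # offer ':!cmd' / '!cmd' shell escapes

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
        else:
            buf, joined = "", (buf + raw).strip()
            if joined and not joined.startswith("#"):
                out.append(joined)
    return out

def split_list(s):          # comma-separated list; members may contain spaces (args)
    return [m.strip() for m in s.split(",") if m.strip()]

def expand(items, alias_table, depth=0):
    """Replace alias names by their members, carrying '!' through ('!!X' is X again)."""
    allowed, denied = [], []
    for item in items:
        name = item.lstrip("!")
        negated = (len(item) - len(name)) % 2 == 1
        if name in alias_table and depth < 16:      # aliases may nest; cap guards loops
            sub_ok, sub_no = expand(alias_table[name], alias_table, depth + 1)
            allowed += sub_no if negated else sub_ok
            denied += sub_ok if negated else sub_no
        else:
            (denied if negated else allowed).append(name)
    return allowed, denied

def resolve(text):
    """Return {user: [rule, ...]} with every alias expanded to concrete names."""
    aliases = {"Cmnd_Alias": {}, "Host_Alias": {}, "User_Alias": {}}
    rules = {}
    for line in logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:                                       # aliases must precede their use
            aliases[m.group(1)][m.group(2)] = split_list(m.group(3))
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sudoers line: {line!r}")
        users, hosts, runas, cmds = m.groups()
        hosts_ok, hosts_no = expand(split_list(hosts), aliases["Host_Alias"])
        cmds_ok, cmds_no = expand(split_list(cmds), aliases["Cmnd_Alias"])
        for user in expand(split_list(users), aliases["User_Alias"])[0]:
            rules.setdefault(user, []).append({
                "hosts": hosts_ok, "not_hosts": hosts_no,
                "runas": split_list(runas) if runas else ["root"],   # runas_default
                "allowed": cmds_ok, "denied": cmds_no})
    return rules

def audit(rules):
    """Return (user, message) pairs for grants that deserve a second look."""
    findings = []
    for user, user_rules in rules.items():
        for r in user_rules:
            if "ALL" in r["allowed"] and r["denied"]:
                findings.append((user, "subtracts from ALL with '!'; sudoers(5) warns that "
                                       "a copy of the binary under another name bypasses it"))
            for cmd in r["allowed"]:
                prog = cmd.split()[0].rsplit("/", 1)[-1]
                if cmd == "ALL":
                    findings.append((user, "may run any command as root"))
                elif prog in SHELLS:
                    findings.append((user, f"{cmd} is a shell, equivalent to ALL"))
                elif prog in ESCAPABLE:
                    findings.append((user, f"{cmd} can spawn a shell from inside the program"))
    return findings

if __name__ == "__main__":
    for user, msg in audit(resolve(SAMPLE_SUDOERS)):
        print(f"WARNING {user}: {msg}")
```

Running it prints warnings for jen, jdoe and %wheel (every ALL grant) and a second one for jdoe's ALL, !RESTRICTED line; bob, maryk and the webmasters get none. The script does not implement the full sudoers grammar (no Defaults lines, several users per line, or tags such as NOPASSWD and NOEXEC), so keep checking real edits with visudo -c -f on the file before installing them.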

Wrap up

A well-organized /etc/sudoers file can make doling out system privileges easier and smarter. The best strategy is to play around with your sudoers settings on a development system until you feel comfortable with the syntax and can keep the /etc/sudoers file organized in such a way that it's easy to read and update.


Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.
