
Introduction to /etc/sudoers



Hello everyone, I am Jon from Beyond GTA Inc., and today we will discuss one of the important features of the Linux operating system: the sudo command and its configuration file, /etc/sudoers.


The information on sudo was originally written by Takeda, who works at our headquarters in Japan. Engineers in the IT field who work with servers should know the sudo command, since it is one of the most common commands typed into a terminal.

Do you find yourself typing sudo in front of the commands you execute?

Please calmly accept that you do not have root access to the server: giving root (admin) privileges to every user could turn into a nightmare. Who knows what might happen to your important configuration files, such as accidental deletion or changes to their contents? Long story short, one should not give admin access to all users of the OS.


Explanation of "/etc/sudoers"

There are several entries in the "/etc/sudoers" file by default, but let's pick one.


root ALL=(ALL) ALL


"root" on the left

This field specifies to whom the authority is given. In this case, the authority is given to the "root" user. If you want to define the permissions of an ordinary user, put that user's name here.


"ALL" after root

This is the host field: it controls on which server the line applies when the same sudoers file is reused on multiple servers. If each server manages its sudo settings individually, the file only ever applies to the server it sits on, so writing "ALL" here is fine. The exception is when the settings for many servers are managed centrally, for example through a directory service; then a hostname or host list in this field restricts the line to particular machines.


(ALL) in the middle

The premise is that sudo is originally a command that "performs operations on behalf of another user or group, with that user's or group's authority"; "operates with root authority" is just the default behaviour when neither a user nor a group is specified. This field describes which users the command may be run as, that is, on whose behalf.


In the example above the group part is omitted, but the full form is (ALL:ALL): the user that may be assumed with "sudo -u" goes to the left of the colon, and the group that may be assumed with "sudo -g" goes to the right.


For example, if you want to give a user the authority to execute a command that can only be executed as root, you would specify (root). In many cases the target is written as (ALL), allowing the command to be run as anyone including root, because it usually does not matter whether the user can also act as an ordinary user. There is no problem with explicitly specifying (root), and it is the tighter choice: with (ALL) the user can also run the command as any other account via "sudo -u".


The second half, ":ALL", can be omitted. Then no group list is granted, so the user cannot choose an arbitrary group with "sudo -g".


"ALL" on the right

Specify "what operations are allowed".

Writing ALL means that you can do anything.

For example, if you want the hoge user to be able only to restart Apache, write:


hoge ALL=(ALL:ALL) /usr/bin/systemctl restart httpd


* Note that the command must be written with its full path. Check the path with the which command, as it may differ between systems.

With the above line you can only restart, and only with exactly those arguments: sudo matches the argument list literally, whereas a command listed without any arguments accepts any arguments. If you want to be able to use other commands as well, separate them with commas as shown below.


hoge ALL=(ALL:ALL) /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd


Conversely, you can allow everything except specific commands by prefixing them with "!", as shown below.


hoge ALL=(ALL:ALL) ALL, !/usr/bin/systemctl restart httpd, !/usr/bin/systemctl status httpd


Be careful with this pattern: the sudoers(5) manual warns that subtracting commands from ALL with "!" is generally not effective, because the user can copy the binary to a different name or path and run it from there. Treat such a line as essentially equivalent to plain ALL.


Bonus

In the user field, a "%" prefix specifies a group instead of a user.

The "/etc/sudoers" file also contains the following entry by default on Red Hat-based distributions (Debian-based ones use the "sudo" group with an equivalent line). Because of this entry, putting a user in the wheel group gives that user power equivalent to root privileges.


%wheel ALL=(ALL) ALL
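As an added example (not code from the original post or from the sudo project), here is a small Python parser for the line layout described above: user or %group, host, (runas_user:runas_group), and the comma-separated command list with "!" negation and tags such as NOPASSWD. It also lints a parsed entry for the points raised in this post: the "!"-from-ALL caveat, commands that are not absolute paths, commands listed without arguments (which accept any arguments), and "systemctl status", which pages its output through less, a pager that can spawn a shell with "!". The names parse_line, lint_entry and SudoersEntry and the sample lines are constructed for this example; it handles only user-specification lines, not aliases, Defaults lines, or per-command Runas_Specs.

```python
"""Parse /etc/sudoers user-specification lines and flag risky grants.

Added example; parse_line, lint_entry and SudoersEntry are hypothetical names
chosen here, not part of sudo. Covers user_or_%group host=(runas_user:runas_group)
[TAG:] cmd1, !cmd2 ... and nothing else (no aliases, Defaults, includes).
"""
import re
from dataclasses import dataclass, field

# "(users)" or "(users:groups)" at the start of the remainder after "host=".
RUNAS_RE = re.compile(r"^\(([^:)]*)(?::([^)]*))?\)\s*")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# Constructed sample lines (the three from the post plus two variants).
SAMPLE_LINES = [
    "root ALL=(ALL) ALL",
    "hoge ALL=(ALL:ALL) /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd",
    "hoge ALL=(ALL:ALL) ALL, !/usr/bin/systemctl restart httpd",
    "%wheel ALL=(ALL) ALL",
    "ops ALL=/usr/bin/systemctl",
]


@dataclass
class SudoersEntry:
    who: str              # user name, or group name when is_group is True
    is_group: bool        # True for a "%group" entry
    host: str             # host field; "ALL" unless the file is shared between hosts
    runas_user: str       # left of the colon: users allowed with sudo -u
    runas_group: str      # right of the colon: groups allowed with sudo -g ("" if omitted)
    allowed: list = field(default_factory=list)   # commands the user may run
    denied: list = field(default_factory=list)    # commands negated with "!"
    tags: set = field(default_factory=set)        # NOPASSWD, NOEXEC, ... (entry-wide here)


def parse_line(line: str) -> SudoersEntry:
    """Split one user-specification line into its four fields."""
    line = line.split("#", 1)[0].strip()          # drop trailing comments
    who, rest = line.split(None, 1)
    host, rest = (part.strip() for part in rest.split("=", 1))
    match = RUNAS_RE.match(rest)
    if match:
        # "(ALL)" is shorthand for a user list with no group list.
        runas_user = match.group(1).strip()
        runas_group = (match.group(2) or "").strip()
        rest = rest[match.end():]
    else:
        # No Runas_Spec at all: sudo's default target is root, and no group list.
        runas_user, runas_group = "root", ""
    entry = SudoersEntry(who.lstrip("%"), who.startswith("%"), host, runas_user, runas_group)
    for cmnd in rest.split(","):
        cmnd = cmnd.strip()
        # Tags like "NOPASSWD:" apply to this command and the ones after it;
        # this example simply records them for the whole entry.
        while ":" in cmnd and cmnd.split(":", 1)[0].strip() in TAGS:
            tag, cmnd = (part.strip() for part in cmnd.split(":", 1))
            entry.tags.add(tag)
        if cmnd.startswith("!"):
            entry.denied.append(cmnd[1:].strip())
        else:
            entry.allowed.append(cmnd)
    return entry


def lint_entry(entry: SudoersEntry) -> list:
    """Return warnings for grants that are weaker than they look."""
    warnings = []
    if "ALL" in entry.allowed and entry.denied:
        warnings.append("subtracting commands from ALL with '!' is ineffective: the user "
                        "can copy the binary to another path and run it from there")
    if "ALL" in entry.allowed and "NOPASSWD" in entry.tags:
        warnings.append("NOPASSWD with ALL runs any command as the target user without a password prompt")
    for cmnd in entry.allowed:
        if cmnd == "ALL":
            continue
        tokens = cmnd.split()
        if tokens[0] != "sudoedit" and not tokens[0].startswith("/"):
            warnings.append(f"{cmnd!r} is not an absolute path; sudoers requires fully qualified commands")
        if len(tokens) == 1:
            warnings.append(f"{cmnd} lists no arguments, so sudo accepts any arguments for it")
        if tokens[0].endswith("systemctl") and "status" in tokens \
                and "--no-pager" not in tokens and "NOEXEC" not in entry.tags:
            warnings.append(f"{cmnd!r} pages output through less, which can spawn a shell with "
                            "'!'; allow --no-pager in the argument list or add the NOEXEC tag")
    return warnings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_line(line)
        print(line)
        print("   ", entry)
        for warning in lint_entry(entry):
            print("    WARNING:", warning)
```

Run it as a script to see the parsed fields and warnings for the sample lines; the only sample without a warning is the plain "root ALL=(ALL) ALL" entry and the %wheel one. The lint rules are deliberately narrow: they encode the specific pitfalls discussed in this post, not a complete sudoers audit.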


Summary

If sudoers is properly configured, you can fine-tune what a user is allowed to execute, for example "I want this user to be able to run only this command" or "I don't want to give full root privileges, but the user should be able to run certain commands".


This is a security-critical file, so let's understand its structure! One practical rule: always edit it with visudo rather than a plain editor, because visudo checks the syntax before saving and prevents a broken file from locking everyone out of sudo.