sudoer in centos system

1. Introduction to sudoer

Users in centos systems can be divided into two categories:

  • Super User -- root
  • Ordinary User--Other

The su (switch user) command is a command that performs an operation by switching user identities.

The differences between su and sudo are as follows:

  • The main purpose of the su command is to allow you to switch to another user in a session you've logged in to (without logging out of the current user).
  • The sudo command allows a specific user to execute a specific command as root or as another user.

2. Introduction to sudo configuration

The sudo command allows the current user to execute a specific command as a specific user

The configuration file is: /etc/sudoers, modify the file using the visudo command, which uses the VI editor to edit the sudoer file and automatically checks for syntax errors.

The configuration format is as follows:

user1 ALL=(ALL) ALL #Let's talk about what this line of configuration means 

#User1 indicates that the user user1 can use the sudo command.

First ALL Refers to a host in the network (either a hostname or a ip Address), which indicates user1 Users can execute subsequent commands on this host;

In the second bracket ALL It refers to the target user, who executes the command as.

The last one ALL Is the command path. 

user1 localhost=(root) /bin/kill 

#Indicates that user1 users can execute kill commands locally as root 

#Note: The command must be a complete path



3./etc/sudoer profile details

[root@ansible ~]# cat /etc/sudoers 
## Sudoers allows particular users to run various commands as 
## the root user, without needing the root password. 
##This file allows a specific user to use a variety of commands like the root user without requiring the root user's password 
## 
## Examples are provided at the bottom of the file for collections 
## of related commands, which can then be delegated out to particular 
## users or groups. 
## At the bottom of the file are many examples of related commands to choose from, which can be used by a specific user or 
## 
## User Group Used ## This file must be edited with the 'visudo' command. 
## This file must be edited using the'visudo'command 
## Host Aliases #host alias 
## Groups of machines. You may prefer to use hostnames (perhap using 
## wildcards for entire domains) or IP addresses instead. 
## For a set of servers, you may prefer to use the host name (which may be a wildcard for the full domain name) 
## Or IP address instead, you can configure the host alias 
# Host_Alias FILESERVERS = fs1, fs2 
# Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases #User Alias
## These aren't often necessary, as you can use regular groups 
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS 
## This is not very common because you can use groups instead of aliases for a group of users 
# User_Alias ADMINS = jsmith, mikem 
## Command Aliases 
## These are groups of related commands... 
## Specify an alias for a series of interrelated commands, which can of course be one, by giving sudo permission to the alias. 
## All the commands contained in the alias can be invoked through sudo. Here are some examples 
## Networking 
#Command aliases related to network operations 
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool 
## Installation and management of software 
#Alias for commands related to software installation management 
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum 
## Services #Service-related command aliases 
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig 
## Updating the locate database #Local database upgrade command alias 
Cmnd_Alias LOCATE = /usr/sbin/updatedb 
## Storage #Command aliases related to disk operations 
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions 
#Agent permission related command aliases 
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
## Processes 
#Process-related command aliases 
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall 
## Drivers #Driver Command Alias Cmnd_Alias DRIVERS = /sbin/modprobe 
#Configuration of environment variables 
# Defaults specification 
# 
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear. 
# You have to run "ssh -t hostname sudo <cmd>". 
# Defaults requiretty Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \ LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \ LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \ _XKB_CHARSET XAUTHORITY" 
## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple 
## systems). 
## Here's the rule configuration: which users can execute which commands on which server (sudoers files can be shared across multiple systems) 
## Syntax: 
##grammar 
## user MACHINE=COMMANDS 
## User logged on to host= (transformable identity) commands that can be executed 
## 
## The COMMANDS section may have other options added to it. 
## The command section can be accompanied by some other options 
## 
## Allow root to run any commands anywhere 
## Allow root user to execute any command root ALL=(ALL) ALL under any path 
## Allows members of the 'sys' group to run networking, software, 
## service management apps and more. 
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS 
## Allow users in sys user groups to use commands configured in all aliases, such as NETWORKING 
## Allows people in group wheel to run all commands 
# %wheel ALL=(ALL) ALL ## Allow users in the wheel user group to execute all commands 
## Same thing without a password 
## Allow users in the wheel user group to use all commands without entering the user's password 
# %wheel ALL=(ALL) NOPASSWD: ALL 
## Allows members of the users group to mount and unmount the 
## cdrom as root 
## Allow users in the users group to use mount, unmount, chrom commands like root users 
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom 
## Allows members of the users group to shutdown this system 
# %users localhost=/sbin/shutdown -h now 
## Allow users in the users group to use the shutdown command like root users



As mentioned above:

The sudoers file consists of three main parts:

  • Defaults for sudoers, which mainly sets some defaults for sudo
  • Alias, mainly Host_Alias|Runas_Alias|Cmnd_Alias.
  • Security Policy (Rule Definition) - Focus

Each section is detailed as follows:

3.1 default section

Defaults !visiblepw 
# 
# Preserving HOME has security implications since many programs 
# use it when searching for configuration files. Note that HOME 
# is already set when the the env_reset option is enabled, so 
# this option is only effective for configurations where either 
# env_reset is disabled or HOME is present in the env_keep list. 
# 
Defaults always_set_home 
Defaults match_group_by_gid 
Defaults env_reset 
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" 
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" 
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

3.2 Host Alias

Host aliases are primarily used to create host groupings that give the group hosts access to which commands or command aliases. The basic idea is that the file is maintained by all hosts in the organization and then copied to / etc in each host. Some hosts, such as servers, can configure a group to give users access to specific commands. For example, you can start and stop similar HTTPD, DNS and network services; You can mount the system and so on.


## Host Aliases 
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2 
Host_Alias HOST1 = host1, host2 
Host_Alias HOST2 = host3,host4 
Host_Alias HOST1 = host1,host2 
HOST2=host3,host4 
##Line 7 is equivalent to lines 5 and 6.


3.3 User Alias

User aliases allow root to organize multiple users into a group and assign permissions to target users by group. This section is optional, defined as User_Alias group1=user1,user2 used%group1. We can also use groups defined in /etc/groups directly instead of using our own aliases.

## User Aliases ## These aren't often necessary, as you can use regular groups 
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS 
User_Alias group1 = user1, user2


3.4 Target Alias

Runas_Alias ex1=item_list

3.5 Naming Alias

This is to categorize some commands so that system administrators can effectively assign permissions.

## Command Aliases 
## These are groups of related commands... 
## Networking 
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool 
## Installation and management of software 
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum 
## Services 
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable 
## Updating the locate database 
# Cmnd_Alias LOCATE = /usr/bin/updatedb 
#Command Aliases 
## These are groups of related commands... 
## Command Aliases 
## These are groups of related commands... SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum 
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount 
## Delegating permissions 
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
## Processes 
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall 
## Drivers 
# Cmnd_Alias DRIVERS = /sbin/modprobe Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum


3.6 Security Policy (User Rules)

Rule of grammar:

User_List Host_List=(Runas_List1:Runas_List2) SELinux_Spec Tag_Spec Cmnd_List 
#User_ List (required): refers to who the rule is for 
#Host_ List (required): refers to the host from which the rule is intended for users 
#Runas_ List1 (optional): Indicates a user that can be switched with sudo-u 
#Runas_ List2 (optional): Indicates a user group that can be switched with sudo-g 
#SELinux_ Spec (optional): Indicates a SELinux-related option with an optional value of ROLE=role or TYPE=type. I'm not familiar with SELinux, so I'll add it later 
#Tag_ Spec (optional): Used to control subsequent Cmnd_List of options for which the following values are available are'NOPASSWD:'|'PASSWD:' |'NOEXEC:'|'EXEC:' |'SETENV:'|'NOSETENV:' |'LOG_ INPUT: '|'NOLOG_ INPUT: '|'LOG_ OUTPUT: '|'NOLOG_ OUTPUT:'|'MAIL:'|'NOMAIL:'| 
###Be careful#### 
##If Runas_Alias and Runas_Alias, if not filled in, defaults to root


Case 1:

user01 localhost=(root) NOPASSWD:/bin/more

#user1 users can execute as root without a password on their local machine/usr/local/bin/python

Case 2:

user01 localhost=(root) NOPASSWD:/bin/more PASSWD:/bin/less 
#user1 users can execute bin/more as root without a password on their local machine and less as root with a password

Case 3

slview localhost=(root) NOPASSWD:/usr/bin/passwd,!/usr/bin/passwd root #The slview user can execute the passwd program, but cannot modify the root password, prefixing the command with an exclamation mark to indicate that the program cannot be executed.


[root@ansible ~]# su - slview
[slview@ansible ~]$ sudo passwd root
Sorry, user slview is not allowed to execute '/bin/passwd root' as root on ansible.
[slview@ansible ~]$ sudo passwd yjtest
Changing password for user yjtest.
New password:
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
Retype new password:
passwd: all authentication tokens updated successfully.

The attempt to modify the root user password failed, and then the attempt to modify the yjtest password succeeded.

4. Other

Wildcards can only be used in the parameter list of host name, file path, command line. Here are the available wildcards:

*: Match any number of characters

?: Match an arbitrary character

[...]: Matches a character in range

[!...]: Matches a character that is not in range

\x: used to escape special characters

When using wildcards, there are the following considerations:

1. When using wildcards such as [:alpha:], escape the colon':', such as: [:alpha:]

2. When wildcards are used for file paths, they cannot be matched across'/', for example: /usr/bin/* can match/usr/bin/who but cannot match/usr/bin/X11/xterm

3. If the parameter list of an instruction is "", match the instruction that does not contain any parameters.

4. The keyword ALL means to match everything.

Posted on Thu, 02 Dec 2021 14:26:17 -0500 by lostboy