Giving ordinary users root privileges, selectively

Posted by Steve on Sat 16 Oct 2004 at 15:46

Many times on a multi-user system it would be nice to allow particular users to do things that require root privileges without having to give them the root password. There are several tools which will solve this problem; the best known is sudo.

sudo is a portable application for giving users selectively increased permissions.

The Debian sudo package is available for all releases and will set up a minimal configuration file when it is installed.

sudo is configured entirely through the file /etc/sudoers. This file controls the commands which users are allowed to run.

Whilst the program is flexible enough to allow users to run commands as any local user, it is typically used to give root privileges for commands.

This is the default sudoers configuration:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL

The configuration is blank here; the last line is the only one which isn't a comment.

(The last line basically says that the root user can run any command.)

To give a local user the ability to shut down a computer you would need to add two sections: one to define the shutdown command which you wish the user to be able to execute, and a second to define the user(s) who may run this command.

First in the command section we define a new alias which represents the shutdown command:

# Cmnd alias specification
Cmnd_Alias      SHUTDOWN = /sbin/shutdown

Then in the users section we will define a user who will be able to execute this command:

skx ALL = SHUTDOWN

This says that the user "skx" on the machine "ALL" (i.e. this machine) can run the command defined as SHUTDOWN.

This user can now shut down the machine by running:

skx@lappy:~$ sudo shutdown -h now

The sudo program will prompt the user for their own password, not root's, and then execute the command. The command will be logged via syslog.
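The syslog record mentioned above is what makes sudo auditable. The following is an added example, not part of the original article: it parses sudo's syslog lines and pulls out denied or failed attempts. The log lines are constructed samples; the users bob and eve and the timestamps are assumptions.

```python
import re

# Constructed syslog lines in the format sudo writes (host "lappy" and user
# "skx" are the article's; the other users and the timestamps are made up).
LOG = """\
Oct 16 15:50:01 lappy sudo:      skx : TTY=pts/0 ; PWD=/home/skx ; USER=root ; COMMAND=/sbin/shutdown -h now
Oct 16 15:52:10 lappy sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Oct 16 15:53:44 lappy sudo:      eve : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/eve ; USER=root ; COMMAND=/usr/bin/apt-get update
Oct 16 15:55:02 lappy sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/shutdown -h now
"""

ENTRY = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)")

def parse(line):
    """Split one sudo log line into user, failure reason (if any) and fields."""
    m = ENTRY.search(line)
    if not m:
        return None
    # COMMAND= is the last field and may contain " ; " itself: split it off first.
    head, _, command = m.group("body").partition("COMMAND=")
    entry = {"user": m.group("user"), "reason": None, "COMMAND": command.strip()}
    for part in (p.strip() for p in head.split(" ; ")):
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            entry[key] = value      # TTY=, PWD=, USER=
        elif part:
            entry["reason"] = part  # free text such as "user NOT in sudoers"
    return entry

def failures(log):
    """Return (user, reason, command) for every denied or failed attempt."""
    found = []
    for line in log.splitlines():
        entry = parse(line)
        if entry and entry["reason"]:
            found.append((entry["user"], entry["reason"], entry["COMMAND"]))
    return found

if __name__ == "__main__":
    for user, reason, command in failures(LOG):
        print(f"{user}: {reason}: {command}")
```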

If you wish you can set up sudo so that users don't even need to enter their own password, by using "NOPASSWD:" as follows:

skx ALL = NOPASSWD: SHUTDOWN

As you can see, "ALL" is predefined for us. Here it represents all hostnames, but you can also use it to mean all commands.

The following setting will allow the local user skx to run any command as root. This is very, very permissive and is equivalent to giving them root privileges.

skx ALL = ALL

In a group setting you might want to define a group of people who are able to perform some administration without knowing the root password. This can be achieved by defining a group:

# User alias specification
User_Alias      ADMINS = skx,bob,chris

# Cmnd alias specification
Cmnd_Alias      SHUTDOWN = /sbin/shutdown
Cmnd_Alias      APT = /usr/bin/apt-get, /usr/bin/dpkg

# full time sysadmins can run updates and shutdown the machine.
ADMINS      ALL = APT, SHUTDOWN

This example shows that three users, skx, bob, and chris, can update the machine using either apt or dpkg, and shut down the machine. Any of these operations can be conducted without having the root password.

Note that allowing users to run apt and dpkg is equivalent to giving them root privileges, as packages can be installed which will subvert the system.
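The two warnings above (a rule granting ALL, and a rule granting apt-get or dpkg) can be checked mechanically. The following is an added example, not part of the original article: it expands the User_Alias and Cmnd_Alias definitions and reports which users end up with a root-equivalent grant. The sample file is constructed, the users alice and carol are assumptions, and the parser covers only the simple rule forms used on this page.

```python
import re

# Constructed sample: the article's group example plus two more rules.
SUDOERS = """\
User_Alias      ADMINS = skx,bob,chris
Cmnd_Alias      SHUTDOWN = /sbin/shutdown
Cmnd_Alias      APT = /usr/bin/apt-get, /usr/bin/dpkg
ADMINS      ALL = APT, SHUTDOWN
alice ALL = SHUTDOWN
carol ALL = NOPASSWD: ALL
"""

# Assumption: what this audit treats as root-equivalent. ALL and the package
# tools come from the article's own warnings; extend the set for your site.
ROOT_EQUIVALENT = {"ALL", "/usr/bin/apt-get", "/usr/bin/dpkg"}

def audit(text):
    """Return {user: sorted findings} for rules that amount to full root."""
    users, cmnds, rules = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = re.match(r"(User|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            table = users if m.group(1) == "User" else cmnds
            table[m.group(2)] = [v.strip() for v in m.group(3).split(",")]
        else:
            rules.append(line)
    findings = {}
    for rule in rules:
        # who  host = [(runas)] command list
        m = re.match(r"(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)", rule)
        if not m:
            continue
        who, spec = m.groups()
        nopasswd = False  # a tag stays in force for the rest of the list
        for item in (s.strip() for s in spec.split(",")):
            tag = re.match(r"(NOPASSWD|PASSWD):\s*(.*)", item)
            if tag:
                nopasswd, item = tag.group(1) == "NOPASSWD", tag.group(2)
            for cmd in cmnds.get(item, [item]):
                if cmd.partition(" ")[0] in ROOT_EQUIVALENT:
                    label = cmd + (" (no password)" if nopasswd else "")
                    for user in users.get(who, [who]):
                        findings.setdefault(user, set()).add(label)
    return {user: sorted(found) for user, found in findings.items()}
```

On the sample, skx, bob and chris are reported for the two package tools and carol for a passwordless ALL, while alice, who may only run shutdown, is not reported.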

Even on a single-user system sudo is worth using. The following settings, for example, will allow you to run any command as root without having to use su or constantly type in your root password:

# User alias specification
User_Alias      OWNER = skx

# User privilege specification
OWNER ALL= NOPASSWD:  ALL

No more needing to use the root password, and full command logging via syslog.

 

 


Posted by Anonymous (194.246.xx.xx) on Thu 23 Jun 2005 at 16:08
I suppose to use rootsh (which can be found at rootsh.sourceforge.net), a wrapper around a shell which sends in/output to syslog.
You create an entry in /etc/sudoers like:
trusted_user host_or_ALL = /bin/rootsh

Your user now types "sudo rootsh" and will find himself in a root shell, as if he typed "su -" or "sudo -s". The advantage is, everything he types will be sent to syslog. So if he breaks something and denies it, you show him the logfiles from your syslog server. Believe me, you can avoid a lot of quarrels this way.


Posted by Anonymous (213.115.xx.xx) on Sat 15 Sep 2007 at 16:38
The last example seems to go against everything I thought I understood about privilege separation. There is a reason why not even the single user on a private computer uses root as their normal account. Why would you want to bypass that layer of protection against fatal mistakes? Please at least mention that this is a very bad idea...


Posted by Anonymous (213.115.xx.xx) on Sat 15 Sep 2007 at 17:58
Erm... I just realized that you still need to start your commands with 'sudo' to get root privs. I take everything back and claim the opposite... :-)


Posted by Anonymous (189.133.xx.xx) on Tue 4 Dec 2007 at 14:16
Hi,

New to all of this so do bear with me.

If it is a bad idea to allow root access to ssh (which I read about and so deny on my server) and then allow my user to have access to all of the things root can do through sudo, this means that someone only needs access to my account, and to know to type sudo, and they have full root access to my machine.

If you use su root instead; this would mean someone would have to have access to not only my account, but the root password too to perform any dangerous ops.

I know the world is not perfect and if you have many users on a machine, you don't want them to have the root password and sudo seems a good way to set up permissions; but seen as I am the only administrator; it is not better to have two layers of protection by forcing me to type in the root password instead of one?

Thoughts?

Cheers,
Paul


Posted by macdebian (189.133.xx.xx) on Tue 4 Dec 2007 at 14:47
Oh, and if anyone wants to reply to this saying that's a load of $$%$, you should never use root, could you please say how you would set things up for a single user system?

I host/will be hosting multiple domains but use virtual users for both ftp and email and have no need to give anyone shell access.

In this case; I am the single user/admin on the machine. To not use root and to get around the fact that sudo effectively makes me root on my machine (the way I have configured it), would anyone suggest creating a number of accounts with specific privileges in sudo then su'ing to each account to perform specific tasks?

That would mean someone would have to know an awful lot about my system to do anything bad, but is also a pain the ar$e when administering my system.

Too much hassle and the main aim is to keep my password safe so no one gets on my machine and continue allowing my user to be root? :)

Appreciate some feedback;
All the best


Posted by Anonymous (206.127.xx.xx) on Tue 4 Dec 2007 at 16:51
Yes, this bothers me too ...

The "solution" is to make a few modifications ....

1. Set a root password

2. Edit /etc/passwd and change root 's shell from /bin/bash to /bin/false

3. Make sure your administrative user has full access to root via sudo.

4. Add, or modify, the line "Defaults" ; add rootpw (options are comma delineated)

Defaults !lecture,tty_tickets,!fqdn,insults,rootpw

You will now need to enter a root password for sudo access.

5. Specify user access as above, they will need to use the root password.

6. If you need a root shell, you will need to

sudo /bin/bash (and I advise you also source /root/.bashrc)


Posted by macdebian (189.133.xx.xx) on Tue 4 Dec 2007 at 19:35
Ah great; I was going to ask if it was possible to force the password to be that of root and not the actual user; that gives me the 2 layer protection I was looking for; only my admin user has ssh access and I need to know the root pwd to do anything dangerous, without having to su to root. All good.

One thing; why turn off the shell from root? If only my admin user can ssh in to the system, would that not be adequate security? I have done step 4 onwards for now.

Cheers,
Paul


Posted by Anonymous (59.101.xx.xx) on Thu 11 Mar 2010 at 06:02
WATE UP NICE NAME LALA


Posted by Anonymous (64.129.xx.xx) on Fri 17 Sep 2010 at 21:13
I'm not an advocate of the '2 layer' protection indicated above, as I'd rather not give root out to anyone else, if it can be helped. Sudo allows me to do this by requesting their password instead of root's. In the sudo file, cmnd aliases can be used to limit the commands to not just any sudo'ed user to do *anything* they want to the system. This is my preference... Restrict commands by roles.

Here's the sudoers file that I just set up:


# Cmnd alias specification
Cmnd_Alias PAGERS=/bin/cat,/usr/bin/less,/usr/bin/most,/usr/bin/tail
Cmnd_Alias GREPPERS=/bin/grep,/bin/egrep
Cmnd_Alias LISTERS=/bin/ls

%sysadmin ALL=(ALL) ALL, NOPASSWD: LISTERS,PAGERS,GREPPERS

.. this does not restrict root as I mentioned above, but that's not a concern for me here. What I show that I don't see on this page yet is the use of groups for sudo.


Posted by Anonymous (210.212.xx.xx) on Fri 14 Aug 2009 at 13:33
I want to thank you


Posted by Anonymous (63.133.xx.xx) on Fri 1 Apr 2011 at 16:15
once you have used

user ALL=(ALL) ALL

shouldn't that user now be able to edit files? When I log in with my user I can not edit files in var/www or anywhere other than his own folder... :(

I am installing debian lenny on a cloudserver and am trying to create a user other than root to edit the files.


Posted by Anonymous (82.173.xx.xx) on Sun 20 Nov 2011 at 16:33
You should also mention that a user can be added to the sudo group.
usermod -a -G sudo USERNAME

After logging out and in again a user should have sudo privs due to the following directive in /etc/sudoers:
%sudo ALL=(ALL) ALL


Posted by Anonymous (96.25.xx.xx) on Wed 11 Apr 2012 at 06:02
This explanation is great except for one thing, it doesn't say how to access the sudoers file. I open my terminal, then what.


Posted by Anonymous (72.8.xx.xx) on Wed 10 Oct 2012 at 15:12
visudo


Posted by Anonymous (96.231.xx.xx) on Thu 31 Oct 2013 at 17:08
What a runaround. Should be an option at installation to give user sudo privileges.

Here is the easy way. Skip all of the stuff in this article.

su root
# type in your root password. Password will not appear.
apt-get install sudo
adduser your_user_name sudo
