Friday, June 22, 2007

Giving ordinary users root privileges

Many times on a multi-user system it would be nice to allow particular users to do things that require root privileges without having to give them the root password. There are several tools which will solve this problem; the best known is sudo.

sudo is a portable application for giving users selectively increased permissions.

The Debian sudo package is available for all the releases and will set up a minimal configuration file when it is installed.

sudo is configured entirely through the file /etc/sudoers. This file controls the commands which users are allowed to run.

Whilst the program is flexible enough to allow users to run commands as any local user, it is typically used to give root privileges for commands.

This is the default sudoers configuration:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

The configuration is blank here; the last line is the only one which isn't a comment.

(The last line basically says that the root user can run any command).

To give a local user the ability to shut down a computer you would need to add two sections: one to define the shutdown command which you wish the user to be able to execute, and a second to define the user(s) who can run this command.

First in the command section we define a new alias which represents the shutdown command:

# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown

Then in the users section we will define a user who will be able to execute this command:

skx ALL = SHUTDOWN

This says that the user "skx" on the machine "ALL" (i.e. this machine) can run the command defined as SHUTDOWN.

This user can now shut down the machine by running:

skx@lappy:~$ sudo shutdown -h now

The sudo program will prompt the user for their own password, not root's, and then execute the command. The command will be logged via syslog.

If you wish, you can set up sudo so that users don't even need to enter their own password, by using "NOPASSWD:" as follows:

skx ALL = NOPASSWD: SHUTDOWN

As you can see, "ALL" is defined for us. Here we see it representing all hostnames, but you can also use it to define all commands.

The following setting will allow the local user skx to run any command as root. This is very, very permissive and is equivalent to allowing them to have root privileges.

skx ALL = ALL

In a group setting you might want to define a group of people who are able to perform some administration without knowing the root password. This can be achieved by defining a group:

# User alias specification
User_Alias ADMINS = skx,bob,chris

# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias APT = /usr/bin/apt-get, /usr/bin/dpkg

# full time sysadmins can run updates and shutdown the machine.
ADMINS ALL = APT, SHUTDOWN

This example shows that three users, skx, bob, and chris, can update the machine using either apt or dpkg, and shut down the machine. Any of these operations can be conducted without having the root password.

Note that allowing users to run apt and dpkg is equivalent to giving them root privileges, as packages can be installed which will subvert the system.

Even on a single-user system sudo is worth using. The following settings, for example, will allow you to run any command as root without having to use su or constantly type in your root password:

# User alias specification
User_Alias OWNER = skx

# User privilege specification
OWNER ALL= NOPASSWD: ALL
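
The following is an added example, not part of the original post: a small Python check that reads a sudoers fragment, expands the User_Alias and Cmnd_Alias entries, and reports which non-root users end up with the grants this article calls equivalent to root (ALL, apt-get, dpkg) or with NOPASSWD. The names audit and ROOT_EQUIVALENT are hypothetical, and the parser assumes only the subset of sudoers syntax used on this page (one rule per line, no includes or line continuations).

```python
import re

# Commands this page calls equivalent to root: ALL, and the apt-get/dpkg package tools.
ROOT_EQUIVALENT = {"ALL", "/usr/bin/apt-get", "/usr/bin/dpkg"}

# Constructed sample: the rules shown on this page combined into one file.
SAMPLE = """\
User_Alias ADMINS = skx,bob,chris
User_Alias OWNER = skx
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias APT = /usr/bin/apt-get, /usr/bin/dpkg
root ALL=(ALL) ALL
ADMINS ALL = APT, SHUTDOWN
OWNER ALL= NOPASSWD: ALL
"""

def audit(text):
    """Return sorted (user, finding) pairs for non-root users (hypothetical helper)."""
    aliases = {"User_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)][m.group(2)] = [v.strip() for v in m.group(3).split(",")]
        elif "=" in line:
            rules.append(line)                       # user host = commands
    findings = set()
    for rule in rules:
        who_host, spec = rule.split("=", 1)
        who = who_host.split()[0]
        nopasswd = "NOPASSWD:" in spec
        spec = re.sub(r"\([^)]*\)|NOPASSWD:", " ", spec)  # drop run-as list and tag
        cmds = []
        for item in (c.strip() for c in spec.split(",") if c.strip()):
            cmds += aliases["Cmnd_Alias"].get(item, [item])  # expand command alias
        for user in aliases["User_Alias"].get(who, [who]):   # expand user alias
            if user == "root":
                continue
            for cmd in cmds:
                if cmd.split()[0] in ROOT_EQUIVALENT:
                    findings.add((user, "root-equivalent: " + cmd.split()[0]))
            if nopasswd:
                findings.add((user, "no password prompt"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

A rule limited to SHUTDOWN with a password prompt produces no findings, which is the shape of grant the first example in this article sets up.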
