sudo

Version

sudo --version

Usage

sudo -l

Shows the Defaults in force for you and the commands you may run, as which user, and whether a password is needed. Read such a listing critically. In the example below, "(ALL) NOPASSWD: ALL" already grants every command as every user with no password, so the long list that follows it adds no restriction at all. Most of those entries would be dangerous on their own too: a "*" in a sudoers command matches any string, spaces included, so "/bin/cat *" reads any file as root; vi, less and more can all spawn a shell from inside the program, and that shell runs as root; and "/bin/su - mysql" without a password is a free switch to another account.

Matching Defaults entries for myuser on myserver:
    logfile=/var/log/sudo.log, !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=CONTROL_ROOT, env_keep+=http_proxy, env_keep+=https_proxy, env_keep+=ORACLE_HOME,
    env_keep+=TNS_ADMIN, env_keep+=DST_REPO_CPAN
User myuser may run the following commands on myserver:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: /bin/vi /etc/my.cnf, /bin/mkdir *, /bin/systemctl enable *, /bin/systemctl disable *, /bin/systemctl status *, /bin/systemctl stop *,
        /bin/systemctl start *, /bin/journalctl -xe, /usr/bin/mysql * *, /bin/cat *, /bin/zcat *, /usr/bin/mysql_secure_installation, /usr/bin/less *,
        /usr/bin/more *, /bin/du * *, /bin/yum install *, /bin/yum erase *, /bin/grep * *, /bin/vi /etc/yum.repos.d/paragon.repo, /bin/yum clean all,
        /bin/dnf module list, /bin/dnf module list, /bin/su - mysql, /usr/sbin/usermod mysql -s /bin/*, /bin/chown mysql* /*, /bin/chown -R mysql* /*,
        /bin/hostnamectl status
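An added audit script, not part of the original notes, that reads "sudo -l" output on stdin and flags the kinds of entry discussed above: ALL, programs with a built-in shell escape, and wildcard arguments. It assumes the stock sudo listing format ("User X may run the following commands on Y:" followed by indented rules); the set of shell-escape programs it knows (vi, vim, less, more, man, su) is an illustrative subset, and the sample listing embedded in it is constructed from the one above.

```sh
#!/bin/sh
# Added example: triage "sudo -l" output. Not code from the original notes.

# Constructed sample, shortened from the listing above.
SAMPLE_SUDO_L='Matching Defaults entries for myuser on myserver:
    env_reset, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User myuser may run the following commands on myserver:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: /bin/vi /etc/my.cnf, /bin/mkdir *, /bin/systemctl status *,
        /bin/cat *, /usr/bin/less *, /bin/su - mysql, /bin/hostnamectl status
    (root) /usr/bin/id'

# sudo_l_audit: read "sudo -l" output on stdin and print one line per command
# spec as "<severity> <reason> <spec>". Everything before the "may run the
# following commands" line (the Defaults) is skipped.
sudo_l_audit() {
    awk '
    /may run the following commands/ { inlist = 1; next }
    !inlist { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "") next
        sub(/^\([^)]*\)[ \t]*/, "", line)            # drop the run-as spec "(ALL)" / "(root : root)"
        while (match(line, /^[A-Z_]+:[ \t]*/))        # drop tags such as NOPASSWD: or SETENV:
            line = substr(line, RLENGTH + 1)
        n = split(line, specs, ",[ \t]*")             # one rule line may list several commands
        for (i = 1; i <= n; i++) {
            spec = specs[i]
            sub(/[ \t]+$/, "", spec)
            if (spec == "") continue                  # trailing comma on a wrapped line
            base = spec
            sub(/[ \t].*$/, "", base)                 # program path
            sub(/.*\//, "", base)                     # program basename
            if (spec == "ALL")
                print "CRITICAL any-command " spec
            else if (base ~ /^(vi|vim|less|more|man|su)$/)   # illustrative shell-escape list
                print "HIGH shell-escape " spec
            else if (spec ~ /\*/)                     # "*" matches any argument string, spaces included
                print "MEDIUM wildcard-argument " spec
            else
                print "INFO fixed-argument " spec
        }
    }'
}

# On a live system: sudo -l | sudo_l_audit
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_l_audit
```

The severities are a starting point for review, not a verdict: a fixed-argument entry can still be dangerous if the program itself writes files or runs other programs as root.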

Configuration & Logging

Configuration is held in:

/etc/sudoers

You should edit this file with visudo, which locks the file against concurrent edits and parses it before installing your changes, so a syntax error is caught instead of locking everyone out of sudo:

visudo

On OEL7, the sudo log is found in: /var/log/secure (sudo logs through syslog's authpriv facility). If a "Defaults logfile=" entry is set, as logfile=/var/log/sudo.log is in the sudo -l output above, sudo also writes to that file.

On AIX, the sudo log is found in: /var/log/sudo.log

To check, for example for anything involving the patcher directory:

grep patcher /var/log/secure

Apr 28 17:25:22 delphi sudo:  oracle : TTY=pts/0 ; PWD=/mnt/u01/dba/patcher ; USER=root ; COMMAND=/u01/dba/patcher/perms.sh
Apr 28 17:25:46 delphi sudo:  oracle : command not allowed ; TTY=pts/0 ; PWD=/mnt/u01/dba/patcher ; USER=root ; COMMAND=/bin/ls

Each line records the invoking user, the TTY, the working directory, the target user and the command. The second line is a denial: oracle tried to run /bin/ls as root and no sudoers entry allows it. Denials and failed password attempts are the lines worth alerting on.
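An added reporting script, not part of the original notes, that turns sudo's syslog lines into a short report: every denied or failed invocation is printed, followed by a per-user count by outcome. An optional regex argument restricts it to commands matching the pattern, which replaces the grep above. It assumes the stock line layout shown above ("Mon DD HH:MM:SS host sudo: user : ... ; COMMAND=..."); the sample log embedded in it is constructed from those two entries plus a failed-password line in sudo's own wording and an unrelated sshd line.

```sh
#!/bin/sh
# Added example: report on sudo entries in /var/log/secure. Not code from the original notes.

# Constructed sample log, modelled on the two entries above.
SAMPLE_SECURE_LOG='Apr 28 17:25:22 delphi sudo:  oracle : TTY=pts/0 ; PWD=/mnt/u01/dba/patcher ; USER=root ; COMMAND=/u01/dba/patcher/perms.sh
Apr 28 17:25:46 delphi sudo:  oracle : command not allowed ; TTY=pts/0 ; PWD=/mnt/u01/dba/patcher ; USER=root ; COMMAND=/bin/ls
Apr 28 17:26:01 delphi sudo:  oracle : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/oracle ; USER=root ; COMMAND=/bin/bash
Apr 28 17:26:30 delphi sudo:  myuser : TTY=pts/1 ; PWD=/home/myuser ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr 28 17:27:00 delphi sshd[1234]: Accepted publickey for oracle from 10.0.0.5 port 51234 ssh2'

# sudo_log_report [regex]: read syslog lines on stdin, keep sudo entries whose
# COMMAND matches regex (all of them if no regex), print each entry that is not a
# plain allowed run as "<timestamp> <user> <status> <target> <command>", then
# "summary <user> <status> <count>" for every user/status pair seen.
sudo_log_report() {
    awk -v pat="${1:-}" '
    $5 ~ /^sudo(\[[0-9]+\])?:$/ {                       # field 5 is "sudo:" or "sudo[pid]:"
        rest = $0
        sub(/^.* sudo(\[[0-9]+\])?: +/, "", rest)         # "oracle : command not allowed ; TTY=... ; COMMAND=..."
        n = split(rest, f, " ; ")
        split(f[1], head, " : ")                          # head[1] = invoking user, head[2] = status or first field
        user = head[1]
        status = (head[2] ~ /^(TTY|PWD|USER|COMMAND)=/) ? "allowed" : head[2]
        gsub(/ /, "-", status)                            # "command not allowed" -> "command-not-allowed"
        target = ""; cmd = ""
        for (i = 2; i <= n; i++) {
            if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
            if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
        }
        if (pat != "" && cmd !~ pat) next
        count[user " " status]++
        if (status != "allowed")
            print $1 " " $2 " " $3 " " user " " status " " target " " cmd
    }
    END { for (k in count) print "summary " k " " count[k] }'
}

# On a live system: sudo_log_report patcher < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE_LOG" | sudo_log_report
```

Summary lines come out in awk's hash order, so sort them if you need a stable report. The script keys only on the "user : status" prefix, so any future sudo message that is not a plain run (for example "user NOT in sudoers") is reported without the script knowing it in advance.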

Running commands as non-login users

For example, when you install MySQL/Percona Server using yum, by default you get a 'mysql' user with a login shell of /bin/false. It is good security to keep it that way: nobody can log in as mysql. But what can you do if you need to run something as 'mysql', like cron scheduling a backup? sudo does not need the target account's login shell to run commands as that account. With -s, sudo runs the invoking user's shell (from SHELL, or your own passwd entry), not mysql's, so the following works even though mysql's shell is /bin/false...

sudo -u mysql -s crontab -l

Examples

Add a user to the sudo group to allow them to run any command...

usermod -a -G sudo myuser

Assumes this default line is present in /etc/sudoers...

%sudo ALL=(ALL:ALL) ALL

That is the Debian/Ubuntu convention; on RHEL-family systems such as OEL the equivalent group is wheel (%wheel ALL=(ALL) ALL). The -a matters: without it, usermod -G replaces the user's supplementary groups instead of adding to them. New group membership only takes effect at the user's next login.

Add this line to the /etc/sudoers file (using visudo) to allow user 'oracle' to run /u01/dba/patcher/perms.sh as 'root' on the host 'delphi' without needing a password...

oracle   delphi = (root) NOPASSWD: /u01/dba/patcher/perms.sh
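An added helper, not part of the original notes, that installs a rule like the one above as a drop-in under /etc/sudoers.d rather than by hand-editing /etc/sudoers. It writes the rule to a temporary file, sets the 0440 mode sudo requires, checks it with "visudo -cf" when running as root (visudo also verifies ownership, so the check is skipped for an unprivileged dry run) and only then moves it into place, so a typo never reaches the live configuration. It assumes /etc/sudoers carries the stock "#includedir /etc/sudoers.d" line (written as "@includedir" by recent sudo versions); the file name and rule arguments in the usage line are the ones from the example above.

```sh
#!/bin/sh
# Added example: install one NOPASSWD rule as a validated drop-in. Not code from the original notes.

# sudoers_dropin FILE WHO HOST RUNAS COMMANDSPEC
# Writes "WHO HOST = (RUNAS) NOPASSWD: COMMANDSPEC" to FILE via a temp file.
sudoers_dropin() {
    file=$1 who=$2 host=$3 runas=$4 cmdspec=$5
    # sudo silently ignores drop-ins whose name contains "." or ends in "~", so
    # refuse such names up front; the temp file below uses that rule to its
    # advantage, since "name.XXXXXX" is never read while it is being written.
    case ${file##*/} in
        *.*|*~) echo "refusing $file: sudo ignores drop-ins named like that" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$file.XXXXXX") || return 1
    printf '%s %s = (%s) NOPASSWD: %s\n' "$who" "$host" "$runas" "$cmdspec" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        # -c = check only, -f = check this file instead of /etc/sudoers
        if ! visudo -cf "$tmp"; then
            rm -f "$tmp"
            return 1
        fi
    else
        echo "note: not root or no visudo, $tmp was not syntax-checked" >&2
    fi
    mv "$tmp" "$file"
}

# The rule from the example above, as a drop-in (run as root on the target host):
# sudoers_dropin /etc/sudoers.d/oracle-patcher oracle delphi root /u01/dba/patcher/perms.sh
```

Keeping one rule per drop-in also makes removal a matter of deleting one file, and "visudo -cf /etc/sudoers.d/oracle-patcher" can be re-run at any time to confirm the installed file still parses.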
