
Sudoers

Here I will collect helpful information regarding the "sudoers" file.

User interaction

  • See which commands you may run (and as which user): sudo -l
  • Check if you may run a specific command: sudo -l /usr/bin/top
  • Run a command as root: sudo command
  • Run a command as another user: sudo -u user command
  • With privilege, see which commands another user may run: sudo -U user -l

Sudoers File Format

The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what).

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

Aliases

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.

Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
          'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
          'Host_Alias' Host_Alias (':' Host_Alias)* |
          'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*

User aliases

Users and groups of users must be referenced by user name and group name only.

Each "level" of User_Alias must include all of the "lower" (in terms of access, not necessarily numerically) levels of access for that group.

UNIX groups defined in LDAP must be used rather than listing individual users. Listing individual users is allowed for special system users only. On rare occasions a subgroup of users that needs to perform a certain role may be defined.

The following rules apply to each User_Alias definition.

Alias name:

  • Must begin with a CAPITAL letter.
  • May contain CAPITAL letters, numbers, and underscores (_) only.

Alias definition:

  • May be a user: john

  • May be a group (preceded by %): %superadmins

  • May be a User_Alias: ADMINS

  • May be a combination of any of the above, multiples are comma-space separated: ADMINS, %superadmins, bill, bob, john

  • May use negation with !: %superadmins, bill, bob, !ADMINS, !john 

 
Host aliases

The following rules apply to each Host_Alias definition.

Alias name:

  • Must begin with a CAPITAL letter.
  • May contain CAPITAL letters, numbers, and underscores (_) only.

Alias definitions:

  • May be a machine name as returned by the hostname command.
  • May be IP addresses or CIDR ranges (these match any IP on any real interface of the machine except loopback): 10.24.0.5 or 10.24.0.0/30
  • May be a Host_Alias: SAO
  • May be a glob: dns*, ns?, host9[0-7]
  • May be a combination of any of the above, multiples are comma-space separated: SAO, server1, www9[0-7], samson, 10.24.0.0/30, 10.24.0.5
  • May use negation with !: SAO, server1, www9[0-7], !samson, !10.24.0.0/30, !10.24.0.5
 


Runas aliases

The following rules apply to each Runas_Alias definition.

Alias name:

  • Must begin with a CAPITAL letter.
  • May contain CAPITAL letters, numbers, and underscores (_) only.

Alias definition:

  • Is another valid user on the system, written in parentheses: (oracle)

  • May specify a group by preceding its name with a colon: (:dba)

  • May be a combination of any of the above, multiples are comma-space separated: (oracle, postgres, mysql, :dba)
  • May use negation with !: (oracle, postgres, :dba, !mysql)

Command aliases

Each command should have its own Cmnd_Alias before being included in a Cmnd_Alias that is a list. This avoids having to re-create similar Cmnd_Aliases for slightly different needs.

Inherit from or build upon existing Cmnd_Aliases when possible.

The following rules apply to each Cmnd_Alias definition.

Alias name:

  • Must begin with a CAPITAL letter.
  • May contain CAPITAL letters, numbers, and underscores (_) only.

Alias definitions:

  • Must use the full path of the command: /usr/bin/top
  • May be a Cmnd_Alias: TOP
  • May be a glob. Globs do not match "/", so "/usr/bin/*" will not match "/usr/bin/X11/*"; such paths must be specified separately.
  • May be a combination of any of the above, multiples are comma-space separated: TOP, /bin/cat, /usr/bin/*
  • Should not use negation!

 

Real world example

Users "user1" and "user2" need to run the "/usr/sbin/acdc" command with the arguments "start", "stop" and "running", as the user "root", on hosts whose names match "dns*".

This request translates to the sudo rule:

user1,user2 dnsdelta,dnsnovember,dnssierra = (root) /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running
user1,user2 dnsdelta,dnsnovember,dnssierra = (root) /usr/sbin/acdc (start)? (stop)? (running)?
 

If the users requesting access are all in the system group "dnsadmins", we can write the above rule more briefly:

%dnsadmins dns* = (root) /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running

If the group "dnsadmins" doesn't exist, we can define an alias within sudo instead:

User_Alias DNSADMINS = user1, user2
DNSADMINS dns* = (root) /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running

Perhaps our DNS servers aren't all as nicely named as dns*; in that case a host alias may be used:

Host_Alias DNSSERVERS = dns*, strangehostnamedns
DNSADMINS DNSSERVERS = (root) /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running

We can also alias the commands:

Cmnd_Alias NSDC_STOPSTART = /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running
DNSADMINS DNSSERVERS = (root) NSDC_STOPSTART

This takes us to the final ruleset:

# Aliases
User_Alias DNSADMINS = user1, user2
Host_Alias DNSSERVERS = dns*, strangehostnamedns
Cmnd_Alias NSDC_STOPSTART = /usr/sbin/acdc (start)? (stop)? (running)?
# Commands
# USERS HOSTS = (RUNAS) COMMANDS
DNSADMINS DNSSERVERS = (root) NSDC_STOPSTART
 
In /usr/sbin/acdc (start)? (stop)? (running)?, the ? after each parenthesised argument means that the argument may or may not be present.
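To make the matching rules described above concrete, here is an added Python example (not part of this post or of sudo) that evaluates a small sudoers file the way sudo does: it expands User_/Host_/Cmnd_Alias entries, honours %group membership and ! negation, matches hosts and command arguments with shell-style wildcards in which path wildcards never cross "/", and lets the last matching rule decide. The ruleset, the group membership and the host names are constructed; the three argument variants are spelled out because sudo matches arguments as shell wildcards ("?" matches exactly one character and parentheses are literal), so a "(start)?" pattern does not match a plain "acdc start".

```python
"""Toy evaluator for the sudoers subset in this post (added example, not sudo's code)."""
import fnmatch, re
# Constructed ruleset based on the post's final one; the three argument variants are
# spelled out because sudoers matches args with shell wildcards ('?' = one character).
SUDOERS = """
User_Alias DNSADMINS = user1, user2
Host_Alias DNSSERVERS = dns*, strangehostnamedns, !dnstest
Cmnd_Alias ACDC_CTL = /usr/sbin/acdc start, /usr/sbin/acdc stop, /usr/sbin/acdc running
DNSADMINS DNSSERVERS = (root) ACDC_CTL
%dnsadmins dns* = (root) /usr/sbin/acdc status
"""
GROUPS = {"dnsadmins": {"user3"}}  # constructed stand-in for the system group database
def parse(text):
    """-> ({(kind, name): [members]}, [(users, hosts, runas, cmnds)])"""
    aliases, rules = {}, []
    for line in text.splitlines():
        if m := re.match(r"(User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)", line):
            aliases[(m[1], m[2])] = m[3].split(",")
        elif m := re.match(r"(\S+)\s+(\S+)\s*=\s*\((\w+)\)\s*(.*)", line):
            rules.append((m[1].split(","), m[2].split(","), m[3], m[4].split(",")))
    return aliases, rules

def expand(aliases, kind, tokens, neg=False):
    """Replace alias names by their members recursively; returns [(negated, literal)]."""
    out = []
    for tok in (t.strip() for t in tokens):
        n, tok = neg ^ tok.startswith("!"), tok.lstrip("!")
        out += expand(aliases, kind, aliases[(kind, tok)], n) if (kind, tok) in aliases else [(n, tok)]
    return out

def last_match(members, pred):
    """sudoers list semantics: the last matching entry decides (None if nothing matched)."""
    hits = [not neg for neg, lit in members if pred(lit)]
    return hits[-1] if hits else None

def cmnd_matches(spec, cmd):
    """Wildcards in the path never match '/'; if the spec lists args, they must match too."""
    (spath, _, sargs), (cpath, _, cargs) = spec.strip().partition(" "), cmd.strip().partition(" ")
    rx = "".join({"*": "[^/]*", "?": "[^/]"}.get(c, re.escape(c)) for c in spath)
    return bool(re.fullmatch(rx, cpath)) and (not sargs or fnmatch.fnmatchcase(cargs, sargs))

def may_run(text, user, host, runas, cmd):
    """Walk the rules in order; the last rule whose command list matches decides."""
    aliases, rules = parse(text)
    preds = {"User": lambda l: l == user or (l.startswith("%") and user in GROUPS.get(l[1:], ())),
             "Host": lambda l: fnmatch.fnmatchcase(host, l), "Cmnd": lambda l: cmnd_matches(l, cmd)}
    ok = lambda kind, toks: last_match(expand(aliases, kind, toks), preds[kind])
    hits = [ok("Cmnd", c) for u, h, r, c in rules if r == runas and ok("User", u) and ok("Host", h)]
    hits = [v for v in hits if v is not None]
    return bool(hits and hits[-1])
```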
