Usage of the sudo command alias and its various useful features, with examples.
Syntax
Cmnd_Alias NAME = cmnd1, cmnd2, cmnd3 ….
To define a command alias in the sudoers file, remember two hard-coded rules:
- The alias name must be in uppercase letters and can contain numbers, letters and underscores (_). The alias name must start with a letter.
NAME = [A-Z]([A-Z][0-9]_)*
- Commands must be specified in absolute path format.
A command alias can be mapped to either a user or a group.
Example1
User “romeo” should be able to create a new user and password.
Cmnd_Alias ROMEO_CMDS = /usr/sbin/useradd, /usr/bin/passwd
romeo ALL = (ALL) ROMEO_CMDS
Here, giving a relative path or just the bare command name (passwd, useradd) will make sudo non-functional.
The same can be defined using the user ID, by adding a hash (#) as a prefix.
#502 ALL = (ALL) ROMEO_CMDS
Example2
Grant the same privileges to the group “tree”.
%tree ALL = (ALL) ROMEO_CMDS
Advanced option
Grant access to execute all the commands in a directory. The directory name must be a full path and must end with a slash (/). The system uses the trailing slash to tell whether the entry is a command or a directory.
Cmnd_Alias APP_CMDS = /opt/was/bin/
Multiple different command aliases can be defined at once using colon (:)
Cmnd_Alias APP_CMDS = /usr/bin/passwd, /sbin/service httpd *, /sbin/ifconfig : DB_CMDS = /bin/su - oracle, /home/oracle/crsstart : ADMIN_CMDS = /sbin/, /usr/sbin/
%app1 ALL = (ALL) APP_CMDS
dbuser ALL = (ALL) DB_CMDS
%admins ALL = (ALL) ADMIN_CMDS
Use the exclamation (!) symbol for negation.
An empty pair of double quotes ("") after a command tells sudo to stick strictly to the command and not accept any arguments.
mala ALL = (ALL) /sbin/, ! /sbin/init
Here user mala is allowed to run any command inside the /sbin directory except “init”.
fry ALL = (root) /bin/su [!-]*[!root]*
The exclamation symbol can also restrict at argument level: inside square brackets it negates a wildcard character class. The rule above allows user fry to run /bin/su with root privileges. At the same time, the pattern rejects arguments that begin with a hyphen (options) and rejects root as the login name.
One command alias can be referenced inside another command alias.
Cmnd_Alias SUN = /usr/bin/passwd
Cmnd_Alias SWE = /usr/sbin/useradd, SUN
To tell sudo not to accept any arguments and only execute the bare command, append an empty pair of double quotes ("") after the command.
swe ALL = (ALL) /sbin/hwclock ""
User swe can see the hardware clock time but will not be able to modify any settings.
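The two rules for alias names and absolute paths, the colon-separated form and the alias-inside-alias reference described above can be checked before a sudoers fragment is installed. The following Python check is an added example, not part of the original post; the function names parse_cmnd_aliases and expand and the two broken sample lines are assumptions made for illustration, and backslash line continuation is not handled.

```python
# Added example: parse_cmnd_aliases/expand are illustrative names, not sudo APIs.
import re

NAME_RE = re.compile(r"[A-Z][A-Z0-9_]*\Z")   # uppercase letter first, then A-Z, 0-9, _

# Constructed sample: the page's alias lines plus two deliberately broken ones.
SAMPLE = r"""
Cmnd_Alias APP_CMDS = /usr/bin/passwd, /sbin/service httpd *, /sbin/ifconfig : DB_CMDS = /bin/su - oracle, /home/oracle/crsstart : ADMIN_CMDS = /sbin/, /usr/sbin/
Cmnd_Alias SUN = /usr/bin/passwd
Cmnd_Alias SWE = /usr/sbin/useradd, SUN
Cmnd_Alias romeo_cmds = /usr/sbin/useradd
Cmnd_Alias BAD_PATH = passwd, /usr/sbin/useradd
"""

def parse_cmnd_aliases(text):
    """Return ({alias: [members]}, [problems]) for the Cmnd_Alias lines in text."""
    aliases, problems = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Cmnd_Alias "):
            continue
        # An unescaped colon separates several definitions on one line.
        for definition in re.split(r"(?<!\\):", line[len("Cmnd_Alias "):]):
            name, _, members = definition.partition("=")
            name = name.strip()
            if not NAME_RE.match(name):
                problems.append(f"invalid alias name {name!r}")
                continue
            aliases[name] = [m.strip() for m in re.split(r"(?<!\\),", members)]
    for name, members in aliases.items():
        for member in members:
            words = member.lstrip("! ").split()
            command = words[0] if words else ""
            # A member is an absolute path (file or directory/) or another alias.
            if not (command.startswith("/") or command in aliases):
                problems.append(f"{name}: {member!r} is not an absolute path or a defined alias")
    return aliases, problems

def expand(name, aliases, seen=()):
    """Flatten alias references (SWE -> SUN) into the command specs they stand for."""
    if name in seen:
        raise ValueError(f"alias loop at {name}")
    out = []
    for member in aliases[name]:
        out += expand(member, aliases, seen + (name,)) if member in aliases else [member]
    return out

if __name__ == "__main__":
    aliases, problems = parse_cmnd_aliases(SAMPLE)
    print(expand("SWE", aliases), problems, sep="\n")
```

This only checks the rules listed on this page; visudo -c -f with the file name remains the authoritative syntax check for a sudoers file.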