Usage of the sudo command alias (Cmnd_Alias) and its various useful features, with examples.
Cmnd_Alias NAME = cmnd1, cmnd2, cmnd3 ….
To define a command alias in the sudoers file, two hard rules apply:
- The alias name must be written in uppercase letters; it may contain letters, digits and underscores (_) and must start with a letter. In the notation of sudoers(5):
NAME ::= [A-Z]([A-Z][0-9]_)*
- Commands must be specified as absolute paths.
A command alias can then be granted to either a user or a group.
Example: user "romeo" should be able to create new users and set passwords.
Cmnd_Alias ROMEO_CMDS = /usr/sbin/useradd, /usr/bin/passwd
romeo ALL = (ALL) ROMEO_CMDS
Writing a relative path or a bare command name (passwd, useradd) here makes the entry non-functional; check the file with visudo -c before relying on it.
The same rule can be written with the numeric user ID by prefixing it with a hash (#):
#502 ALL = (ALL) ROMEO_CMDS
To grant the same privileges to the group "tree", prefix the group name with a percent sign (%):
%tree ALL = (ALL) ROMEO_CMDS
To grant access to every command in a directory, give the directory's full path ending with a slash (/); the trailing slash is how sudo tells a directory from a command. Only files directly inside that directory match, not files in its subdirectories.
Cmnd_Alias APP_CMDS = /opt/was/bin/
Several command aliases can be defined on one Cmnd_Alias line, separated by colons (:):
Cmnd_Alias APP_CMDS = /usr/bin/passwd, /sbin/service httpd *, /sbin/ifconfig : DB_CMDS = /bin/su - oracle, /home/oracle/crsstart : ADMIN_CMDS = /sbin/, /usr/sbin/
%app1 ALL = (ALL) APP_CMDS
dbuser ALL = (ALL) DB_CMDS
%admins ALL = (ALL) ADMIN_CMDS
Use the exclamation mark (!) to exclude a command (negation).
Appending an empty double-quoted string ("") to a command means the command may be run only without any arguments.
mala ALL = (ALL) /sbin/, ! /sbin/init
Here user mala may run any command in the /sbin directory except init. Excluding a command with ! is a convenience rather than a hard boundary: sudoers(5) warns that subtracting commands with ! is generally not effective when the rest of the rule is broad, such as a whole directory, so where possible list the commands that are allowed instead.
fry ALL = (root) /bin/su [!-]*[!root]*
The exclamation mark can also restrict at the argument level. The rule above lets user fry run /bin/su as root, but the pattern rejects arguments that begin with a dash (options) and the argument root, so fry can switch to other accounts but not log in as root. Wildcard patterns are matched against the whole argument string and are fragile as a deny mechanism; prefer spelling out the exact commands and arguments that are permitted.
One command alias can refer to another:
Cmnd_Alias SUN = /usr/bin/passwd
Cmnd_Alias SWE = /usr/sbin/useradd, SUN
To tell sudo to execute a command only without any arguments, append an empty double-quoted string ("") to it:
swe ALL = (ALL) /sbin/hwclock ""
User swe can see the hardware clock time but cannot modify any settings, because every hwclock option is an argument and is rejected.
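As an added illustration (not code from this page or from the sudo project), here is a small Python model of the rules covered above: it parses Cmnd_Alias lines while enforcing the two hard rules, expands nested aliases, treats a trailing slash as a directory, honours ! negation, "" for no arguments and wildcard argument patterns, and evaluates a user's command list with the last-match-wins semantics sudoers uses. The SUDOERS text is constructed from the examples on this page; the function names and the simplified path matching (exact match, no wildcards in the path itself) are my own choices, not sudo's implementation.

```python
"""Toy model of sudoers Cmnd_Alias parsing and command matching.
Added illustration, not sudo's own code: uppercase alias names, absolute
paths, 'dir/' specs, '!' negation, nested aliases, "" for no arguments,
wildcards on arguments, and last-match-wins evaluation."""
import fnmatch
import os
import re
from typing import Dict, List, Optional, Tuple

ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")   # sudoers(5): [A-Z]([A-Z][0-9]_)*
Spec = Tuple[bool, str, Optional[str]]          # (negated, path, argument pattern)


def parse_cmnd_aliases(text: str) -> Dict[str, List[str]]:
    """Collect Cmnd_Alias definitions (several may share a line, colon-separated)
    and enforce the two hard rules: uppercase names, absolute command paths."""
    aliases: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Cmnd_Alias "):
            continue
        for group in line[len("Cmnd_Alias "):].split(":"):
            name, _, cmds = group.partition("=")
            name = name.strip()
            if not ALIAS_NAME.match(name):
                raise ValueError(f"alias name {name!r} must match [A-Z]([A-Z][0-9]_)*")
            items = [c.strip() for c in cmds.split(",") if c.strip()]
            for item in items:
                target = item.lstrip("!").strip()
                if not (target.startswith("/") or ALIAS_NAME.match(target)):
                    raise ValueError(f"{name}: {target!r} is not an absolute path")
            aliases[name] = items
    return aliases


def resolve(cmnd_list: str, aliases: Dict[str, List[str]],
            negate: bool = False, depth: int = 0) -> List[Spec]:
    """Expand a comma-separated command list (the part after '(ALL)') into
    concrete specs, following references to other aliases recursively."""
    if depth > 16:
        raise ValueError("alias reference loop")
    specs: List[Spec] = []
    for item in (c.strip() for c in cmnd_list.split(",") if c.strip()):
        neg = negate
        if item.startswith("!"):          # '!' may be followed by a space
            neg, item = not neg, item[1:].strip()
        if ALIAS_NAME.match(item):        # e.g. SWE = /usr/sbin/useradd, SUN
            specs += resolve(", ".join(aliases[item]), aliases, neg, depth + 1)
            continue
        path, _, args = item.partition(" ")
        specs.append((neg, path, args.strip() or None))
    return specs


def spec_matches(spec: Spec, cmd: str, user_args: List[str]) -> bool:
    """Match one spec against the command the user asked for."""
    _, path, pattern = spec
    if path.endswith("/"):                # directory: files directly inside only
        if os.path.dirname(cmd) + "/" != path:
            return False
    elif cmd != path:                     # (real sudo also allows wildcards here)
        return False
    joined = " ".join(user_args)          # sudo matches the whole argument string
    if pattern is None:                   # no pattern: any arguments allowed
        return True
    if pattern == '""':                   # "": only the bare command
        return joined == ""
    return fnmatch.fnmatchcase(joined, pattern)


def is_allowed(cmnd_list: str, aliases: Dict[str, List[str]],
               cmd: str, user_args: List[str]) -> bool:
    """Evaluate a command list the way sudoers does: the last matching spec
    wins, so a later '!' entry overrides an earlier directory grant."""
    verdict = False
    for spec in resolve(cmnd_list, aliases):
        if spec_matches(spec, cmd, user_args):
            verdict = not spec[0]
    return verdict


# Constructed sample assembled from the alias lines shown on this page.
SUDOERS = """
Cmnd_Alias ROMEO_CMDS = /usr/sbin/useradd, /usr/bin/passwd
Cmnd_Alias APP_CMDS = /usr/bin/passwd, /sbin/service httpd *, /sbin/ifconfig : DB_CMDS = /bin/su - oracle, /home/oracle/crsstart : ADMIN_CMDS = /sbin/, /usr/sbin/
Cmnd_Alias SUN = /usr/bin/passwd
Cmnd_Alias SWE = /usr/sbin/useradd, SUN
"""
ALIASES = parse_cmnd_aliases(SUDOERS)

if __name__ == "__main__":
    for user, cmnd_list, cmd, args in [
        ("mala", "/sbin/, ! /sbin/init", "/sbin/hwclock", []),
        ("mala", "/sbin/, ! /sbin/init", "/sbin/init", ["0"]),
        ("swe", '/sbin/hwclock ""', "/sbin/hwclock", ["--set", "--date=now"]),
        ("fry", "/bin/su [!-]*[!root]*", "/bin/su", ["root"]),
    ]:
        ok = is_allowed(cmnd_list, ALIASES, cmd, args)
        print(f"{user}: {cmd} {' '.join(args)} -> {'allowed' if ok else 'denied'}")
```

The model is for reasoning about a rule set offline; the authoritative check for a real file is still visudo -c -f FILE, and sudo -l as the user shows how sudo itself resolves the aliases.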