/usr/local/bin/checkstatus as the user scott:

chris ALL=(scott) NOPASSWD:/usr/local/bin/checkstatus

chris can then use sudo with the -u option to specify the desired user ID:

$ sudo -u scott checkstatus

Replacing the command list with the word ALL will include all commands. For example, this entry permits chris to execute any command or script as root:

chris ALL=ALL  

Permitting unrestricted access to all commands through sudo is equivalent to giving away the root password. A root user can compromise the system at very basic levels, making it impossible to later secure the system, even if you cut off that user's access. 

For convenience, you can define groups of users, hosts, or commands and then reference those in entries. This is done by using the User_Alias, Host_Alias, and Cmnd_Alias statements.

For example, to define a group of administrators and permit them to run the ifconfig and route commands as root on any of a group of desktop systems, you could use a configuration file like this:

User_Alias ADMINS=sally,harry,jason

Host_Alias ADMINDESKTOPS=yellow.fedorabook.com,orange.fedorabook.com

Cmnd_Alias NETCONFIG=/sbin/ifconfig,/sbin/route

ADMINS ADMINDESKTOPS=NETCONFIG

8.5.2. How Does It Work?

The sudo program executes with root privilege. If you view the permissions on the binary, you will see that the set-user-ID permission bit is enabled (note the s in the user community permissions):

$ ls -l /usr/bin/sudo

---s--x--x 2 root root 106832 Feb 12 04:41 /usr/bin/sudo

Since this bit is set and the file is owned by root, it executes with root's privilege.

sudo checks the /etc/sudoers file to determine if and how it should run the requested command. It requests a password if necessary, and then either denies execution or changes the effective user ID to the specified value (or leaves it as root) and executes the requested command.

When the user is prompted for, and successfully enters, her password, sudo updates a timestamp file in /var/run/sudo. The next time sudo is executed, the timestamp is checked, and if it is less than five minutes old, the user is not prompted for her password again. The timestamp is then updated.

The value of sudo lies in the ability to permit a user to execute specific commands with privilege. However, it's easy to accidentally misconfigure sudo to permit more access than intended.

For example, if you wish to permit frank to view text files owned by jenny, you could create the sudoers entry:

frank ALL=(jenny) NOPASSWD:/usr/bin/less

But the less command permits the user to access the shell by typing !, and frank can use this loophole to execute any command as though he were jenny:

frank$ sudo -u jenny less /home/jenny/.bash_profile

...(Normal output of less)...

!

$ id

uid=508(jenny) gid=508(jenny) groups=508(jenny)

$ mail -s [email protected]

Subject: I Quit

I quit because you are a hateful, mean boss. -Jenny

.

Cc:

Enter

$ rm -rf /home/jenny/*

$ exit

...(Normal output of less)...
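An added example, not from the book: a small Python audit that scans sudoers entries of the simple form shown in this section for the two misconfigurations described here, ALL commands and a program with a shell escape such as less. The SHELL_ESCAPE list, the PAGERS alias and the sample entries are constructed for illustration; NOEXEC is a standard sudoers tag that stops a dynamically linked program from executing further commands, and treating it as the remedy is this example's assumption.

```python
import re

# Programs assumed to offer a shell escape (illustrative, not exhaustive).
SHELL_ESCAPE = {"less", "more", "man", "vi", "vim", "view", "ed"}
# user host=(runas) commands -- only the simple entry form used in this section.
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$")

def audit(sudoers_text):
    """Return (line_number, user, finding) tuples for risky entries."""
    lines = [l.split("#", 1)[0].strip() for l in sudoers_text.splitlines()]
    # Pass 1: collect Cmnd_Alias definitions so entries can be expanded.
    aliases = {}
    for line in lines:
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    # Pass 2: check every user entry, skipping Defaults and alias lines.
    findings = []
    for num, line in enumerate(lines, 1):
        if not line or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, cmds = m.group(1), m.group(4)
        noexec = False  # a tag stays in force for the rest of the list
        for item in cmds.split(","):
            tags = re.findall(r"\b([A-Z_]+):", item)
            if "NOEXEC" in tags or "EXEC" in tags:
                noexec = "NOEXEC" in tags
            cmd = re.sub(r"\b[A-Z_]+:\s*", "", item).strip()
            for c in aliases.get(cmd, [cmd]):
                name = c.split(" ")[0].rsplit("/", 1)[-1]
                if c == "ALL":
                    findings.append((num, user, "unrestricted: ALL commands"))
                elif name in SHELL_ESCAPE and not noexec:
                    findings.append((num, user, "shell escape via " + name))
    return findings

# Constructed sample, modelled on the entries shown in this section.
SAMPLE = """\
Cmnd_Alias PAGERS=/usr/bin/less,/usr/bin/more
chris ALL=(scott) NOPASSWD:/usr/local/bin/checkstatus
chris ALL=ALL
frank ALL=(jenny) NOPASSWD:/usr/bin/less
frank ALL=(jenny) NOPASSWD: NOEXEC: /usr/bin/less
harry ALL=PAGERS
"""
```

Calling audit(SAMPLE) reports the chris ALL=ALL entry, frank's less entry without NOEXEC, and both pagers reached through harry's alias; the checkstatus entry and the NOEXEC entry pass.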

It can be useful to configure sudo for ALL commands for users that already have the root password because it encourages good practice, especially when used without the NOPASSWD option. The benefits of this configuration are:

• A user can assume root privilege from time to time only when it is necessary, operating without root privilege the majority of the time. Compared to the use of a root shell, this practice reduces the likelihood that a command will accidentally be executed with privilege.

• If the user steps away from the display while a shell is open, root access is not exposed.

• The user must enter a password to escalate privilege but does not have to enter the password for each individual privileged command in a series.

• The act of typing sudo in front of privileged commands serves to remind the user to check the command carefully.

8.5.3. What About...

8.5.3.1. ...changing the password timeout?

By default, sudo won't prompt the user for their password as long as they have entered it successfully in the last five minutes. To change this value, add this entry to the top of the /etc/sudoers file:

Defaults timestamp_timeout=2
