Sudoers File parsing

Source: Internet
Author: User
Tags: sybase, syslog

Category: LINUX

Today I added a new ordinary user to the user group. At first this user had no sudo permission, so I used sudo visudo to modify the sudo configuration file and give the ordinary user root privileges. Then I thought I could just change the permissions of /etc/sudoers to 777 and edit the file directly, so I did that. The result was that I dug a hole for myself and locked myself out of sudo.
/etc/sudoers is the configuration file of sudo, and its permissions must be 440. After I ran sudo chmod 777 /etc/sudoers to change the permissions of the sudoers file, sudo could no longer be used at all. When I tried to change the permissions back with sudo chmod 440 /etc/sudoers, sudo only answered: sudo: /etc/sudoers is mode 0777, should be 0440. So I had locked myself out of sudo, and neither sudo su nor sudo -i could be used to switch to the root user. You can still switch to root with su root (this asks for the root password, so it only works where root has one set), and that lets you fix the permissions of /etc/sudoers. Problem solved.

Later I found an analysis of the sudoers file on the Internet; it is posted below.

sudo is a tool that lets the system administrator allow ordinary users to run some or all commands as root, such as halt, reboot, su and so on. This not only reduces the time root has to spend logged in and administering the system, it also improves security. sudo is not a substitute for the shell; it is applied to each command individually. Its main features:
- sudo can restrict which commands users may run on a particular host.
- sudo keeps a detailed log of what each user has done. The logs can be sent to a central host or a log server.
- sudo uses a timestamp file to implement a ticket-like system: when a user invokes sudo and enters the password, the user gets a ticket that is valid for 5 minutes (this value can be changed at compile time).
- sudo's configuration file is the sudoers file, which lets the system administrator centrally manage user privileges and the hosts they apply to. It is stored at /etc/sudoers by default, and its mode must be 0440.
Command for editing the configuration file: visudo
Default configuration file location: /etc/sudoers
# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

You can use visudo to edit the sudoers configuration file, or you can modify the sudoers file directly (visudo locks the file and checks the syntax before saving, which a direct edit does not). Before editing, it is best to look at the sample.sudoers file, which contains a very detailed example to consult.
# Part one: user aliases. Users are divided into three groups: FULLTIMERS, PARTTIMERS and WEBMASTERS.
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
# Part two: Runas aliases, which group the accounts that commands may be run as.
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
# Part three: host aliases. Hosts are grouped however is convenient; the purpose is easier management.
Host_Alias SPARC = bigtime, eclipse, moet, anchor : \
           SGI = grolsch, dandelion, black : \
           ALPHA = widget, thalamus, foobar : \
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Part four: command aliases, with full command paths. Commands must be given by absolute path, so that a same-named command in another directory cannot be run instead (a security risk); use absolute paths when invoking them as well.
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump, \
                   /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
# Defaults set options globally or per user/host. Here everything is logged to syslog through the auth facility; members of FULLTIMERS do not get the lecture (the message shown the first time sudo is run); millert may use sudo without entering a password; and on the SERVERS hosts the log also goes to /var/log/sudo.log, with the year included in every log line.
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
# root and members of the wheel group may run anything. A group is referred to by prefixing % to the group name.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
# FULLTIMERS can run any command on any host without entering their own password.
FULLTIMERS ALL = NOPASSWD: ALL
# PARTTIMERS can run any command on any host, but must first authenticate with their own password.
PARTTIMERS ALL = ALL
# jack can run any command on hosts in CSNETS (the 128.138.243.0, 128.138.242.0 and 128.138.204.0/24 networks). Note that the first two carry no netmask, so the host's own netmask is used, while the third has an explicit mask.
jack CSNETS = ALL
# lisa can run any command on any host in the CUNETS network (128.138.0.0).
lisa CUNETS = ALL
# The user operator can run DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT and any command in /usr/oper/bin/.
operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT, \
               /usr/oper/bin/
# joe can run su operator (that is, su to the operator account).
joe ALL = /usr/bin/su operator
# pete can change the password of any user except root, on the HPPA hosts.
pete HPPA = /usr/bin/passwd [a-z]*, !/usr/bin/passwd root
# bob can run any command as root or operator (the OP Runas alias) on the SPARC and SGI machines.
bob SPARC = (OP) ALL : SGI = (OP) ALL
# jim can run any command on the hosts of the biglab netgroup; in sudoers the + prefix denotes a netgroup.
jim +biglab = ALL
# Users in the secretaries netgroup help manage the printers and may also run the adduser and rmuser commands.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# fred can run commands as the oracle or sybase database accounts (the DB Runas alias) without a password.
fred ALL = (DB) NOPASSWD: ALL
# On the ALPHA machines john can su to any user except root.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
# jen can run any command on any host except those in the SERVERS group.
jen ALL, !SERVERS = ALL
# jill can run any command in /usr/bin/ on the SERVERS hosts, except su and the shells.
jill SERVERS = /usr/bin/, !SU, !SHELLS
# steve can run any command in /usr/local/op_commands/ as the operator user on the CSNETS hosts.
steve CSNETS = (operator) /usr/local/op_commands/
# matt can run the kill command on his personal workstation valkyrie.
matt valkyrie = KILL
# Users in WEBMASTERS can run any command as www, or run su www as root.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
# Any user can mount or unmount the CD-ROM on the CDROM hosts without entering a password (the backslash escapes the comma inside the mount options).
ALL CDROM = NOPASSWD: /sbin/umount /cdrom, \
            /sbin/mount -o nosuid\,nodev /dev/cd0a /cdrom
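The grammar walked through above can be checked mechanically. The following Python model is an added example, not code from this page or from the sudo project: it parses a constructed sudoers excerpt (aliases with backslash continuation and nesting, ALL, directory entries ending in /, glob patterns, ! negation and the NOPASSWD: tag) and answers whether a user on a host may run a given command line, applying sudo's rule that the last matching entry wins. Runas lists such as (OP), the : separator between host lists, netgroups, %groups and Defaults are deliberately not modelled.

```python
import fnmatch
SAMPLE = r"""
# Constructed sudoers excerpt in the dialect the page shows (not a real host's file)
User_Alias FULLTIMERS = millert, mikef, dowdy
Host_Alias SERVERS = master, mail, www, ns
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
                    /usr/local/bin/zsh
FULLTIMERS ALL = NOPASSWD: ALL
jill    SERVERS = /usr/bin/, !/usr/bin/su, !SHELLS
"""
def parse(text):
    # Join backslash-continued lines, drop comments; return (alias tables, user specs).
    aliases = {"User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}
    specs = []  # (user, host, [(negated, command), ...], nopasswd)
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):  # Defaults lines are not modelled here
            continue
        kind = line.split()[0]
        if kind in aliases:  # alias definition: Kind NAME = item, item, ...
            name, _, items = line[len(kind):].partition("=")
            aliases[kind][name.strip()] = [i.strip() for i in items.split(",")]
            continue
        user, rest = line.split(None, 1)  # user spec: who host = [NOPASSWD:] cmd, !cmd, ...
        host, _, cmds = rest.partition("=")
        nopasswd = cmds.lstrip().upper().startswith("NOPASSWD:")
        cmds = cmds.partition(":")[2] if nopasswd else cmds
        items = [(c.strip().startswith("!"), c.strip().lstrip("!")) for c in cmds.split(",")]
        specs.append((user, host.strip(), items, nopasswd))
    return aliases, specs

def expand(aliases, kind, item):  # nested alias name -> leaf entries; plain names and ALL pass through
    return [x for i in aliases[kind][item] for x in expand(aliases, kind, i)] if item in aliases[kind] else [item]

def cmd_matches(pattern, cmd):
    if pattern.endswith("/"):  # a directory entry covers the commands directly inside it
        return cmd.startswith(pattern) and "/" not in cmd[len(pattern):]
    return pattern == "ALL" or fnmatch.fnmatchcase(cmd, pattern)

def may_run(text, user, host, cmd):  # 'deny', 'allow' or 'allow-nopasswd'; last matching entry wins
    aliases, specs = parse(text)
    verdict = "deny"
    for spec_user, spec_host, items, nopasswd in specs:
        if (spec_user != "ALL" and user not in expand(aliases, "User_Alias", spec_user)) or (
                spec_host != "ALL" and host not in expand(aliases, "Host_Alias", spec_host)):
            continue
        for negated, item in items:
            if any(cmd_matches(p, cmd) for p in expand(aliases, "Cmnd_Alias", item)):
                verdict = "deny" if negated else "allow-nopasswd" if nopasswd else "allow"
    return verdict
```

Because matching is done on the whole command line, the page's pete entry (/usr/bin/passwd [a-z]* with !/usr/bin/passwd root) also evaluates correctly through this model.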

III. Usage
Command name: sudo
Who may use it: users listed in /etc/sudoers
Synopsis:
sudo -V
sudo -h
sudo -l
sudo -v
sudo -k
sudo -s
sudo -H
sudo [-b] [-p prompt] [-u username/#uid] -s
sudo command
Description: runs the command as the system administrator; that is, a command run through sudo behaves as if root had run it.
Parameters:
-V  display the version number
-h  display the version number and usage instructions
-l  display the permissions of the user running sudo
-v  sudo asks for the password on first use and again once N minutes have passed (N defaults to five); this option re-validates the timestamp, and if more than N minutes have passed the password is asked for again
-k  forces the password to be asked at the next sudo invocation, whether or not N minutes have passed
-b  runs the command in the background
-p prompt  changes the prompt used to ask for the password; %u is replaced by the user's account name and %h by the host name
-u username/#uid  without this parameter the command runs as root; with it the command runs as username (#uid gives the numeric user id instead of the name)
-s  runs the shell named by the SHELL environment variable, or the shell set in /etc/passwd
-H  sets the HOME environment variable to the home directory of the user the command runs as (root when -u is not given)
command  the command to run as the system administrator (or as another user with -u)
Examples:
sudo -l  lists the current user's permissions
sudo -V  lists sudo's version information
Command name: sudoers (this is not a command under FC5, but man sudoers works)
Describes the users who may use sudo
