Sudo - An advanced howto
by opsec, last modified Jun 10, 2008 03:05 PM, filed under: Security Solutions
This howto is an advanced outline of the sudoers file and how it can be adapted to your needs.
Applicable to Fedora Versions
- Fedora 6, 7, 8, 9
- Centos 4, 4.5, 5, 5.1
Requirements
- Root access to the machine in question.
Doing the Work
- Log in to the terminal as root using one of these three methods only (su - | su --login | su -l) and issue the command below:
- Within visudo you will use the Esc key, the : key, the i key (insert) and wq (write/quit):
- Testing your sudo configuration:
]$ su -
Password:
]# visudo
note: always use visudo to edit the sudoers file, it checks for syntax errors on exit.
Do not use vi, nano, emacs or other text editors to edit this file. Use only visudo since it
checks for syntax errors before exiting and is the preferred tool for editing the sudoers file.
We will be approaching this from a 1 server, multiple users standpoint.
To begin editing this file press "i" and use the arrow keys to navigate to the desired
location you wish to alter; when you're finished hit the Esc key, then :wq <enter>
##########################################################################################
As the sudoers file states, I advise against using User_Alias in favor of %groupname:
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
###########################################################################################
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.
The Cmnd_Alias section lets us define exact commands the user should have access to:
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, \
/sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
What this defines is the command alias "NETWORKING" and the commands allowed within the alias.
This means that if we allow a user access to this alias within the configuration below, they
will be able to execute all of the commands defined in the alias.
This can be further broken up by creating "sub-aliases". For instance, if you want the user to
have access to every command listed except /sbin/ifconfig, create a sub-alias
(Cmnd_Alias NETWORKING2 = /sbin/ifconfig), remove /sbin/ifconfig from the NETWORKING alias, and
do not give them access to the NETWORKING2 alias in the user specifications below.
############################################################################################
Defaults:
Certain configuration options may be changed from their default values at runtime via one or
more Default_Entry lines. These may affect all users on any host, all users on a specific host,
a specific user, or commands being run as a specific user.
Below is the default list of defaults in the sudoers file:
# requires the user be logged into an actual tty
Defaults requiretty
# something very useful to add is a log file of all sudo commands issued by
# all sudo users, with times etc. This is very useful for tracking down troublemakers.
Defaults logfile=/var/log/sudo_users_log
# a few other useful features might be the following "Defaults" flags:
# passwd_tries=N (limits the number of password attempts by a sudo user)
# timestamp_timeout=0 (forces a user to enter their password every time sudo is invoked)
# timestamp_timeout=-1 (asks the user to verify their password once, then forgets it,
# even if they log out)
# the default timeout is timestamp_timeout=5 (minutes); you can change this value to whatever you like
# note: Defaults flags should be comma separated if included on the same line. (see below)
# Example password timeout:
Defaults timestamp_timeout=6, always_set_home, log_year, mail_always, mail_badpass, tty_tickets
# forgets the user's sudo password after 6 minutes, sets the sudo user's HOME environment,
# logs the year in the sudoers log file (above), mails the default mailto user (root) on a
# bad password attempt, and forces the user to authenticate on each separate tty they're logged in on.
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"
#############################################################################################
This section defines what users/groups can run what commands on what machines since the sudoers
file can be shared between multiple hosts:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
warren ALL=(ALL) ALL
Typically, if your server has only a few users you may want to add yourself as in the example
above. It gives you full root access to run any command via sudo.
#############################################################################################
This section lets us give the group "sys" permission to run all the commands outlined in the
aliases we've setup above or that were setup by default for you:
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
%sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
Adding members with access to specific commands is best if you are not sure you trust your
sudo users. For instance, adding someone as shown in the example above: warren ALL=(ALL) ALL
gives this person the ability to change the root password, dir/file attributes or otherwise
harm the system. This is not good, so we define what commands people are allowed to use based
on their role(s) on the system.
#############################################################################################
This section is much like the section above defining: root ALL=(ALL) ALL
The difference here is that this is telling sudo to allow any member of the group "wheel"
to be allowed to run any command and act as root on the system.
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
note: I HIGHLY recommend AGAINST using the NOPASSWD argument. This is a bad idea from a
security standpoint.
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
#############################################################################################
The most common complaint from users is not being able to mount/unmount CDs/DVDs on their own
systems; this next section clears that up. note: the "users" group must exist on the system
and the users you want to give this access to must all be in that group.
## Allows members of the users group to mount and unmount the
## cdrom as root
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
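Added example (not part of the original howto): a small Python audit of the sudoers forms shown above, covering the Cmnd_Alias definitions with the sub-alias trick, the Defaults logfile, and the user specifications. It expands aliases into the concrete commands each user or group may run and flags the ALL and NOPASSWD entries this howto warns against. The sudoers text is a constructed sample and the parser is deliberately minimal (no #include, #uid or Defaults:user forms), not sudo's own grammar.

```python
import re
# Constructed sample sudoers text (not from any real system) in the forms the howto uses.
SAMPLE_SUDOERS = """\
Cmnd_Alias NETWORKING = /sbin/route, /bin/ping, \\
    /sbin/iptables, /sbin/iwconfig
Cmnd_Alias NETWORKING2 = /sbin/ifconfig
Defaults logfile=/var/log/sudo_users_log
warren ALL=(ALL) ALL
%sys ALL = NETWORKING
%wheel ALL=(ALL) NOPASSWD: ALL
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
"""

def parse_sudoers(text):
    """Return (cmnd_aliases, defaults, specs); a spec is (who, host, runas, nopasswd, cmds)."""
    aliases, defaults, specs = {}, [], []
    text = re.sub(r"\\\n\s*", " ", text)                          # join continuations
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        elif line.startswith("Defaults"):
            defaults += [d.strip() for d in line[len("Defaults"):].split(",")]
        elif line:                                                 # user specification
            who, rest = line.split(None, 1)
            host, cmdspec = (s.strip() for s in rest.split("=", 1))
            m = re.match(r"\((.*?)\)\s*(.*)", cmdspec)            # optional (runas)
            runas, cmdspec = m.groups() if m else ("", cmdspec)
            nopasswd = cmdspec.startswith("NOPASSWD:")
            cmds = [c.strip() for c in cmdspec.replace("NOPASSWD:", "").split(",")]
            specs.append((who, host, runas, nopasswd, cmds))
    return aliases, defaults, specs

def commands_for(who, aliases, specs):
    """Concrete commands who may run, with every Cmnd_Alias name expanded."""
    return [c for w, _, _, _, cmds in specs if w == who
            for a in cmds for c in aliases.get(a, [a])]

def audit(text):
    """Flag what the howto warns about: ALL entries, NOPASSWD and no logfile."""
    aliases, defaults, specs = parse_sudoers(text)
    findings = []
    if not any(d.startswith("logfile=") for d in defaults):
        findings.append("Defaults: no logfile, sudo use is not logged to a file")
    for who, host, _, nopasswd, _ in specs:
        if "ALL" in commands_for(who, aliases, specs):
            findings.append(f"{who}: may run ALL commands on {host}")
        if nopasswd:
            findings.append(f"{who}: NOPASSWD entry, no password required")
    return findings
```

On a live host the authoritative checks are `sudo -l` run as the user in question, which shows what sudo itself grants, and `visudo -c`, which checks the file's syntax.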
#############################################################################################
]$ whoami
warren
]$ sudo fdisk -l
Password:
sudo: fdisk: command not found
To get around this annoyance we must add this line to our ~/.bash_profile file:
PATH=$PATH:/usr/sbin:/sbin:$HOME/bin
(note: a logout and re-login may be required for this setting to take effect.)
[warren@dev ~]$ sudo fdisk -l
Password:
Disk /dev/sda: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 24321 195254010 8e Linux LVM
Troubleshooting
Basics
If you need advanced help troubleshooting your sudo config file login to Freenode IRC and go to #fedora or #centos depending on your operating system.
- Trouble logging in as root in the terminal:
Remember to only use one of these 3 methods when logging in as root in the terminal:
(su - | su -l | su --login)
Disclaimer
We test this stuff on our own machines, really we do. But you may run into problems, if you do, come to #fedora on irc.freenode.net

