Allowing Limited Sudo Access With Visudo

If you’ve used your Debian Squeeze machine for more than a week you’ve probably run into the sudo command. Particularly if you’ve followed any of my previous tutorials you’ve used it. Sudo allows you to run superuser commands on your machine, without needing a complete superuser account.

Now what happens when you have another user on that machine that needs certain superuser privileges but you don’t want to give them FULL access? Well sudo can be configured to give users sudo access, but limited to only certain commands. Here is a breakdown:

If you use the command:

sudo visudo

you’ll be taken into the self checking sudoers editing file. What you’ll want to look for is near the bottom and appears similar to this:

# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

What this is defining is who has what sudo or superuser privileges on that machine. By default, and in this case root has all power and anyone in the admin group (generally just the initial user) has this control.

Now consider you have a buddy, wife or partner that also uses that machine and needs occasional sudo access but you’d prefer not to give them complete permissions to avoid destroying the world as we know it. Well, you can list them in this file and create a limited list of sudo permissions that they will be granted. An example would be below:

# User privilege specification

root ALL=(ALL) ALL

mike ALL=(root) /usr/bin/aptitude, /usr/bin/apt-get

Let me break this down for you. By adding this new line to the file you’ve done the following:

The first listing, mike, is the user that is being assigned the privilege. For this to apply to a group of users on the machine you would prefix the name with a % as seen in the example above (%admin).

The second listing defines the hosts that these permissions apply to. For your use this will almost always apply to your local machine only so ALL is safe. If this does not apply to you (you will know who you are) you will want to define only the hosts to grant access).

Thirdly, the (root) entry defines what user the first user is applying the command as. In this example we want to run the command as root and not any other user. You can define this to another user (or user daemon) to allow access to their specific privileges.

Lastly we’ve got a comma separated list of commands that the user will have access to. In this case I’m allowing the user mike to add and remove programs from the machine using the apt-get and aptitude programs. Allowing users to add / remove programs from your machine as in this example can be dangerous. This is for example use and may not match your usage.

Sudo is our superhero friend while using Debian. It allows us to temporarily take on a different persona, make changes to the critical parts of the machine and quietly change back again. Allowing other users this privilege can be helpful but it can also be harmful so be sure you understand who you are applying privileges to and to what commands. Security is #1, or should be, so use this knowlege wisely.

extradrmtech

Since 20 years I work on Database Architecture and data migration protocols. I am also a consultant in Web content management solutions. I am an experienced web-developer with over 10 years developing PHP/MySQL, C#, VB.Net applications ranging from simple web sites to extensive web-based business applications. When not writing code, I like to dance salsa and swing and have fun with my little family.

You may also like...

Leave a Reply