The sudo component manages the sudo configuracion, I.E: edits
/etc/sudoers. It doesn't provide as strict and nice syntax and
semantic correction as visudo(8) does, but it tries to warn on most
common users' mistakes.
BASIC COMPONENT STRUCTURE
On top, it provides the following fields:
It is a list of
structure_sudo_defaultselements. It sets default behaviour either for users or hosts, or for the whole sudo application. This structure will be explained later.
Named lists of lists of strings containing the alias information. The name of each named list must start with a letter, and contain only letters, numbers and underscores. All the letters must be capitals. I.E: the name must match
They can be preceeded by an '!', indicating the alias must not match that name. The contents may be preceeded by an '!', indicating that item must not be part of the alias.
The contents of host aliases can be either host names, IP addresses or network specifications (IP/netmask).
A valid example:
"/software/components/sudo/user_aliases" = nlist ("FOO", list ("bar", "%wheel", "!root"));
A list of structures of the type
structure_privilege_line, each one specifying a way for a normal user to elevate its privileges.
GENERAL OPTIONS STRUCTURE
structure_sudo_default defines the possible default behaviour
an user may find when running sudo. These settings are applied
globally, just to a host, just to an user, or just to a supplanted
The user the settings apply to.
The host the settings apply to.
The supplanted user the settings apply to.
The named list of options that can be specified. Currently, only atomic options are supported. Boolean, integer and string values are handled correctly.
For a given setting, at most one of
must be set. It is a compile error to set two or more of these.
For instance, this is valid:
"/software/components/sudo/sudo/general_options" = list ( nlist ("user", "foo", "options", nlist ("insults", true, "mailerpath", "/sbin/sendmail") ); );
But this is NOT:
"/software/components/sudo/sudo/general_options" = list ( nlist ("user", "foo", "host", "localhost" ### Error: only one of user and host! "options", nlist ("insults", true) ); );
The list of
structure_sudo_default_options lists the possible
settings and their expected type. See sudoers(5) for a full list and
THE PRIVILEGE SCALATION SPECIFICATION
Each privilege line in a sudoers has the following format:
user host = (run_as_user) OPTIONS: command
And, as such, the type
structure privilege_line has the following fields:
The user allowed to run
sudo <command>. Can be an user, an user_alias, or a group (with a leading
The user to be supplanted. Can be an user, a run_as_alias or a group (with a leading
The host from where the user can invoke sudo. Can be a host or a host_alias.
If present, it must be either
The command to be executed.
Remember that the built-in alias ALL is valid for users, run_as users, hosts and commands.
INCLUDING OTHER FILES
The sudoers file allows to include other configuration files, to keep
the configurations simpler. The
includes field allows to specify a
list of files that should be included.
Try the following settings:
"/software/components/sudo/general_options" = nlist ("options", nlist ("insults", true)); "/software/components/sudo/user_aliases" = nlist ("FOO", list ("127.0.0.1")); "/software/components/sudo/privilege_lines" = list (nlist ( "user", "foo", "run_as", "ALL", "host", "ALL", "cmd", "ALL" ));
and see the resulting
This component cannot perform such as exhaustive analysis as visudo does. Be careful with what you specify on your profiles or you will break sudo!!