DESCRIPTION
The sudo component manages the sudo configuracion, I.E: edits
/etc/sudoers
. It doesn't provide as strict and nice syntax and
semantic correction as visudo(8) does, but it tries to warn on most
common users' mistakes.
BASIC COMPONENT STRUCTURE
On top, it provides the following fields:
-
/software/components/sudo/general_options
: optionalIt is a list of
structure_sudo_defaults
elements. It sets default behaviour either for users or hosts, or for the whole sudo application. This structure will be explained later. -
/software/components/sudo/<user|run_as|host|cmd>_aliases
: optionalNamed lists of lists of strings containing the alias information. The name of each named list must start with a letter, and contain only letters, numbers and underscores. All the letters must be capitals. I.E: the name must match
^[A-Z][A-Z0-9_]*$
.They can be preceeded by an '!', indicating the alias must not match that name. The contents may be preceeded by an '!', indicating that item must not be part of the alias.
The contents of host aliases can be either host names, IP addresses or network specifications (IP/netmask).
A valid example:
"/software/components/sudo/user_aliases" = nlist ("FOO", list ("bar", "%wheel", "!root"));
-
/software/components/sudo/privilege_lines
: mandatoryA list of structures of the type
structure_privilege_line
, each one specifying a way for a normal user to elevate its privileges.
GENERAL OPTIONS STRUCTURE
The structure_sudo_default
defines the possible default behaviour
an user may find when running sudo. These settings are applied
globally, just to a host, just to an user, or just to a supplanted
user.
-
/software/components/sudo/general_options/[n]/user
: optionalThe user the settings apply to.
-
/software/components/sudo/general_options/[n]/host
: optionalThe host the settings apply to.
-
/software/components/sudo/general_options/[n]/run_as
: optionalThe supplanted user the settings apply to.
-
/software/components/sudo/general_options/[n]/options
: optionalThe named list of options that can be specified. Currently, only atomic options are supported. Boolean, integer and string values are handled correctly.
For a given setting, at most one of user
, host
or run_as
must be set. It is a compile error to set two or more of these.
For instance, this is valid:
"/software/components/sudo/sudo/general_options" =
list (
nlist ("user", "foo",
"options", nlist ("insults", true, "mailerpath", "/sbin/sendmail")
);
);
But this is NOT:
"/software/components/sudo/sudo/general_options" =
list (
nlist ("user", "foo",
"host", "localhost" ### Error: only one of user and host!
"options", nlist ("insults", true)
);
);
The list of options
The structure structure_sudo_default_options
lists the possible
settings and their expected type. See sudoers(5) for a full list and
description.
THE PRIVILEGE SCALATION SPECIFICATION
Each privilege line in a sudoers has the following format:
user host = (run_as_user) OPTIONS: command
And, as such, the type structure privilege_line
has the following fields:
-
/software/components/sudo/privilege_lines/[n]/user
: mandatoryThe user allowed to run
sudo <command>
. Can be an user, an user_alias, or a group (with a leading%
). -
/software/components/sudo/privilege_lines/[n]/run_as
: mandatoryThe user to be supplanted. Can be an user, a run_as_alias or a group (with a leading
%
). -
/software/components/sudo/privilege_lines/[n]/host
: mandatoryThe host from where the user can invoke sudo. Can be a host or a host_alias.
-
/software/components/sudo/privilege_lines/[n]/options
: optionalIf present, it must be either
PASSWD
orNOPASSWD
. -
/software/components/sudo/privilege_lines/[n]/cmd
: mandatoryThe command to be executed.
Remember that the built-in alias ALL is valid for users, run_as users, hosts and commands.
INCLUDING OTHER FILES
The sudoers file allows to include other configuration files, to keep
the configurations simpler. The includes
field allows to specify a
list of files that should be included.
EXAMPLES
Try the following settings:
"/software/components/sudo/general_options" =
nlist ("options", nlist ("insults", true));
"/software/components/sudo/user_aliases" =
nlist ("FOO", list ("127.0.0.1"));
"/software/components/sudo/privilege_lines" =
list (nlist (
"user", "foo",
"run_as", "ALL",
"host", "ALL",
"cmd", "ALL"
));
and see the resulting /etc/sudoers
.
WARNINGS
This component cannot perform such as exhaustive analysis as visudo does. Be careful with what you specify on your profiles or you will break sudo!!