Creating command groups in /etc/sudoers can make managing user privileges easier and smarter.

When managing your /etc/sudoers file, it's a good idea to organize user privileges in ways that make them easier to manage over the long haul, and to assign permissions based on the roles that users play in your organization. One very useful way to do that is to group related commands together, such as all commands related to running backups or managing web sites, and assign them to the individuals or groups that require these privileges.

Setting up command groups in /etc/sudoers

To create a command group, you use what is called a Cmnd_Alias in your /etc/sudoers file and give the new command group a meaningful name. Here are some examples. Note that full pathnames must be specified for all of the commands included in a group. Otherwise, you are likely to see an error like this when you try to exit visudo:

    >>> /etc/sudoers: syntax error near line 60

Remember to only edit /etc/sudoers with the visudo command, so that it can warn you in ways like this and keep a broken file from being installed.

Command aliases like these might prove useful. Here, we're grouping kill, password and shell commands together in three separate groups:

    Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/pkill, /usr/bin/killall
    Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn
    Cmnd_Alias SHELLS = /bin/sh, /usr/bin/sh, /bin/bash, /bin/dash, /usr/bin/rsh, /bin/rbash, /bin/static-sh

Anyone given access to any of these three command groups would then be able to run the associated commands using sudo (e.g., sudo kill 1234). The format for defining command aliases is fairly simple. Use a backslash (\) at the end of a line to continue a definition on the next line.

Another very useful command group is one that you can use to keep users from running commands that might allow them to break free from restrictions you want to impose. If someone can run visudo or vi as root, for example, they can edit the /etc/sudoers file to change their own and other users' privileges.

    Cmnd_Alias RESTRICTED = /usr/sbin/vipw, /bin/vi /etc/sudoers, /bin/su - root, /bin/su -, /usr/sbin/visudo

You can apply these restrictions by configuring users or groups to not have access, in lines like these that ensure that users cannot run these commands using sudo:

    jdoe     ALL = (ALL) ALL, !RESTRICTED
    TECHSUPP ALL = ALL, !RESTRICTED

It's easy to trip over all the ALLs that you are likely to encounter in sudoers files. A quick what's-what may be in order here. When you see something like ALL ALL=(ALL) ALL in a line in the /etc/sudoers file, here's what the ALLs mean:

- The first ALL represents the users allowed to run the command (this can be an individual or a group)
- The second ALL represents the hosts
- The third ALL is the target (who you are when running the command)
- The last ALL is the group of commands allowed

Any of the ALLs can be replaced with specifics, as in the lines above that specify jdoe and TECHSUPP in the first position. The structure for defining command groups is fairly simple:

    Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/pkill
    ^          ^      ^
    |          |      |
    keyword    name   included commands

Command groups allow you to provide related sets of sudo privileges to specific groups or individuals, such as tech support folks who need to change users' passwords and sysadmins who need to be able to kill processes or reboot systems, without having to give them the ability to run all commands as root.

Assigning command groups

Once command groups have been established, you can assign them to individuals. Descriptive comments in your /etc/sudoers file will help ensure that anyone else who might edit the file can easily understand what was intended.

    # bob can change passwords and manage account password settings on all systems
    bob ALL = VIPW

You can also use command groups to deny users the ability to run a group of commands using sudo.

    # jen can run commands on all servers except those in the security group
    jen ALL, !SECURITY = ALL

You can also restrict the use of a command group to a specific system.

    # jdoe needs to be able to kill processes on the code management system
    jdoe pluto = KILL

The second of the three command group assignments above requires that the SECURITY group of servers is also defined in the /etc/sudoers file. It might look like this:

    Host_Alias SECURITY = mercury, venus, mars

You can also define users in groups and assign privileges by user group.

    User_Alias WEBMASTERS = slee, willy, liam

Disallowing access

As you can see from some of the examples above, an exclamation point in front of an item negates the access. For example, !SECURITY means any systems except those in the security group. In a similar manner, ! in front of a command means the command cannot be used with sudo.

    # maryk may change passwords for anyone but root
    maryk ALL = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

Defining other aliases

You can group commands, systems or users together with lines like those shown below.

Command groups:

    Cmnd_Alias HALT = /usr/sbin/halt

System groups:

    Host_Alias SECURITY = mercury, venus, mars

User groups can be either a group defined in /etc/group, referenced with a leading % (such as %sudo or %admin), or a User_Alias defined within the /etc/sudoers file:

    User_Alias SYSADMINS = shs, jdoe, paul

Privilege groups:

    %wheel ALL = (ALL) ALL

The /etc/sudoers file on a newly installed system generally has very little content. You can have groups with only one member. While this might seem like extra work for little or no benefit, it makes for better organization overall, because the consistent format will make the file easier to maintain as users are added and removed.

Wrap up

A well-organized /etc/sudoers file can make doling out system privileges easier and smarter. And here's a helpful tip on using the sudo command with ssh.
The best strategy for using sudo is to play around with your sudoers settings on a development system until you feel comfortable with its syntax and can keep the /etc/sudoers file organized in such a way that it's easy to read and update.
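As an added illustration of the syntax covered above (this is example code written for this page, not code from the article or from the sudo project), here is a small Python model of how Cmnd_Alias, Host_Alias and User_Alias definitions and user specification lines combine. It parses the alias lines, joins backslash-continued lines, honours the ! negation with sudoers' "last matching item wins" rule, answers "could this user run this command on this host?", and lints command aliases for entries that are not absolute paths, the mistake that produces the "syntax error near line N" message. SAMPLE is a constructed sudoers fragment built from the article's examples plus one deliberately broken HALT alias; GROUPS is a constructed stand-in for /etc/group membership. The semantics are simplified: real sudo also handles Defaults, tags such as NOPASSWD, Runas_Alias, sudoedit, includes and much more, and only sudo's own matcher is authoritative.

```python
"""Teaching model of sudoers alias and user-spec evaluation (example code)."""
import re
from fnmatch import fnmatchcase

# Constructed sample built from the article's examples; the HALT alias has a
# non-absolute entry on purpose so the lint check has something to report.
SAMPLE = r"""
Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/pkill, /usr/bin/killall
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                  /usr/bin/chfn
Cmnd_Alias RESTRICTED = /usr/sbin/vipw, /bin/vi /etc/sudoers, /bin/su - root, /bin/su -, /usr/sbin/visudo
Cmnd_Alias HALT = halt, /usr/sbin/halt
Host_Alias SECURITY = mercury, venus, mars
User_Alias TECHSUPP = alice, carl
# bob can change passwords and manage account password settings on all systems
bob ALL = VIPW
jen ALL, !SECURITY = ALL
jdoe pluto = KILL
TECHSUPP ALL = (ALL) ALL, !RESTRICTED
maryk ALL = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%sudo ALL = (ALL) ALL
"""
# Constructed stand-in for /etc/group (a %name entry in sudoers names a group).
GROUPS = {"sudo": {"root", "shs"}}

ALIAS_RE = re.compile(r"^(Cmnd_Alias|Host_Alias|User_Alias)\s+(\w+)\s*=\s*(.*)$")
SPEC_RE = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment in sudoers
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.strip():
            out.append(line.strip())
    return out


def _split(items):
    return [i.strip() for i in items.split(",") if i.strip()]


def parse(text):
    """Return ({kind: {name: [members]}}, [(user, hosts, runas, cmds), ...])."""
    aliases = {"Cmnd_Alias": {}, "Host_Alias": {}, "User_Alias": {}}
    specs = []
    for line in _logical_lines(text):
        if line.startswith("Defaults"):
            continue  # option lines are outside this model
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = _split(members)
            continue
        m = SPEC_RE.match(line)
        if m:
            user, hosts, runas, cmds = m.groups()
            specs.append((user, _split(hosts), runas or "root", _split(cmds)))
    return aliases, specs


def _match_list(items, value, table, leaf):
    """sudoers list semantics: items are walked in order; a matching item sets
    the verdict to allow, or to deny when it carries a leading '!', and the
    last matching item wins. Returns True (allow), False (deny) or None."""
    verdict = None
    for item in items:
        negated = item.startswith("!")
        name = item.lstrip("!").strip()
        if name == "ALL":
            hit = True
        elif name in table:  # an alias matches when its own members allow the value
            hit = _match_list(table[name], value, table, leaf) is True
        else:
            hit = leaf(name, value)
        if hit:
            verdict = not negated
    return verdict


def _cmd_match(entry, cmd):
    """An entry without arguments matches any arguments; an entry with
    arguments must match the whole argument string (shell-style wildcards)."""
    e_path, _, e_args = entry.partition(" ")
    c_path, _, c_args = cmd.partition(" ")
    if e_path != c_path:
        return False
    return not e_args.strip() or fnmatchcase(c_args.strip(), e_args.strip())


def _user_match(entry, user):
    if entry.startswith("%"):  # %name is a group from /etc/group
        return user in GROUPS.get(entry[1:], ())
    return entry == user


def can_run(text, user, host, cmd):
    """Model sudo's decision: among all matching user specs, the last one wins."""
    aliases, specs = parse(text)
    decision = False
    for spec_user, hosts, _runas, cmds in specs:
        if _match_list([spec_user], user, aliases["User_Alias"], _user_match) is not True:
            continue
        if _match_list(hosts, host, aliases["Host_Alias"], lambda e, v: e == v) is not True:
            continue
        verdict = _match_list(cmds, cmd, aliases["Cmnd_Alias"], _cmd_match)
        if verdict is not None:
            decision = verdict
    return decision


def lint_cmnd_aliases(text):
    """Return (alias, entry) pairs whose entry is not an absolute path; visudo
    rejects such a file with a 'syntax error near line N' message."""
    names = parse(text)[0]["Cmnd_Alias"]
    return [(alias, e) for alias, members in names.items()
            for e in (m.lstrip("!").strip() for m in members)
            if e != "ALL" and e not in names and not e.startswith("/")]
```

Usage: can_run(SAMPLE, "jen", "mars", "/usr/bin/kill 1") is False because the !SECURITY host entry is the last match, while the same command on pluto is allowed; can_run(SAMPLE, "alice", "pluto", "/usr/sbin/visudo") is False because !RESTRICTED overrides ALL; lint_cmnd_aliases(SAMPLE) reports [("HALT", "halt")]. Two design points worth noting: the "last match wins" rule applies both within a comma list and across user specs, so the order of lines in /etc/sudoers matters, and the sudoers(5) manual itself cautions that subtracting commands from ALL with ! is not a reliable restriction, so treat the negated entries as a syntax illustration rather than a security boundary, and grant specific command groups instead of ALL wherever you can.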