
A simple guide for configuring sudo and doas

When doing work on a Unix system, it's advised to use as few privileges as possible, so as to avoid the risk of breaking anything by accident. But when you need to make significant changes to the system, like installing or updating packages or changing critical configs, having the right permissions is crucial.

In most cases this is done using sudo or doas. sudo comes preconfigured on distros like Ubuntu, Fedora, etc. If you're using a more do-it-yourself system like Arch or FreeBSD, that may not be the case. But fear not: this post walks you through configuring either of them, with examples.

Wheel group

Often in this post you'll see me mention the wheel group. This is a special group used with these tools to easily add or remove access to these commands.

To see which groups your user is in, run this command:

groups username

replacing username with the name of your user. The command prints the list of groups your user belongs to. If you see the wheel group there, you can continue. Otherwise run the following command as the root user:

usermod -a -G wheel username

Replace username with your username.

FreeBSD users should use the following command:

pw groupmod wheel -m username

where username is the name of your user.

If you are using sudo you may also want to add your user to the sudo group, which is done by replacing wheel in the previous commands with sudo.

Sudo

sudo used to be short for superuser do, but the official project page now calls it substitute user do, because it is used to run commands as a user other than the one you are currently logged in as. Most of the time, however, it is used to act as the superuser, root (hence the original name).

According to Wikipedia, the tool had its early origins around 1980, and was developed by Robert Coggeshall and Cliff Spencer at the Department of Computer Science at SUNY/Buffalo.

Sudo is ubiquitous across Linux distros, and there's a good chance it's already installed and configured on your system. If not, this guide is for you.

Installation

First, make sure sudo is installed at all. To do that, run this command:

sudo -V

This prints information about the current sudo install. If the command runs successfully, you can skip to configuration; otherwise install it manually by running one of the following commands (depending on your distribution), logged in as the root user:

  • Ubuntu/Debian: apt install sudo
  • Arch: pacman -S sudo
  • OpenSUSE: zypper install sudo
  • RHEL/Fedora: dnf install sudo
  • Void Linux: xbps-install sudo
  • FreeBSD: pkg install sudo

Configuration using the sudoers file

There are two main ways to configure sudo. The first is the sudoers file, located at /etc/sudoers on Linux and /usr/local/etc/sudoers on FreeBSD. The paths differ, but the configuration works the same way.

A typical sudoers file looks like this:

## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
 
##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias    WEBSERVERS = www1, www2, www3
 
##
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias    ADMINS = millert, dowdy, mikef
 
##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#                           /usr/bin/pkill, /usr/bin/top
#
# Cmnd_Alias    REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
#
# Cmnd_Alias    DEBUGGERS = /usr/bin/gdb, /usr/bin/lldb, /usr/bin/strace, \
#                           /usr/bin/truss, /usr/bin/bpftrace, \
#                           /usr/bin/dtrace, /usr/bin/dtruss
#
# Cmnd_Alias    PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \
#                        /usr/bin/yum, /usr/bin/dnf,  /usr/bin/zypper, \
#                        /usr/bin/pacman
 
##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find   
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods.  Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to restore the historic behavior where a command is run in
## the user's own terminal.
# Defaults !use_pty
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
## Sudo will create up to 2,176,782,336 I/O logs before recycling them.
## Set maxseq to a smaller number if you don't have unlimited disk space.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
# Defaults maxseq = 1000
##
## Uncomment to disable intercept and log_subcmds for debuggers and
## tracers.  Otherwise, anything that uses ptrace(2) will be unable
## to run under sudo if intercept_type is set to "trace".
# Defaults!DEBUGGERS !intercept, !log_subcmds
##
## Uncomment to disable intercept and log_subcmds for package managers.
## Some package scripts run a huge number of commands, which is made
## slower by these options and also can clutter up the logs.
# Defaults!PKGMAN !intercept, !log_subcmds
 
##
## Runas alias specification
##
 
##
## User privilege specification
##
root ALL=(ALL:ALL) ALL
 
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL
 
## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
 
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) ALL
 
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
 
## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d

The sudoers file must be edited with the visudo command, which locks the file and checks it for syntax errors before installing it. Running this command as the root user opens vi by default. If you want to use a different editor, set the VISUAL environment variable to the editor you want.

For example, if you want to use micro as the text editor, run:

VISUAL=micro visudo

or run export VISUAL=micro before running visudo.

There are lots of things we can configure inside the sudoers file, but for this post we'll focus on giving users access to the sudo command. The basic syntax is the following:

User Host=(RunAs) Command

where User is the user the rule applies to, Host is the host it applies to, RunAs is the target user (the user the command runs as) and Command is the list of commands that may be run.

Most of the time,you'll use this:

username ALL=(ALL) ALL

This lets username (replace with the target user) run any command as any user. Additionally, you can put NOPASSWD: before the last argument to let the user run sudo without typing their password every time (THIS IS VERY DANGEROUS, DON'T DO THIS).

You can also replace the username with a group name preceded by % to apply the same rule to every member of that group. In fact, the default config contains lines which can be uncommented to give all users in the wheel and sudo groups access to sudo:

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) ALL

Configuration using the sudoers.d directory

Another way to configure sudo is the sudoers.d directory, which lets you split the configuration into separate files.

The directory is located at /etc/sudoers.d/ on Linux and /usr/local/etc/sudoers.d/ on FreeBSD. Here you can create multiple files, each with a different configuration.

First, ensure this line is in your sudoers file:

  • Linux: @includedir /etc/sudoers.d
  • FreeBSD: @includedir /usr/local/etc/sudoers.d

Next, create as many configs as you need, using any editor you like, for as many users or groups as you need. For example:

echo "username ALL=(ALL) ALL" >> /etc/sudoers.d/username

is the simplest way to give username access to sudo. The file doesn't have to be named after the user, but it helps keep things organised.
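To tie the rule syntax and the sudoers.d layout together, here is a small audit script I'm adding to this post (it is not part of sudo or of the original post). It parses user specifications of the form User Host=(RunAs) Command, follows @includedir the way sudo does (drop-in files whose names contain a dot or end in ~ are ignored, so a stray editor backup never becomes a rule), and flags rules worth a second look, such as NOPASSWD on an unrestricted command list or a rule that applies to ALL users. The sudoers text and the drop-in files are constructed samples written to a temporary directory; the regular expression deliberately covers only the plain rule form shown above (no aliases, no backslash continuations). It is a pre-check, not a replacement for visudo: keep drop-ins root-owned with mode 0440 like the main file, and run visudo -cf on each one.

```python
import os
import re
import tempfile

# Constructed sample sudoers text (not a real system file). SUDOERS_D is
# replaced with a temporary directory at run time so the example is self-contained.
SAMPLE_SUDOERS = """\
## constructed sudoers sample
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
@includedir SUDOERS_D
"""

# Constructed drop-in files for the @includedir directory.
SAMPLE_DROPINS = {
    "username": "username ALL=(ALL) ALL\n",
    "deploy": "deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app\n",
    "backup.bak": "backup ALL=(ALL) NOPASSWD: ALL\n",  # skipped: name contains '.'
    "editor~": "editor ALL=(ALL) ALL\n",              # skipped: name ends in '~'
}

KEYWORDS = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

# User specification: User Host=(RunAsUser[:RunAsGroup]) [NOPASSWD:|PASSWD:] Command[, ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmd>.+)$"
)


def parse_rule(line):
    """Parse one user-specification line into a dict; None if it does not match."""
    m = RULE_RE.match(line)
    if not m:
        return None
    # sudoers(5): with no RunAs list the command may only be run as root
    runas_user, _, runas_group = (m.group("runas") or "root").partition(":")
    return {
        "user": m.group("user"),
        "is_group": m.group("user").startswith("%"),
        "host": m.group("host"),
        "runas_user": runas_user.strip(),
        "runas_group": runas_group.strip() or None,
        "nopasswd": m.group("tag") == "NOPASSWD",
        "commands": [c.strip() for c in m.group("cmd").split(",")],
    }


def load_rules(text):
    """Collect user specifications from sudoers text, following @includedir."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("@includedir", "#includedir")):
            parts = line.split(None, 1)
            if len(parts) == 2:
                rules.extend(load_dropins(parts[1].strip()))
        elif not line or line.startswith("#") or line.startswith(KEYWORDS):
            continue  # blank line, comment, Defaults or alias definition
        else:
            rule = parse_rule(line)
            if rule:
                rules.append(rule)
    return rules


def load_dropins(directory):
    """Read drop-ins like sudo does: names containing '.' or ending in '~' are ignored."""
    rules = []
    if os.path.isdir(directory):
        for name in sorted(os.listdir(directory)):
            if "." in name or name.endswith("~"):
                continue
            with open(os.path.join(directory, name), encoding="utf-8") as fh:
                rules.extend(load_rules(fh.read()))
    return rules


def risk(rule):
    """Return why a rule deserves a second look, or None if it is unremarkable."""
    if rule["user"] == "ALL":
        return "applies to every user"
    if rule["nopasswd"] and "ALL" in rule["commands"]:
        return "NOPASSWD with unrestricted commands"
    if rule["nopasswd"]:
        return "NOPASSWD (review the command list)"
    return None


def audit(rules):
    """List (user, reason) pairs for every rule that risk() flags."""
    return [(r["user"], risk(r)) for r in rules if risk(r)]


def demo():
    """Write the constructed drop-ins to a temp dir and load the whole configuration."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_DROPINS.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return load_rules(SAMPLE_SUDOERS.replace("SUDOERS_D", tmp))


if __name__ == "__main__":
    for user, reason in audit(demo()):
        print(f"{user}: {reason}")
```

Running it reports only the deploy drop-in, because the backup.bak file (which would have granted NOPASSWD: ALL) is skipped exactly as sudo would skip it. Point load_rules at the text of your real sudoers file to audit a live system.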

Doas

Doas was created by Ted Unangst for OpenBSD as a simpler and safer alternative to sudo. doas is not configured by default on most distros, but configuring it is much easier than sudo.

Installation

To check if doas is installed, run

doas -s

which should drop you into a root shell (once doas has a config with a rule for your user, see below). If the command is not found, install it with one of the following:

  • Ubuntu/Debian: apt install doas
  • Arch: pacman -S opendoas
  • OpenSUSE: zypper install doas
  • RHEL/Fedora: dnf install opendoas
  • Void Linux: xbps-install opendoas
  • FreeBSD: pkg install doas

Configuration

The config is located at /etc/doas.conf on Linux and /usr/local/etc/doas.conf on FreeBSD. Unlike sudo, this file is not created when you install doas, and without it the command is useless. So we need to create it and populate it with appropriate rules.

After creating the file, ensure it has the correct permissions. On Linux:

chown -c root:root /etc/doas.conf
chmod -c 0400 /etc/doas.conf

and on FreeBSD (where root's group is wheel, and chown/chmod have no -c option):

chown root:wheel /usr/local/etc/doas.conf
chmod 0400 /usr/local/etc/doas.conf

Additionally, ensure the config file ends with a newline.

The basic structure for giving access to the doas command is as follows:

permit|deny [options] identity [as target] [cmd command [args ...]]

where identity is the user the rule applies to (or, with a leading colon, a group), target (if specified) is the user identity may run commands as, and command is the command the user is allowed to run. If command is omitted, the user can run any command.

You can also add options after permit/deny. These are the more commonly used ones:

  • keepenv: keep the caller's environment variables
  • nopass: use doas without a password (BAD IDEA!)
  • persist: don't prompt for the password again for some time after a successful authentication (potentially unsafe)

For example:

permit persist keepenv username

allows username (replace with your username) to run any command using doas.

You may also want to allow members of the wheel group to run doas, which is achieved by naming the group with a leading colon:

permit persist keepenv :wheel

Once you're done editing your config, make sure it has no syntax errors that would prevent doas from running properly. You can check this by running the following command as the root user:

doas -C /etc/doas.conf && echo "config ok" || echo "config error" 

(replace /etc/doas.conf with /usr/local/etc/doas.conf on FreeBSD)
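doas -C is the authoritative check, but as an added illustration of the rule grammar above (this script is mine, not doas code or part of the original post) here is a linter that parses permit/deny rules token by token, applies the file checks from the previous section (trailing newline, root ownership, not writable by group or other, which doas itself verifies before trusting the file), flags nopass on a rule without a cmd restriction, and evaluates the "last matching rule wins" semantics of doas.conf. Both config texts are constructed samples; the broken one shows the common slip of writing ": wheel" with a space, which the tokenizer turns into two words and doas rejects, whereas ":wheel" names the group. Braces in a setenv list are assumed to be space-separated, as they are in the examples in this post.

```python
import os
import stat
import tempfile

# Constructed sample doas.conf (not a real system file).
SAMPLE_DOAS_CONF = """\
# constructed sample
permit persist keepenv username
permit persist setenv { XAUTHORITY LANG LC_ALL } :wheel
permit nopass backup as root cmd /usr/bin/rsync
permit nopass ops
deny junior as root cmd /sbin/reboot
"""

# Constructed broken sample: stray space after ':' and no trailing newline.
BROKEN_DOAS_CONF = "permit persist keepenv : wheel"

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


def parse_doas_rule(line):
    """Parse 'permit|deny [options] identity [as target] [cmd command [args ...]]'."""
    words = line.split()  # assumption: '{' and '}' are separated by spaces
    action = words.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny, not {action!r}")
    rule = {"action": action, "options": [], "setenv": [], "target": None,
            "cmd": None, "args": None}
    while words and (words[0] in OPTIONS or words[0] == "setenv"):
        opt = words.pop(0)
        if opt == "setenv":
            if not words or words.pop(0) != "{":
                raise ValueError("setenv needs a { ... } list")
            while words and words[0] != "}":
                rule["setenv"].append(words.pop(0))
            if not words:
                raise ValueError("unterminated setenv list")
            words.pop(0)
        rule["options"].append(opt)
    if not words:
        raise ValueError("missing identity")
    ident = words.pop(0)
    if ident == ":":
        raise ValueError("':' must be attached to the group name, e.g. ':wheel'")
    rule["identity"], rule["is_group"] = ident, ident.startswith(":")
    if words and words[0] == "as":
        words.pop(0)
        if not words:
            raise ValueError("'as' needs a target user")
        rule["target"] = words.pop(0)
    if words and words[0] == "cmd":
        words.pop(0)
        if not words:
            raise ValueError("'cmd' needs a command")
        rule["cmd"] = words.pop(0)
        if words and words[0] == "args":
            rule["args"], words = words[1:], []  # 'args' alone: no arguments allowed
    if words:
        raise ValueError(f"unexpected tokens {words}")
    return rule


def lint_text(text):
    """Parse every rule in the text; return (rules, problems)."""
    rules, problems = [], []
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        try:
            rule = parse_doas_rule(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        rules.append(rule)
        if "nopass" in rule["options"] and rule["cmd"] is None:
            problems.append(f"line {lineno}: nopass with unrestricted commands")
    return rules, problems


def check_file(path, owner_uid=0):
    """lint_text() plus the ownership and mode checks doas applies to its config."""
    st = os.stat(path)
    problems = []
    if st.st_uid != owner_uid:
        problems.append("file is not owned by the expected user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("file is writable by group or other")
    with open(path, encoding="utf-8") as fh:
        rules, more = lint_text(fh.read())
    return rules, problems + more


def decide(rules, user, groups, target="root", cmd=None):
    """doas semantics: the last matching rule wins; no match means deny (None)."""
    verdict = None
    for r in rules:
        ident = r["identity"]
        hit = (ident[1:] in groups) if r["is_group"] else (ident == user)
        if hit and r["target"] in (None, target) and r["cmd"] in (None, cmd):
            verdict = r
    return verdict


def demo():
    """Write the constructed sample with the recommended 0400 mode and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "doas.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DOAS_CONF)
        os.chmod(path, 0o400)
        # the temp file belongs to whoever runs this, so compare against our own
        # uid here; on a real system keep the default owner_uid=0
        return check_file(path, owner_uid=os.getuid())


if __name__ == "__main__":
    for problem in demo()[1]:
        print(problem)
```

The only finding on the sample is the ops rule, which combines nopass with no cmd restriction; the deny rule for junior wins over the earlier :wheel permit because doas takes the last matching rule. Point check_file at /etc/doas.conf (or the FreeBSD path) to run the same checks on a real config, and still finish with doas -C.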

Environment variables

Keep in mind that doas does not retain all the environment variables that sudo does. Notably, XAUTHORITY, LANG and LC_ALL are dropped, which makes using X11 harder. So it's good to add this line to fix that:

permit setenv { XAUTHORITY LANG LC_ALL } :wheel

Additionally, because doas was developed for OpenBSD, it retains some of that system's quirks, like user-installed executables living in /usr/local/bin, in contrast to /usr/bin where Linux stores them. As a result, doas can have problems on Linux, so the following workaround can be used:

permit setenv :wheel

Note that you don't need to do this workaround on FreeBSD or OpenBSD.

Combining the two lines we get:

permit persist setenv :wheel
Source: dev.to