Using "sudoers" for better sudo management

What is sudoers?

Adding users to the sudo (or wheel) group grants them full root privileges, often far more than they need. The sudoers file, located at /etc/sudoers, lets us control precisely what each user may do with sudo.

It is the configuration file for the sudo command on Unix-like operating systems. It dictates which users or groups may escalate privileges, on which hosts, which commands they may run, and as which user or group those commands run.

Why use sudoers file?

  1. Security - It limits the commands users can execute, reducing the blast radius of a compromised account or a malicious change. This matters for remote CI/CD jobs: the runner account can be restricted to exactly the commands the pipeline needs and nothing else.

  2. Accountability - sudo logs every invocation (who ran what, as whom, and when) to syslog by default, and sudoers can additionally record the full terminal input and output of sessions for chosen users or groups.

  3. Flexibility - It specifies which commands may be run by which users or groups, on which hosts, and under what conditions, as we will see below.

  4. Convenience - It grants elevated privileges for specific tasks without sharing the root password.

How to configure the sudoers file

To edit the sudoers file you could open /etc/sudoers directly, but always use the visudo command instead: it locks the file against concurrent edits, opens it in the default text editor and checks the syntax before saving. A syntax error in /etc/sudoers disables sudo for everyone, which on a machine with no root password set can lock you out of root entirely. You can also check an existing file without editing it by running sudo visudo -c.

Here’s a basic guide on configuring it:

Open the sudoers file

sudo visudo

Grant user privileges

To grant a user (username) the ability to run all commands as any user and group on any host, add the following line (the next section explains the syntax):

/etc/sudoers
username ALL=(ALL:ALL) ALL

Grant group privileges

To grant a group (groupname) the same privileges, prefix the group name with the % symbol:

/etc/sudoers
%groupname ALL=(ALL:ALL) ALL

Allow specific commands

To restrict a user (username) to a specific command, such as copying from paths that require root, put the command in place of ALL:

ℹ️
It is important to use the absolute path to the executable here
/etc/sudoers
username ALL=(ALL) /bin/cp

Be aware that this line allows cp with any arguments, and cp running as root can overwrite any file on the system, including /etc/shadow and /etc/sudoers, so it is still a full privilege escalation. The same applies to mv, tar, editors and most other file-handling tools. Restrict the arguments as well, or allow only a root-owned wrapper script that takes no arguments.

Understanding the sudoers file syntax

The line username ALL=(ALL:ALL) ALL is a user specification: it defines who may use sudo, on which hosts, as which user and group, and for which commands. Its fields are:

USER HOST=(RUNAS_USER:RUNAS_GROUP) COMMANDS

HOST is compared with the machine's own hostname, which is why it is usually ALL unless one sudoers file is shared across several hosts. So, username ALL=(ALL:ALL) ALL means the user can execute any command as any user and group on any host. The following example limits a user "foo" on a host called webserver to running the apt package manager and mv as root (keep in mind that mv as root can replace any file on the system, so this is still a weak restriction):

/etc/sudoers
foo webserver=(root) /usr/bin/apt, /usr/bin/mv

Using aliases

You can define an alias for a list of commands and reference it in several places using the Cmnd_Alias syntax (User_Alias, Host_Alias and Runas_Alias work the same way for the other fields). Choose the commands carefully: tar in the alias below can execute arbitrary programs through its --checkpoint-action=exec option, so the runner effectively gets a root shell from it.

/etc/sudoers
# You can use comments!!
# Put all commands in an alias
Cmnd_Alias FILE_OPERATIONS = /usr/bin/tar, /usr/bin/mv, /bin/rm

# Allow user to use commands via sudo
gitlab-runner webserver=(ALL:ALL) FILE_OPERATIONS

Organize privilege escalation in the sudoers.d directory

For better organization and to keep the main sudoers file clean, you can use the /etc/sudoers.d/ directory. This directory allows you to create individual configuration files for different users or groups; sudo reads them in sorted lexical order. Each file must be owned by root with mode 0440, and its name must not contain a dot or end with a tilde, otherwise sudo skips it silently.

Create and edit the file

Let visudo create the file for you, which also sets the owner and mode sudo expects. Remember the naming rule: username works, username.conf or username~ would be ignored.

sudo visudo -f /etc/sudoers.d/username

Add configuration

Add the necessary configuration, similar to how you would in the main sudoers file:

/etc/sudoers.d/username
username ALL=(ALL:ALL) ALL

Ensure sudoers file is referencing the sudoers.d directory

Usually this is included at the very end of the default sudoers file, but make sure the line below exists (notice the @ symbol to reference the directory). Without it, sudo will not load anything from the sudoers.d directory. On sudo versions older than 1.9.1 the same directive is spelled #includedir /etc/sudoers.d, where the leading # is part of the directive rather than a comment.

/etc/sudoers
@includedir /etc/sudoers.d

Log sudo commands for users

Beyond the default syslog record of each sudo invocation, we can record the terminal input and output of every command a user or group runs through sudo, using the LOG_INPUT and LOG_OUTPUT tags:

/etc/sudoers
# Note that we're using `%` to reference a group name
%developers    ALL=(ALL) LOG_INPUT: LOG_OUTPUT: ALL

In a Defaults line you can set where these I/O logs are stored (the default is /var/log/sudo-io). Escape sequences such as %{user} are expanded, so the line below gives each user their own directory. Recorded sessions can be listed and replayed with sudoreplay.

/etc/sudoers
Defaults    iolog_dir=/var/log/sudo-io/%{user}

Allow sudo without using password

Add the NOPASSWD tag. Passwordless sudo is handy for non-interactive contexts such as CI/CD jobs, but pair it with a tight command list: a runner account that can run ALL without a password turns any compromised pipeline job into unattended root. Keep the input/output logging tags so the runner's actions remain auditable:

/etc/sudoers
%gitlab-runner    ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: ALL
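Putting the sudoers.d procedure and the NOPASSWD rule for a CI runner together, here is an added example (not from the original article) that generates a restricted drop-in, checks the file name against the rules sudo applies to sudoers.d, validates it with visudo -c and installs it with the expected owner and mode. The runner account gitlab-runner, the deploy script /usr/local/sbin/deploy-site and the !requiretty default are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate, validate and install a sudoers.d drop-in for a CI
# runner. Account name, script path and defaults are assumed for illustration.

# sudo silently ignores drop-ins whose name contains a '.' or ends with '~'.
# Return 0 for a usable file name, 1 otherwise.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Print the drop-in allowing RUNNER_USER to run DEPLOY_SCRIPT as root.
# The entry permits no arguments (""), so the runner cannot turn the rule into
# an arbitrary file write or a shell escape. NOPASSWD keeps the job
# non-interactive, !requiretty lets it run without a terminal on systems that
# set requiretty, and LOG_INPUT/LOG_OUTPUT keeps the session auditable.
render_runner_dropin() {
    runner=$1
    script=$2
    printf '%s\n' \
        "# CI deploy rule; edit with: visudo -f /etc/sudoers.d/$runner" \
        "Defaults:$runner !requiretty" \
        "$runner ALL=(root) NOPASSWD: LOG_INPUT: LOG_OUTPUT: $script \"\""
}

# Syntax-check a temporary copy with visudo, then install it atomically with
# the owner and mode sudo expects. Requires root, so it is not run here.
install_dropin() {
    name=$1
    content=$2
    valid_dropin_name "$name" || { echo "bad drop-in name: $name" >&2; return 1; }
    tmp=$(mktemp) || return 1
    printf '%s\n' "$content" > "$tmp"
    if ! visudo -cf "$tmp"; then
        rm -f "$tmp"
        echo "syntax check failed, not installing" >&2
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
    rm -f "$tmp"
    # Show what the account can now do, without having to log in as it.
    sudo -l -U "$name"
}

# Stand-alone run: print the drop-in that install_dropin would write.
render_runner_dropin gitlab-runner /usr/local/sbin/deploy-site
```

To apply it on a host, run as root: install_dropin gitlab-runner "$(render_runner_dropin gitlab-runner /usr/local/sbin/deploy-site)". The deploy script itself must be root-owned and not writable by the runner, or the restriction is only cosmetic.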