Sudoers examples


mary ALL=(ALL) NOEXEC: NOPASSWD: /bin/vi

This allows the user mary to run /bin/vi on all hosts (the first ALL) as any user (the second ALL); NOEXEC stops vi from executing other programs, so a shell escape from the editor fails, and NOPASSWD means no password is required.

NOEXEC only works when sudo was built with its dummy exec library. To check whether your sudo supports it, run the following as root:

sudo -V | grep "dummy exec"

If the output contains a line that begins with:

File containing dummy exec functions:

then NOEXEC should work. Note that NOEXEC relies on preloading that library into the command, so it only takes effect for dynamically linked executables.


mary ALL=(ALL) NOEXEC: NOPASSWD: sudoedit /etc/hosts

This allows the user mary to run "sudo -e" (sudoedit) on all hosts (the first ALL) as any user (the second ALL); NOEXEC stops the editor from executing other programs, and NOPASSWD means no password is required.

sudo -e lets the user edit a file as the target user; here it is restricted to the file /etc/hosts, so sudo -e /etc/hosts works and sudo -e /etc/passwd is refused.


Configure logging

To send logging information to /var/log/secure, add the following line to /etc/sudoers (edit it with visudo so the syntax is checked before the file goes live):

Defaults logfile=/var/log/secure
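The following script is an added example for this page, not commands from the page itself or from the sudo project. It ties together the NOEXEC check above and the sudoers rules and logging line shown on this page: it tests captured "sudo -V" output for the dummy exec line, builds rules of the form used above (rejecting commands that are not fully qualified paths, which sudoers requires, with sudoedit as the built-in exception), and installs a fragment under /etc/sudoers.d only after visudo -c has accepted its syntax. The helper names noexec_supported, sudoers_rule and install_sudoers_fragment, the sample "sudo -V" lines and the library path in them, and the Linux root:root ownership are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page or the sudo project).
# Helper names are assumptions made for this example.

# noexec_supported: read `sudo -V` output on stdin and succeed only when sudo
# reports its dummy exec library, which is what the NOEXEC tag relies on.
noexec_supported() {
    grep -q '^File containing dummy exec functions:'
}

# sudoers_rule USER HOST RUNAS TAGS COMMAND [ARGS...]
# Print one sudoers rule. TAGS may be empty or e.g. 'NOEXEC: NOPASSWD:'.
# sudoers requires fully qualified command paths; sudoedit is the built-in
# exception, so any other command without a leading / is rejected.
sudoers_rule() {
    user=$1 host=$2 runas=$3 tags=$4 cmd=$5
    shift 5
    case $cmd in
        sudoedit|/*) ;;
        *)
            echo "sudoers_rule: command must be an absolute path: $cmd" >&2
            return 1
            ;;
    esac
    printf '%s %s=(%s)' "$user" "$host" "$runas"
    if [ -n "$tags" ]; then
        printf ' %s' "$tags"
    fi
    printf ' %s' "$cmd" "$@"
    printf '\n'
}

# install_sudoers_fragment NAME [DEST_DIR]   (fragment text on stdin)
# Never edit the live sudoers by hand: stage the fragment in a temp file, let
# visudo check its syntax, then install it root-owned with mode 0440, which is
# what sudo expects. Files in sudoers.d whose name contains a '.' or ends in
# '~' are skipped by sudo, so such names are refused up front.
# Installing under /etc/sudoers.d needs root; root:root assumes Linux.
install_sudoers_fragment() {
    name=$1 dest=${2:-/etc/sudoers.d}
    case $name in
        ''|*.*|*~)
            echo "install_sudoers_fragment: '$name' would be ignored by sudo" >&2
            return 1
            ;;
    esac
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    chmod 0440 "$tmp"   # older visudo -c also checks the mode of the file
    if ! visudo -c -f "$tmp" >/dev/null 2>&1; then
        echo "install_sudoers_fragment: $name failed visudo syntax check" >&2
        rm -f "$tmp"
        return 2
    fi
    install -m 0440 -o root -g root "$tmp" "$dest/$name"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on constructed input (on a real host: sudo -V | noexec_supported).
printf 'File containing dummy exec functions: /usr/libexec/sudo/sudo_noexec.so\n' \
    | noexec_supported && echo "NOEXEC is supported"
sudoers_rule mary ALL ALL 'NOEXEC: NOPASSWD:' /bin/vi
sudoers_rule mary ALL ALL 'NOEXEC: NOPASSWD:' sudoedit /etc/hosts
echo 'Defaults logfile=/var/log/secure'
# As root, the same lines can be installed as one validated fragment:
#   { sudoers_rule mary ALL ALL 'NOEXEC: NOPASSWD:' /bin/vi
#     echo 'Defaults logfile=/var/log/secure'; } | install_sudoers_fragment 10-mary
```

visudo -c -f checks the staged file without touching the live configuration, so a typo in a fragment is caught before it can lock everyone out of sudo; the 0440 mode and root ownership are what sudo requires before it will read the file at all.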