[mdlug] /etc/sudoers -A rant and an attempt at better documentation

[Carl T. Miller]

Raymond McLaughlin wrote:
> It may be that I'm just dense, but I find the man page 'man sudoers' to
> be the most insanely, obscenely incomprehensible excuse for
> documentation that I can recall ever encountering. I don't want to sound
> ungrateful to the programmers who wrote this, no doubt excellent
> program, but the man page is a quintessential example of documentation
> written by programmers for the benefit of people who already know the
> answers.

Agreed.  I only use sudo where I need to.

Ray, let me share some notes I've kept and see if they help you.
They are rather sparse, but they may be easier to intuit than
the man page.

c


The typical syntax is: WHO  WHERE=(runas) WHAT

WHO is a username or group list
WHERE is a hostname or IP address
runas is an optional list of suids available to users
WHAT is a list of commands with or without parameters

The ! wildcard means not.  The * wildcard means 0 or more of
any character.  The ? wildcard means exactly 1 character.
[] contains a character list which must match.  A [] whose
first item is ! means the following characters must be excluded.

An example to let 2 users mount cdrom without needing root's password:
user1,user2  ALL=NOPASSWD: /bin/mount cdrom, /bin/umount cdrom

An example to let one user run programs as another user:
user1  ALL=(user2) ALL

An example to let a user run as root any command but su (this is
good to getting logging of activities):
user1  ALL=ALL, !/sbin/su

An example to let another user run any command including su, but
not with parameters or to become root (this is good if you want
to log activities and still give access to su):
user2  ALL=ALL, !/sbin/su [!-]*, !/sbin/su *root*

An example creating 3 aliases for Back Up procedures:
User_Alias BUUSERS=user1, user2
Cmnd_Alias BUCMD=/sbin/dump, /sbin/restore
Runas_Alias BURUNAS=operator,archive,restore
BUUSERS  ALL=(BURUNAS) BUCMD