Thursday, March 5, 2009

HowTo: Using sudo on FreeBSD

sudo is a great tool for granting specific privileges to users other than the root user. It allows a permitted user to execute a command as the superuser or as another user, as specified in the sudoers file.

Today I'll detail the steps needed to install and configure sudo on FreeBSD from a desktop/workstation perspective; in other words, I'll concentrate on the ordinary user.

Let's start by installing the application and then proceed to configure the sudoers file with visudo:
  1. % su
  2. # cd /usr/ports/security/sudo ; make install clean
  3. # visudo /usr/local/etc/sudoers

Uncomment the following line to allow users in the wheel group to run all commands:
%wheel ALL=(ALL) ALL
By enabling this line, users in the wheel group get full root privileges on the computer, providing their own password in order to run administrative commands.

If you want users in the wheel group to acquire these privileges without using a password, uncomment the next line instead:
%wheel ALL=(ALL) NOPASSWD: ALL
sudo can also grant far more restrictive privileges; for instance, to allow the user freebsduser to mount and unmount /cdrom, the following line could be added to /usr/local/etc/sudoers:
freebsduser ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
To allow members of the users group to shut down the computer, add the following to the sudoers file:
%users localhost=/sbin/shutdown -h now
Add the following line to let user freebsduser use all privileges without entering a password:
freebsduser ALL=(ALL) NOPASSWD: ALL
After editing the sudoers file you'll need to issue a :w! command in visudo, as the file is read-only. To use sudo, just prefix the command that needs the granted privileges with sudo. For the %wheel ALL=(ALL) ALL example, if you are in the wheel group and want to shut down the computer you'd type:
# sudo shutdown -h now
and enter your password.

Once you enter a correct password, sudo records the time and for the next 5 minutes it won't ask you for a password again. After those 5 minutes you must re-authenticate. You can change the timeout value from 5 to another value by setting the password_timeout value in the /usr/local/etc/sudoers file.
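To see what the rules above actually permit before deploying them, here is an added example (not part of the original post and not sudo's own code): a small Python evaluator for the user-specification lines used in this post, with a constructed sudoers text that combines them. It applies the same matching sudo does for these simple cases: a bare ALL matches any command, a path listed without arguments matches any arguments, a path listed with arguments matches only that exact argument list, and when several entries match, the last one wins. The user names, groups and host names in the checks are made up; the Defaults line uses timestamp_timeout, the sudoers option that sets the credential-cache lifetime in minutes.

```python
import re
from dataclasses import dataclass

# Constructed sample policy reusing the rules from the post (not a real system's file)
SAMPLE_SUDOERS = """
Defaults timestamp_timeout=10
%wheel ALL=(ALL) ALL
freebsduser ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users localhost=/sbin/shutdown -h now
"""

@dataclass
class Rule:
    who: str        # "user" or "%group"
    host: str       # "ALL" or a host name
    runas: str      # "ALL" or a user name; sudoers defaults to root when omitted
    nopasswd: bool
    commands: list  # (path, args); args is None when the rule lists no arguments

def parse_rule(line):
    """Parse one user specification: who host=(runas) [NOPASSWD:] cmd[, cmd...]"""
    who, rest = line.split(None, 1)
    host, spec = (s.strip() for s in rest.split("=", 1))
    runas, nopasswd = "root", False
    m = re.match(r"\((\w+)\)\s*", spec)
    if m:
        runas, spec = m.group(1), spec[m.end():]
    if spec.startswith("NOPASSWD:"):
        nopasswd, spec = True, spec[len("NOPASSWD:"):].strip()
    commands = []
    for cmd in spec.split(","):
        path, *args = cmd.split()
        commands.append((path, args or None))
    return Rule(who, host, runas, nopasswd, commands)

def parse_policy(text):
    """Keep only user specifications; blank lines, comments and Defaults are skipped."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.startswith(("#", "Defaults"))]

def permitted(rules, user, groups, host, runas, argv):
    """Return (allowed, password_required) for running argv as runas on host."""
    result = (False, True)
    for r in rules:
        if r.who != user and not (r.who.startswith("%") and r.who[1:] in groups):
            continue
        if r.host not in ("ALL", host) or r.runas not in ("ALL", runas):
            continue
        for path, args in r.commands:
            if path == "ALL" or (path == argv[0] and args in (None, argv[1:])):
                result = (True, not r.nopasswd)  # last matching entry wins
    return result
```

Running the checks shows why the narrow rules matter: freebsduser can mount /cdrom but not an arbitrary image, and the users group can only halt the machine on localhost, whereas a wheel member can run anything as anyone.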

Every use of sudo is logged in /var/log/messages, so do take a look and check for yourself.

I've only touched the tip of the iceberg on sudo so do take a look at its man page.

5 comments:

Stephan Wehner said...

Command to add an existing user ("userlogin") to the wheel group:

$ pw group mod wheel -m userlogin

(Run as root)

Stephan

tangram said...

And...?

I fail to see the relevance of your comment taking into account the post's goal.

The post's focus was on using sudo as an administrative tool instead of just blindly adding users to wheel.

Unknown said...

Very helpful article. It provided a lot of insight into setting up sudo, much more than the text book I'm currently reading. I was wondering why I was still getting prompted for the root account password after setting up sudo for a regular user account to view the /var/log/messages file. Turns out after uncommenting the following wheel line the regular user account can now view the file that has root level only access (/var/log/messages) without being prompted for a password.

# Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

Thanks for posting

creativesumant said...

Most systems have some way of letting ordinary users perform certain tasks as root or some other privileged user. SCO Open Server has "asroot" and can also directly assign "authorizations" such as backup privileges or being able to change other users' passwords. SCO Unixware/Open Unix 8 have a similar facility in "tfadmin".

Many other Unixes, and Linux, use "sudo".

The configuration of sudo is by the /etc/sudoers file. I'm sure that there are more poorly written man pages, but "man sudoers" is among my all time favorites for obfuscation and poor explanation. The creation of the file and the actual use of sudo isn't all that bad though.

Recently I just came across a good article on "Linux". Here is its link.

Will said...

Thank you. Very helpful!