Linux Security Cookbook

by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
June 2003
Content level: Intermediate to advanced
336 pages
8h 54m
English
O'Reilly Media, Inc.
Content preview from Linux Security Cookbook

5.6. Authorizing per Host in sudo

Problem

You want to allow a user authorization privileges only on certain machines.

Solution

First, define a list of machines:

               /etc/sudoers:
Host_Alias  SAFE_HOSTS = avocado, banana, cherry

Let smith run a program as jones on these machines:

smith  SAFE_HOSTS = (jones) /usr/local/bin/mycommand

Let smith run all programs as jones on these machines:

smith  SAFE_HOSTS = (jones) ALL

As an alternative, you can define a netgroup, in the /etc/netgroup file:

safe-hosts (avocado,-,-) (banana,-,-) (cherry,-,-)

Then use the netgroup in the /etc/sudoers file, with the “+” prefix:

Host_Alias  SAFE_HOSTS = +safe-hosts

You can also use the netgroup in place of the host alias:

smith  +safe-hosts = (jones) ALL

Discussion

This recipe assumes you have centralized your sudo configuration: the same sudoers file on all your computers. If not, you could grant per-machine privileges by installing a different sudoers file on each machine.

Netgroups can be useful for centralization if they are implemented as a shared NIS database. In that case, you can update the machines in netgroups without changing your /etc/sudoers files.

The host alias is optional but helpful for organizing your sudoers file, so you needn’t retype the set of hostnames repeatedly.

As another example, you could let users administer their own machines but not others:

               /etc/sudoers:
bob bobs_machine = ALL
gert gerts_machine = ALL
ernie ernies_machine = ALL

(Though this is perhaps pointless infrastructure, since ALL would permit ...
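As an added example (not code from the book), here is a small Python evaluator that reads a constructed /etc/netgroup and /etc/sudoers pair modelled on the recipe above and answers whether a given user, on a given host, may run a command as a given target user. It resolves Host_Alias definitions and the "+netgroup" prefix in the way the recipe describes; the hostnames, the NET_HOSTS alias and the gert rule are constructed, and everything beyond this subset of sudoers syntax (Cmnd_Alias, wildcards, Defaults, the user and domain fields of netgroup triples) is deliberately left out.

```python
"""Toy evaluator for per-host sudoers rules (added example, not the book's code).

It models only the pieces the recipe uses: a Host_Alias, a '+netgroup'
host spec resolved against /etc/netgroup-style triples, a (runas) user
and either ALL or one literal command.  Real sudo has far more syntax and
matches netgroups via innetgr(3), which also looks at the user and domain
fields; this toy compares hostnames only.
"""
import re

# Constructed sample files; the hostnames are not real machines.
NETGROUP_FILE = """\
safe-hosts (avocado,-,-) (banana,-,-) (cherry,-,-)
"""

SUDOERS_FILE = """\
Host_Alias  SAFE_HOSTS = avocado, banana, cherry
Host_Alias  NET_HOSTS = +safe-hosts
smith  SAFE_HOSTS = (jones) /usr/local/bin/mycommand
bob    bobs_machine = ALL
gert   +safe-hosts = (jones) ALL
"""


def parse_netgroups(text):
    """Map netgroup name -> set of hostnames taken from (host,user,domain) triples."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        hosts = set()
        for host, _user, _domain in re.findall(r"\(([^,]*),([^,]*),([^)]*)\)", rest):
            if host and host != "-":  # '-' means "any host" in a triple; ignore it here
                hosts.add(host)
        groups[name] = hosts
    return groups


def parse_sudoers(text):
    """Return (host_aliases, rules); each rule is (user, host_spec, runas, command)."""
    aliases = {}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Host_Alias"):
            _, _, body = line.partition(" ")
            name, _, members = body.partition("=")
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        # user  host_spec = [(runas)] command
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(.+)", line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        user, host_spec, runas, cmd = m.groups()
        rules.append((user, host_spec, runas or "root", cmd.strip()))  # sudo defaults runas to root
    return aliases, rules


def host_matches(spec, hostname, aliases, netgroups):
    """Does the host column of a rule cover this hostname?"""
    spec = spec.strip()
    if spec == "ALL":
        return True
    if spec in aliases:  # expand the alias, which may itself contain '+netgroup' members
        return any(host_matches(m, hostname, aliases, netgroups) for m in aliases[spec])
    if spec.startswith("+"):
        return hostname in netgroups.get(spec[1:], set())
    return spec == hostname


def may_run(user, hostname, runas, command,
            sudoers_text=SUDOERS_FILE, netgroup_text=NETGROUP_FILE):
    """True if some rule lets `user` on `hostname` run `command` as `runas`."""
    aliases, rules = parse_sudoers(sudoers_text)
    netgroups = parse_netgroups(netgroup_text)
    for r_user, host_spec, r_runas, r_cmd in rules:
        if r_user != user or r_runas != runas:
            continue
        if not host_matches(host_spec, hostname, aliases, netgroups):
            continue
        if r_cmd == "ALL" or r_cmd == command:
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("smith", "avocado", "jones", "/usr/local/bin/mycommand"),  # allowed via SAFE_HOSTS
        ("smith", "durian", "jones", "/usr/local/bin/mycommand"),   # host not in the alias
        ("smith", "avocado", "root", "/usr/local/bin/mycommand"),   # wrong runas user
        ("bob", "bobs_machine", "root", "/bin/sh"),                  # per-machine ALL
        ("bob", "gerts_machine", "root", "/bin/sh"),                 # someone else's machine
        ("gert", "banana", "jones", "/bin/sh"),                      # host matched via netgroup
    ]
    for c in checks:
        print(c, "->", "ALLOW" if may_run(*c) else "DENY")
```

On a real system the equivalent checks are `visudo -c` for a syntax pass over the sudoers file and `sudo -l -U smith`, run on the host in question, to list what sudo will actually grant there.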

ISBN: 0596003919