5.6. Authorizing per Host in sudo
Problem
You want to allow a user authorization privileges only on certain machines.
Solution
First, define a list of machines:
/etc/sudoers:
Host_Alias SAFE_HOSTS = avocado, banana, cherry
Let smith run a program as jones on these machines:
smith SAFE_HOSTS = (jones) /usr/local/bin/mycommand
Let smith run all programs as jones on these machines:
smith SAFE_HOSTS = (jones) ALL
As an alternative, you can define a netgroup, in the /etc/netgroup file:
safe-hosts (avocado,-,-) (banana,-,-) (cherry,-,-)
Then use the netgroup in the /etc/sudoers file, with the “+” prefix:
Host_Alias SAFE_HOSTS = +safe-hosts
You can also use the netgroup in place of the host alias:
smith +safe_hosts = (jones) ALL
Discussion
This recipe assumes you have centralized your sudo configuration: the same sudoers file on all your computers. If not, you could grant per-machine privileges by installing a different sudoers file on each machine.
Netgroups can be useful for centralization if they are implemented as a shared NIS database. In that case, you can update the machines in netgroups without changing your /etc/sudoers files.
The host alias is optional but helpful for organizing your sudoers file, so you needn’t retype the set of hostnames repeatedly.
As another example, you could let users administer their own machines but not others:
/etc/sudoers:
bob bobs_machine = ALL
gert gerts_machine = ALL
ernie ernies_machine = ALL
(Though this is perhaps pointless infrastructure, since
ALL
would permit ...
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.