path: root/sudoers/examples/sudoers_example_1
blob: c1709b0b8254dc0351dab1e19bc6dcb6404402e6 (plain)
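## Sample sudoers file ##
# Edit with visudo (it syntax-checks before installing) and keep the file
# root-owned, mode 0440. sudo refuses to load a sudoers file with a syntax
# error, so a single typo here locks everyone out of sudo.

# *** Host_Alias specifications ***
# Host_Alias is mainly useful when one sudoers file is replicated across
# multiple hosts; sudo matches the alias against the local hostname and the
# addresses of the local network interfaces.
# LOCAL = 127.0.0.1 is probably a bad idea: every machine has the loopback
# address, so it either matches everywhere or (depending on how the sudo
# version enumerates interfaces) nowhere -- name the real host instead.
Host_Alias LOCAL = 127.0.0.1
# Anywhere that "LAN" is specified, these hosts apply:
Host_Alias LAN = ahost.mycompany.com, anotherhost.mycompany.com

# *** User_Alias specifications ***
# User_Alias groups users. (Better to use AD/NIS groups, for global/central management?)
# MAILADMINS refers to users dick and jane
User_Alias MAILADMINS = dick, jane

# *** Runas_Alias specifications ***
# A Runas_Alias is a grouping of the target users a command may be run as.
Runas_Alias SOMEONE = larry, tom

# *** Cmnd_Alias specifications ***
# Group commands (with full paths) so the privilege lines below stay readable.
# Note: SU is defined here but never granted below.
Cmnd_Alias SU = /bin/su
# Listing explicit argument strings allows exactly those invocations;
# a bare "/sbin/service" would match any service and any action.
Cmnd_Alias SMTP = /sbin/service postfix stop, /sbin/service postfix start, /sbin/service postfix status
Cmnd_Alias REBOOT = /usr/bin/reboot, /sbin/shutdown -r now

# *** Defaults specification ***
# "Defaults:user" entries apply only to that user; a bare "Defaults" applies to everyone.
# Boolean flags are written bare, or negated with "!"; they do not take "=on"/"=off".
# john.doe does not have to enter a password to run commands as another user.
# The flag is "authenticate" (on by default); "nopasswd" is not a Defaults option
# and is rejected by visudo. NOPASSWD only exists as a tag in privilege lines.
Defaults:john.doe !authenticate
# kate: her cached credential never expires (negative timeout), GOO is kept from
# her environment and passed to the command (env_keep; env_delete+= would have
# removed it -- each env_keep entry widens what the privileged command inherits),
# commands run as linda unless -u is given, and she must always enter the root
# password (rootpw) rather than her own.
Defaults:kate timestamp_timeout=-1, env_keep+="GOO", runas_default=linda, rootpw
# jim: no credential caching (timeout 0 means a prompt every time), the password
# asked for is that of the user the command runs as (targetpw; runaspw would ask
# for runas_default's password instead), and only one attempt (passwd_tries=1).
Defaults:jim timestamp_timeout=0, targetpw, passwd_tries=1
# global defaults - log every invocation to a dedicated file, with the year in
# the timestamp ("log_year" bare; "log_year=on" is not accepted).
Defaults logfile=/var/log/sudo.log, log_year

# *** User Privilege specification ***
# This is where we actually say who, where, as whom, can do what:
# user/%group hostname = (runas_user) command
# by default, root can do all commands as all users
root ALL=(ALL) ALL
# users jake and jim, on hosts matching LOCAL, can restart crond without entering
# a password (probably a bad idea; see the LOCAL caveat above).
jake,jim LOCAL = NOPASSWD: /sbin/service crond restart
# On LAN hosts, MAILADMINS may run the SMTP commands as root and the REBOOT
# commands as a user in SOMEONE (larry or tom) -- not as root. A "(runas)" list
# applies to the commands that follow it until the next one.
MAILADMINS LAN = (root) SMTP, (SOMEONE) REBOOT
# members of the group "wheel" can run, on all hosts, all commands as all users
%wheel ALL=(ALL) ALL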