Aliases: making your sudoers file manageable
The default sudoers file gives one group of users full control over your machine:
%wheel ALL=(ALL) ALL
Once it is not just you and your best friend administering a machine, you will start to give more fine-grained privileges to administrators. All fields in the above configuration line can be replaced by a list of values. A list of user names, a list of host names, a list of commands, and so on. Soon you will copy and paste these lists around in your sudoers file. It looks simple and manageable at first, but soon the sudoers file no longer fits on your screen. This is the time (well, actually a lot earlier) when you should turn to aliases.
Effectively, they are just named lists. Instead of listing all involved users for every different command, you can group users together in a list and give the list a name. You can then use that alias name instead of listing all the names each time. The same goes for host names and command names as well. It makes the sudoers file easier and less error-prone to manage.
First of all you need to create the aliases. For hosts you use the “Host_Alias” keyword, for users “User_Alias”, for commands “Cmnd_Alias”, and so on. Then you have to give the alias a name, which may consist of capital letters, numbers and underscores, but must start with a capital letter. In the example below we define the WEBSERVERS, ADMINS and REBOOT aliases. Finally you must add a comma-separated list of items after the equal sign:
Host_Alias WEBSERVERS = www1, www2, www3
User_Alias ADMINS = smith, johnson, williams
Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
ADMINS WEBSERVERS = REBOOT
On the last line you can see how the aliases can be used: simply replace the fields which would otherwise contain a user, host or command name with an alias name. In the example above we only use each alias once, but they can be reused as many times as is necessary.
Still not convinced? Consider the following scenario. You have to remove admin privileges from a colleague who is rather short-tempered. His name is listed 15 times in the sudoers file. You delete 14 of these, but accidentally leave one in a rule which provides access to dd. Restoring a system after /dev/sda was rewritten from /dev/zero on a large production system can be quite tiresome. Using aliases, you only have to remove the user name from a single place, making the process quicker and much less prone to error.
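To make the two points above concrete (how alias names stand in for user, host and command lists, and why a user who is only ever named inside one User_Alias is easy to offboard), here is a small audit script. It is an added example written for this post, not part of sudo and not how sudo itself parses the file; it handles only the subset of sudoers syntax shown above (alias definitions and plain "users hosts = [(runas)] [TAG:] commands" rules), and the sudoers text it works on is a constructed sample that mirrors the post's example plus one extra user, jones, who is named directly in a rule.

```python
import re

# Constructed sample sudoers fragment for this example (not a real file).
# It mirrors the aliases from the post and adds one user, "jones", who is
# named directly in a rule instead of through an alias.
SAMPLE_SUDOERS = """\
# aliases
Host_Alias WEBSERVERS = www1, www2, www3
User_Alias ADMINS = smith, johnson, williams
Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
Cmnd_Alias DISK = /bin/dd

# rules
ADMINS WEBSERVERS = REBOOT
jones ALL = (root) NOPASSWD: DISK
"""

ALIAS_KEYWORDS = ("User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def _split_list(field):
    """Turn 'a, b, c' into ['a', 'b', 'c']."""
    return [item.strip() for item in field.split(",") if item.strip()]


def parse_sudoers(text):
    """Parse a sudoers fragment into (aliases, rules).

    Only a subset of the syntax is supported: alias definitions and
    "users hosts = [(runas)] [TAG:] commands" rules.  Defaults lines,
    backslash continuations and negation ("!") are not handled.
    """
    aliases = {kind: {} for kind in ALIAS_KEYWORDS}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        keyword = line.split(None, 1)[0]
        if keyword in ALIAS_KEYWORDS:
            # e.g. "User_Alias ADMINS = smith, johnson, williams"
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[keyword][name.strip()] = _split_list(members)
        else:
            lhs, cmds = line.split("=", 1)
            lhs = re.sub(r",\s+", ",", lhs)            # "a, b HOSTS" -> "a,b HOSTS"
            users, hosts = lhs.split(None, 1)
            cmds = re.sub(r"^\s*\([^)]*\)", "", cmds)  # optional (runas) part
            cmds = re.sub(r"\b[A-Z]+:\s*", "", cmds)   # tags such as NOPASSWD:
            rules.append((_split_list(users), _split_list(hosts), _split_list(cmds)))
    return aliases, rules


def expand(kind, item, aliases, seen=frozenset()):
    """Recursively replace an alias name of `kind` with its concrete members.

    `seen` holds the aliases on the current expansion path so that an alias
    that (directly or indirectly) refers to itself cannot recurse forever.
    """
    if item not in aliases[kind]:
        return [item]                 # a concrete user, host or command
    if item in seen:
        return []                     # cycle: this alias is already being expanded
    result = []
    for member in aliases[kind][item]:
        result.extend(expand(kind, member, aliases, seen | {item}))
    return result


def grants_for_user(text, user):
    """Every (host, command) pair `user` may run, whether the user is named
    directly in a rule or reached through a User_Alias."""
    aliases, rules = parse_sudoers(text)
    grants = []
    for users, hosts, cmds in rules:
        members = [m for u in users for m in expand("User_Alias", u, aliases)]
        if user not in members:
            continue
        for host in [h for hh in hosts for h in expand("Host_Alias", hh, aliases)]:
            for cmd in [c for cc in cmds for c in expand("Cmnd_Alias", cc, aliases)]:
                grants.append((host, cmd))
    return grants


def direct_mentions(text, user):
    """Line numbers where `user` is written out by name, either in a
    User_Alias definition or in the user field of a rule.  These are the
    places that must be edited when that user's access is removed."""
    hits = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword = line.split(None, 1)[0]
        if keyword == "User_Alias":
            field = line.split("=", 1)[1]
        elif keyword in ALIAS_KEYWORDS:
            continue
        else:
            # the user list is the first field of a rule's left-hand side
            field = re.sub(r",\s+", ",", line.split("=", 1)[0]).split(None, 1)[0]
        if user in _split_list(field):
            hits.append(number)
    return hits


if __name__ == "__main__":
    for who in ("smith", "jones"):
        print(who, "is named on lines", direct_mentions(SAMPLE_SUDOERS, who))
        for host, cmd in grants_for_user(SAMPLE_SUDOERS, who):
            print(f"  {host}: {cmd}")
```

Running it shows that smith reaches nine host/command pairs yet is named on exactly one line (the ADMINS definition), so deleting him from that alias removes every grant at once. A user named directly in rules, like jones, must instead be hunted down rule by rule, which is the mistake the scenario above describes. The cycle guard in expand is there because sudoers lets aliases refer to other aliases, and a broken edit can make such a reference circular.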