Monday, 13 June 2005

SUDO - Give selective super user powers to users or a group of users

Sudo is a program that lets normal users execute programs as the super user, or as any other user, provided they have been granted the right to do so. Sudo access is controlled by /etc/sudoers. Users listed in /etc/sudoers can execute commands with an effective user id of 0 and root's group id. The file should only be edited with visudo, which locks the file while it is being edited and checks its syntax before saving. /etc/sudoers contains aliases, i.e. variables that stand for groups of users, hosts, or commands. To give a specific group of users limited root privileges, edit the file with visudo as follows:
# visudo
In the user alias specification section, list users and groups allowed to use the sudo command:
#FILE: /etc/sudoers
User_Alias LIMITEDTRUST=user1,user2,%group1
In the command alias specification section, list the commands specifically allowed or denied execution as root:
Cmnd_Alias PROGRAMS=/etc/rc.d/init.d/httpd,/sbin/shutdown -h now
Cmnd_Alias SHELLS=/bin/sh,/bin/bash
In the user privilege specification section, list the users and groups allowed to use sudo and the commands that they may use:
LIMITEDTRUST ALL=PROGRAMS
This means that user1, user2 and the members of group1 may use sudo only with the commands listed in PROGRAMS.
user3 ALL=ALL,!SHELLS
user3 may run every program except those listed under SHELLS.
%group2 station1=ALL,!SHELLS
This declaration means that every member of group2 can use sudo with every command when logged in to station1; the only commands they may not run are /bin/sh and /bin/bash.
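The three rules above, resolved by a small policy evaluator. This is an added example, not code from the post or from sudo itself; it implements only the subset of sudoers syntax used here (User_Alias, Cmnd_Alias, %group, ALL and '!' negation), and the host name and command strings used to query it are assumptions.

```python
# Added example, not code from the post or from sudo: evaluator for the sudoers
# subset used above. Real sudo handles far more (Host_Alias, Runas, wildcards,
# Defaults); on a real system the authoritative check is `visudo -c`.
# Constructed policy: the post's three rules written in valid sudoers syntax.
SUDOERS = """
User_Alias LIMITEDTRUST = user1, user2, %group1
Cmnd_Alias PROGRAMS = /etc/rc.d/init.d/httpd, /sbin/shutdown -h now
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
LIMITEDTRUST ALL = PROGRAMS
user3 ALL = ALL, !SHELLS
%group2 station1 = ALL, !SHELLS
"""

def parse(text):
    """Return (user_aliases, cmnd_aliases, specs); a spec is (who, host, cmds)."""
    ualias, calias, specs = {}, {}, []
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        lhs, rhs = line.split("=", 1)
        kind, name = lhs.split()
        items = [s.strip() for s in rhs.split(",")]
        if kind == "User_Alias":
            ualias[name] = items
        elif kind == "Cmnd_Alias":
            calias[name] = items
        else:
            specs.append((kind, name, items))  # kind = user or %group, name = host
    return ualias, calias, specs

def flatten(items, aliases, neg=False):
    out = []  # (negated, value) pairs, alias names expanded in order
    for item in items:
        n, name = neg ^ item.startswith("!"), item.lstrip("!")
        out += flatten(aliases[name], aliases, n) if name in aliases else [(n, name)]
    return out

def cmnd_matches(entry, command):
    """ALL matches anything; listed arguments must match exactly; a bare path allows any."""
    return entry == "ALL" or (entry == command if " " in entry else command.split()[0] == entry)

def may_run(text, user, groups, host, command):
    """Last matching entry wins, as in sudo, so 'ALL, !SHELLS' denies /bin/sh.
    sudoers(5) warns that subtracting from ALL is weak (a renamed copy of the
    shell is not in SHELLS); only allow-lists such as PROGRAMS truly restrict."""
    ualias, calias, specs = parse(text)
    me = {"ALL", user} | {"%" + g for g in groups}
    decision = False
    for who, h, items in specs:
        if h in ("ALL", host) and me & {e for _, e in flatten([who], ualias)}:
            for negated, entry in flatten(items, calias):
                if cmnd_matches(entry, command):
                    decision = not negated
    return decision
```

Querying it with the post's users shows, for instance, that user1 may run /sbin/shutdown -h now but not /sbin/shutdown -r now, and that group2 members are refused everything from another host.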

Note: if a user who is not listed in /etc/sudoers attempts to use sudo, the attempt is logged and, by default, reported to the administrator by mail.

Update (18th Dec 2005): Also visit the SUDO home page.
