Sudo Rights

Use this group policy to centrally control which users can run commands as another user and the specific commands that can be run as that user. This policy configures the sudoers file with the appropriate lines when a user who has this policy applied logs on. When the user logs off, the lines applied for the user are removed and the sudoers file is restored to its previous state.

Note:   In order to work properly, the Sudo Rights group policy requires that the sudo package, including visudo and the sudoers file, is installed on the Centrify-managed computer.

When you select Enabled or Disabled for the Sudo Rights group policy, you can then add or remove user names and commands.

You add items to the text box just as you would to the sudoers file; that is, you type entries as you want them to appear in the sudoers file.

Note:   It is important to use the proper syntax for entries in the sudoers file. If the syntax isn’t valid, the sudo command interprets the sudoers file as corrupt and no users are allowed to run commands using sudo rights. Therefore, in addition to the Explain tab, which describes the sudoers grammar in Extended Backus-Nauer Format (EBNF), this policy provides several other ways to help you enter and verify the correct syntax for your entries:

  • The Sample tab shows sample sudoers file entries.
  • A right click menu provides templates for inserting alias entries, as well as the ability to browse for users.
  • Validation code verifies that there are no syntax errors in your entries before writing the entries to the sudoers file.

For example, the following procedure shows you how to create a command alias (for the rm command) and how to permit a user to simulate running as root to run the /usr/sbin/backup command:

  1. In the Group Policy Editor, open the Sudo Rights policy properties and select Enabled or Disabled. Right-click and select Insert Alias > Cmnd. The following text is inserted in the box:
    Cmnd_Alias <alias>=<command>
  2. Replace <alias> with DEL and <command> with the full path to the rm command:

    Cmnd_Alias DEL=/bin/rm
  3. Click Apply to enter the command alias and verify that the syntax is correct.

  4. On the next line, enter the following:

    jsmith ALL = /usr/bin/backup 

    This entry gives jsmith all privilege on the Linux, UNIX, or Mac OS X computer to run the backup command. The user, jsmith, still needs to enter a password to run this command. You can use the context menu to change the entry and remove the password requirement.

  5. After the ‘=’ sign, insert a space, then right-click and select Insert Value > Cmnd > NOPASSWD: and NOPASSWD: is added to the entry.

    The entry now should now look like this:

    jsmith ALL = NOPASSWD /usr/bin/backup 
  6. Click Apply or OK to save the entry.

When a user to whom this policy applies logs in, the appropriate lines are added to the sudoers file. For example, when the user jsmith logs on to the computer machine1, the following is added to the sudoers file:

jsmith ALL = NOPASSWD /usr/bin/backup
Cmnd_Alias DEL=/bin/rm

If any of your entries have improper syntax, you will see an error message. Click Details to get information about the syntax error, then click Cancel and make corrections.

Note:   The right-click context menu also allows you to browse for user names. Right-click and select Insert Value > Browse, then enter search criteria. Select a name and click OK, and that name is added to the entry. In addition, as you add aliases, they are added to the context menu. For example, if you right-click and select Insert Value > Cmnd, you should see the DEL alias that you created in the previous procedure.

For more information about using sudo and the syntax to use in the sudoers file, see the man pages for sudo and sudoers appropriate to your operating environment.