Sudo Package

The sudo package configures basic rules for allowing unprivileged users (i.e. anyone but root/admin) to run commands as root or another user/group in the shell.

Once the sudo package is installed, it is located at System > sudo in the GUI.

Sudo Settings

The package allows multiple entries for privileges. To add a new entry, click Add, and fill in the settings:

User/Group:

The user or group name to which this privilege is being granted.

The list includes users and groups defined in the GUI as well as those from the operating system (e.g. daemon users and groups added by packages).

Run As:

The user or group name under which the command will be run.

In most cases this is root, so that users may run commands as root without knowing the root/admin credentials.

No Password:

Controls whether the user is prompted for their own password when executing commands using sudo.

This is unset by default, so users are prompted for their password when running sudo. sudo caches credentials in a login session for at least five minutes after each execution of sudo so that the user is not prompted on each attempt. Users can execute sudo without reauthenticating inside that time frame, but if they stop for five minutes they will be prompted again on the next run.

When set, the user is not prompted for their password when running sudo. This is less secure, but more convenient. If sudo is invoked non-interactively, such as from a cron script, this is required as there is no way for a user to enter their credentials.

Command List:

A list of commands the User/Group can run.

See also

More information on the full command options may be found in the sudoers manual.

By default the command is ALL meaning the user can run any commands. Leaving the commands field blank assumes ALL.

A comma-separated list of one or more commands can be supplied to limit the user to individual binaries. Full paths to commands are required by sudo to ensure the user is properly restricted to specific binaries or scripts.

If parameters are specified after a command, the user may only run that command with exactly those parameters. To disallow running a command with any parameters at all, add "" after the command.

Custom Configuration:

This option controls whether or not sudo will read additional configuration files from /usr/local/etc/sudoers.d.

Warning

Including custom configuration files allows options to be set which are not supported by the GUI, but these files can be a potential security risk and they are not included in backups.

The setting can be one of:

Do Not Include:

sudo will not include additional configuration files.

Include at Start:

sudo will include additional configuration files before the GUI settings.

Include at End:

sudo will include additional configuration files after the GUI settings.

Sudo Examples

Example 1

Allow bob to run ping commands only as root without a password:

User/Group:

User: bob

Run As:

User: root

No Password:

checked

Commands:

/sbin/ping

Example 2

Allow anyone in the admins group to run all commands as any user, but prompted for a password:

User/Group:

Group: admins

Run As:

User: ALL Users

No Password:

Unchecked

Commands:

ALL

Command Examples

These examples demonstrate how to specify commands in various ways.

  • Run ping with any parameters:

    /sbin/ping

  • Run ping only to 192.168.1.2:

    /sbin/ping 192.168.1.2

  • Run command blah without any parameters:

    /usr/local/bin/blah ""

  • Run ping and traceroute and their IPv6 variants with any parameters:

    /sbin/ping, /sbin/ping6, /usr/sbin/traceroute, /usr/sbin/traceroute6
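
The following is an added, constructed example (not code from the pfSense sudo package) that renders the GUI fields from the Sudo Examples above as sudoers lines and checks command specifications the way the Command List section describes. The names SudoRule, to_sudoers, check_commands, permits and rule_permits are assumptions made for illustration. Argument matching implements only the three rules stated in the text (no parameters listed means any parameters, parameters listed must match exactly, "" means no parameters); real sudo also supports wildcards and other matching that is deliberately not modelled here. The sudoers host field is fixed to ALL.

```python
"""Translate the GUI fields into sudoers lines and sanity-check command specs.

Constructed example: SudoRule, to_sudoers, check_commands, permits and
rule_permits are hypothetical names, not the pfSense package's own code.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SudoRule:
    principal: str                       # "User/Group": user or group name
    principal_is_group: bool = False     # True when the entry names a group
    runas_user: Optional[str] = "root"   # "Run As" user (ALL for any user)
    runas_group: Optional[str] = None    # "Run As" group, if any
    nopasswd: bool = False               # "No Password" checkbox
    commands: List[str] = field(default_factory=list)  # "Command List"


def check_commands(commands: List[str]) -> None:
    """Refuse command specs that would not pin the user to one binary.

    The text requires full paths; a bare name such as `ping` would match
    whatever the invoking user's PATH resolves, so reject it before it
    reaches sudo. ALL is the only keyword accepted in place of a path.
    """
    for spec in commands:
        parts = spec.split()
        if not parts:
            raise ValueError("empty command specification")
        binary = parts[0]
        if binary != "ALL" and not binary.startswith("/"):
            raise ValueError(f"command must be given with its full path: {spec!r}")


def to_sudoers(rule: SudoRule) -> str:
    """Render one GUI entry as a sudoers line (host field fixed to ALL)."""
    # A blank command list is treated as ALL, as the text states
    commands = [c.strip() for c in rule.commands if c.strip()] or ["ALL"]
    check_commands(commands)
    who = ("%" if rule.principal_is_group else "") + rule.principal
    runas = rule.runas_user or ""
    if rule.runas_group:
        runas += ":" + rule.runas_group      # (user:group) run-as form
    tag = "NOPASSWD: " if rule.nopasswd else ""
    return f"{who} ALL=({runas}) {tag}{', '.join(commands)}"


def permits(spec: str, argv: List[str]) -> bool:
    """Would a single command spec allow running argv (argv[0] = full path)?

    Only the three rules from the text are modelled: no parameters listed
    means any parameters, parameters listed must match exactly, and ""
    means the command may only be run without parameters.
    """
    spec = spec.strip()
    if spec == "ALL":
        return True
    parts = spec.split(None, 1)
    if not parts or argv[0] != parts[0]:
        return False
    if len(parts) == 1:
        return True                          # no parameters listed: any allowed
    wanted = parts[1].strip()
    if wanted == '""':
        return len(argv) == 1                # "" listed: no parameters allowed
    return argv[1:] == wanted.split()        # parameters listed: exactly those


def rule_permits(rule: SudoRule, argv: List[str]) -> bool:
    """Does any entry in the rule's Command List allow argv?"""
    commands = [c for c in rule.commands if c.strip()] or ["ALL"]
    return any(permits(c, argv) for c in commands)


if __name__ == "__main__":
    # Example 1 and Example 2 from the text, rendered as sudoers lines
    bob = SudoRule("bob", runas_user="root", nopasswd=True, commands=["/sbin/ping"])
    admins = SudoRule("admins", principal_is_group=True, runas_user="ALL")
    print(to_sudoers(bob))      # bob ALL=(root) NOPASSWD: /sbin/ping
    print(to_sudoers(admins))   # %admins ALL=(ALL) ALL
    # Command Examples: which invocations each specification allows
    print(permits("/sbin/ping 192.168.1.2", ["/sbin/ping", "192.168.1.2"]))  # True
    print(permits('/usr/local/bin/blah ""', ["/usr/local/bin/blah", "-v"]))  # False
```

Before placing any generated line in a file under /usr/local/etc/sudoers.d, check it with `visudo -c -f <file>` so that a syntax error cannot lock sudo access.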
    

Package Support

This package is currently supported by Netgate TAC to those with an active support subscription.