[Media] 8.04 Servers - Wikipedia & Sudoers, oh my!

Steve Lamb grey at dmiyu.org
Sun Oct 19 13:26:58 UTC 2008


Knapp wrote:
> Is sudoer a language? From its own help file.

    Nope.

> EBNF is a concise and exact way of describing the grammar of a
> language. Each EBNF definition is made up of production rules. E.g.,

    That it is.  But all that it describes is not a language.  EBNF is used to
describe headers in email, but I hardly think one would call email headers a
programming language.

> What is an, "m"?

    Minutes.

>  Host ::= '!'* hostname |
>           '!'* ip_addr |
>           '!'* network(/netmask)? |
>           '!'* '+'netgroup |
>           '!'* Host_Alias
> 
> You can filter on host, does SSH not show up as a different host? 

    Host is the machine sudo is running on.  It is not meant to be where the
user is coming from.  The reason you can have different hosts defined in a
single file is so you can create a single configuration file which applies to
all machines within a logical group.  For example, if your office has 3
administrators that have full sudo access and a dozen accountants with limited
sudo access, while in another office they would have normal rights, a single
file can address that by defining on which machines those people have access.


> Also you can filter based on terminal. Also this:
> "requiretty
> 
>     If set, sudo will only run when the user is logged in to a real
> tty. This will disallow things like "rsh somehost sudo ls" since
> rsh(1) does not allocate a tty. Because it is not possible to turn off
> echo when there is no tty present, some sites may wish to set this
> flag to prevent a user from entering a visible password. This flag is
> off by default."

    Yes, those are methods of access but are confined to the context of the
local machine.

> All this might do it, but I am not sure how.

    Actually, you're right.  requiretty would require the user to be at the
console (tty1-7) as opposed to remote ttys.  Actually that would be defined
in, uhm... /etc/securetty?  Well, maybe.  Depends on how sudo defines "real
tty".  To me that traditionally means listed in /etc/securetty.




More information about the ubuntu-users mailing list