Recipe 5.6 Authorizing per Host in sudo

5.6.1 Problem

You want to allow a user authorization privileges only on certain machines.

5.6.2 Solution

First, define a list of machines:

Host_Alias  SAFE_HOSTS = avocado, banana, cherry

Let smith run a program as jones on these machines:

smith  SAFE_HOSTS = (jones) /usr/local/bin/mycommand

Let smith run all programs as jones on these machines:

smith  SAFE_HOSTS = (jones) ALL

As an alternative, you can define a netgroup, in the /etc/netgroup file:

safe-hosts (avocado,-,-) (banana,-,-) (cherry,-,-)

Then use the netgroup in the /etc/sudoers file, with the "+" prefix:

Host_Alias  SAFE_HOSTS = +safe-hosts

You can also use the netgroup in place of the host alias:

smith  +safe_hosts = (jones) ALL

5.6.3 Discussion

This recipe assumes you have centralized your sudo configuration: the same sudoers file on all your computers. If not, you could grant per-machine privileges by installing a different sudoers file on each machine.

Netgroups can be useful for centralization if they are implemented as a shared NIS database. In that case, you can update the machines in netgroups without changing your /etc/sudoers files.

The host alias is optional but helpful for organizing your sudoers file, so you needn't retype the set of hostnames repeatedly.

As another example, you could let users administer their own machines but not others:

bob bobs_machine = ALL
gert gerts_machine = ALL
ernie ernies_machine = ALL

(Though this is perhaps pointless infrastructure, since ALL would permit these people to modify their /etc/sudoers file and their root password.)

5.6.4 See Also

sudo(8), sudoers(5).

    Chapter 9. Testing and Monitoring