DEV Community

Cover image for 🫆SUDO AND ACL: Basics
SAHIL
SAHIL

Posted on

🫆SUDO AND ACL: Basics

👉The sudo (superuser do) command is a crucial tool in Unix-like operating systems that allows a permitted user to execute a command as another user, typically the superuser (root).
It's primarily used to perform administrative tasks without having to log in as root directly, which enhances security.

💡Why sudo is Used:

  • Using sudo is a security best practice. Instead of sharing the root password or having multiple users logged in as root, sudo grants specific users temporary, command-specific privileges. This reduces the risk of accidental system damage or malicious activity, as it limits the scope of a user's elevated permissions. Additionally, sudo logs all commands executed, providing an audit trail.

sudo Syntax and Basic Usage
The basic syntax for sudo is straightforward:

sudo [options] command
Enter fullscreen mode Exit fullscreen mode

For example, to update a package list on a Debian-based system, you would run:

sudo apt update

👉When you first use sudo in a session, you'll be prompted for your own password, not the root password. This confirms your identity.

🕯Important Files Associated with sudo:

The core of sudo's configuration lies in the /etc/sudoers file. This file determines who can run what commands, and as which user.

/etc/sudoers: This file contains the rules for sudo. It should never be edited with a standard text editor. Use the visudo command to edit it. This command locks the file, checks for syntax errors, and prevents you from breaking your system with a typo.

🛡The basic format of a line in /etc/sudoers is:

user host=(runas_user) command
Enter fullscreen mode Exit fullscreen mode
  • user: The username or group (prefixed with %) that is granted permission.
  • host: The hostname on which the rule applies. ALL is a common value.
  • runas_user: The user the command will be run as. ALL is often used.
  • command: The command(s) the user is allowed to run. ALL grants permission to run any command. /etc/sudoers.d/: This directory allows for the creation of separate files for specific users or groups, which makes managing permissions easier and more modular. It’s the preferred way to add new sudo rules.

Smart Concepts: Aliases
👉sudo aliases simplify the management of complex rules. They allow you to group users, commands, or hosts and reference them with a single name.

  • User Aliases (User_Alias): Group users together.
    User_Alias ADMINS = alice, bob

  • Command Aliases (Cmnd_Alias): Group commands together.
    Cmnd_Alias PKG_MGMT = /usr/bin/apt, /usr/bin/dpkg

  • Host Aliases (Host_Alias): Group hosts together.
    Host_Alias SERVERS = server1, server2

  • You can then use these aliases in your rules:
    ADMINS ALL=(ALL) PKG_MGMT

    This grants all users in the ADMINS alias permission to run any command in the PKG_MGMT alias on any host.

Access Control Lists (ACL):
Access Control Lists (ACLs) are a more granular method of managing file and directory permissions than the traditional Unix permissions (owner, group, other).

Why ACLs are Used:

  • Traditional Unix permissions are limited. For example, you can't grant read access to one specific user while denying it to others in the same group. ACLs solve this by allowing you to define permissions for multiple users and groups on a single file or directory, providing much finer control. How ACLs Work: ACLs extend the standard rwx permissions. They introduce additional entries for specific users and groups.

Core Commands:

  • getfacl [file/directory]: Displays the ACL entries for a file or directory.
  • setfacl [options] [file/directory]: Sets or modifies the ACL entries.

Key setfacl Options:

-m: Modify the ACL.

-x: Remove an entry.

-b: Remove all extended ACL entries.

-d: Set default permissions for a directory.

Example Usage:

To grant read and write permission to a user named jane on a file report.txt:

setfacl -m u:jane:rw report.txt

To set default read and write permissions for a group named marketing on a directory projects so that new files and subdirectories inherit these permissions:

setfacl -m d:g:marketing:rwX projects

👉The X permission is a special flag for directories; it grants execute permissions only if the file is a directory or if a user or group already has execute permissions. This is useful for preventing the execute bit from being set on new files, while ensuring it is set for new subdirectories.

Top comments (0)