
[sudo] localhost not recognized?

fonz

Son of Beastie

Thanks: 366
Messages: 2,562

#1
Howdy,

I'm trying to allow certain users to shut down the local system. The users have been added to a group called shutdown and the idea is to allow users who are members of that group to use /sbin/shutdown.

When I add the following line to /usr/local/etc/sudoers it doesn't work:
Code:
%shutdown localhost=/sbin/shutdown
But if instead I write
Code:
%shutdown ALL=/sbin/shutdown
it does work.

Am I doing something wrong or is there a reason why localhost doesn't work?

Alphons
 

fonz


#4
phoenix said:
Simpler method is to just add those users to the operators group, which gives them permission to run shutdown without needing sudo.
That is correct. However, I have more such constructions planned than just shutdown(8) alone, that's why I chose this particular method.

Anyway, if I do it the security/sudo way I guess I'll just have to use ALL instead of localhost, which I can live with. I was just wondering why localhost isn't working (@crsd: thanks for the link!).

Alphons
 

SirDice

Administrator
Staff member
Moderator

Thanks: 5,496
Messages: 25,662

#5
Localhost doesn't make much sense from a sudoers perspective. If anything that part will contain a hostname. This is mainly used if you distribute the same sudoers file to multiple hosts. Localhost would mean you're allowed to use that command on every machine since localhost always refers to the machine you're on. You might as well use ALL.

NB Be very, very careful with sudo! Allowing certain commands could really bite you. A simple example would be this:
Code:
dice ALL=/usr/bin/vi /usr/local/etc/some.conf
Looks pretty benign doesn't it? But it does allow me access to a root shell. Just $ sudo vi /usr/local/etc/some.conf and once in vi, ESC :!/bin/sh
Similarly less can also be abused in this manner as it allows shell commands.
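
A small audit for the two pitfalls in this thread, as an added example that is not part of the original posts: it flags a host field that does not match the machine's hostname (sudo compares that field with the hostname, so `localhost` only matches a machine actually named localhost) and rules that grant vi or less without `NOEXEC:`. The parser handles only simple one-line rules; `audit`, `SHELL_ESCAPE` and the sample hostname are assumptions for illustration.

```python
import re

# Assumption: programs with a built-in shell escape; the thread names vi and less.
SHELL_ESCAPE = {"vi", "less"}

# Constructed sample rules modelled on the ones quoted in this thread.
SAMPLE = """\
%shutdown localhost=/sbin/shutdown
%shutdown ALL=/sbin/shutdown
dice ALL=/usr/bin/vi /usr/local/etc/some.conf
dice ALL=NOEXEC: /usr/bin/less /var/log/messages
dice ALL=sudoedit /usr/local/etc/some.conf
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z]+):\s*")  # NOEXEC:, NOPASSWD:, ...

def audit(text, hostname):
    """Return (line_no, who, message) findings for simple one-line sudoers rules."""
    findings = []
    local_names = {"ALL", hostname, hostname.split(".")[0]}
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue  # comments, Defaults and alias definitions are out of scope
        m = RULE.match(line)
        if not m:
            continue
        if m["host"] not in local_names:
            findings.append((no, m["who"],
                f"host '{m['host']}' does not match '{hostname}'; rule never applies here"))
        noexec = False  # tags stay in effect for later commands in the same list
        for cmd in m["cmds"].split(","):
            cmd = re.sub(r"^\s*\([^)]*\)\s*", "", cmd.strip())  # drop a (runas) spec
            while (t := TAG.match(cmd)):
                noexec = {"NOEXEC": True, "EXEC": False}.get(t[1], noexec)
                cmd = cmd[t.end():]
            prog = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if prog in SHELL_ESCAPE and not noexec:
                findings.append((no, m["who"],
                    f"{prog} can start a root shell; use sudoedit or NOEXEC:"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "beastie.example.org"):  # constructed hostname
        print(*finding, sep=": ")
```

`sudoedit` edits a temporary copy as the invoking user, and `NOEXEC:` stops the permitted program from executing further commands on systems where sudo supports it.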
 

fonz


#6
SirDice said:
NB Be very, very careful with sudo! Allowing certain commands could really bite you.
[snip]
Looks pretty benign doesn't it? But it does allow me access to a root shell.
Hehe, I was aware of that, but thanks anyway for the warning. It's a good point!

Alphons