[sudo] localhost not recognized?

Howdy,

I'm trying to allow certain users to shut down the local system. The users have been added to a group called shutdown and the idea is to allow users who are members of that group to use /sbin/shutdown.

When I add the following line to /usr/local/etc/sudoers it doesn't work:
Code:
%shutdown localhost=/sbin/shutdown

But if instead I write
Code:
%shutdown ALL=/sbin/shutdown
it does work.

Am I doing something wrong or is there a reason why localhost doesn't work?

Alphons
 
Simpler method is to just add those users to the operators group, which gives them permission to run shutdown without needing sudo.
 
phoenix said:
Simpler method is to just add those users to the operators group, which gives them permission to run shutdown without needing sudo.

That is correct. However, I have more such constructions planned than just shutdown(8) alone, that's why I chose this particular method.

Anyway, if I do it the security/sudo way I guess I'll just have to use ALL instead of localhost, which I can live with. I was just wondering why localhost isn't working (@crsd: thanks for the link!).

Alphons
 
Localhost doesn't make much sense from a sudoers perspective. If anything that part will contain a hostname. This is mainly used if you distribute the same sudoers file to multiple hosts. Localhost would mean you're allowed to use that command on every machine since localhost always refers to the machine you're on. You might as well use ALL.

NB Be very, very careful with sudo! Allowing certain commands could really bite you. A simple example would be this:
Code:
dice ALL=/usr/bin/vi /usr/local/etc/some.conf
Looks pretty benign, doesn't it? But it does allow me access to a root shell. Just $ sudo vi /usr/local/etc/some.conf and once in vi, ESC :!/bin/sh
Similarly, less can also be abused in this manner as it allows shell commands.
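
A small linter for the two pitfalls raised in this thread (a localhost host field, and editors or pagers granted without protection), given here as an added example that is not part of the original posts. The sample rules, the hostname web1.example.org and the name lint_sudoers are constructed for illustration; it handles only simple one-line user specifications and assumes the host field is compared with the machine's own hostname.

```python
import os
import re

# Programs the thread names as able to spawn a shell from inside; extend per site.
SHELL_ESCAPE = {"vi", "less"}
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(.+)$")   # who host = commands
PREFIX = re.compile(r"^\s*(\([^)]*\)|[A-Z_]+:)\s*")    # (runas) spec or TAG:

# Constructed sample modelled on the rules quoted in the thread.
SAMPLE = """\
# constructed sample
%shutdown localhost=/sbin/shutdown
%shutdown ALL=/sbin/shutdown
dice ALL=/usr/bin/vi /usr/local/etc/some.conf
dice ALL=NOEXEC: /usr/bin/less /var/log/messages
dice ALL=sudoedit /usr/local/etc/some.conf
"""

def lint_sudoers(text, hostname):
    """Return (line number, message) pairs for simple one-line user specs."""
    findings = []
    short = hostname.split(".")[0]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        who, host, cmds = m.groups()
        # Assumption: the host field is compared with this machine's own name.
        if host == "localhost" and short != "localhost":
            findings.append((lineno, f"{who}: host 'localhost' does not match {hostname!r}"))
        noexec = False  # a tag carries over to the following commands in the list
        for cmd in cmds.split(","):
            while (p := PREFIX.match(cmd)):
                if p.group(1) == "NOEXEC:":
                    noexec = True
                elif p.group(1) == "EXEC:":
                    noexec = False
                cmd = cmd[p.end():]
            argv = cmd.split()
            if argv and os.path.basename(argv[0]) in SHELL_ESCAPE and not noexec:
                findings.append((lineno, f"{who}: {argv[0]} can start a root shell; "
                                         "use sudoedit or the NOEXEC: tag"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_sudoers(SAMPLE, "web1.example.org"):
        print(f"line {lineno}: {msg}")
```

NOEXEC relies on the dynamic linker, so it does not protect statically linked programs; sudoedit is the safer choice for file editing.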
 
SirDice said:
NB Be very, very careful with sudo! Allowing certain commands could really bite you.
[snip]
Looks pretty benign, doesn't it? But it does allow me access to a root shell.

Hehe, I was aware of that, but thanks anyway for the warning. It's a good point!

Alphons
 