Using sudo to Delegate Privileges
By default, Cumulus Linux has two user accounts: root and cumulus. The cumulus account is a normal user and is in the group sudo.
You can add more user accounts as needed. Like the cumulus account, these accounts must use sudo to execute privileged commands.
sudo Basics
sudo allows you to execute a command as the superuser or as another user, as specified by the security policy. See man sudo(8) for details.
The default security policy is sudoers, which is configured in /etc/sudoers. Use drop-in files in /etc/sudoers.d/ to add to the default sudoers policy. See man sudoers(5) for details.
Edit the sudoers file only with visudo; do not use another editor such as vi or emacs. visudo locks the file against concurrent edits and checks its syntax before saving. See man visudo(8) for details.
When creating a new file in /etc/sudoers.d, use visudo -f /etc/sudoers.d/filename. visudo checks the file for syntax errors before writing it, which avoids mistakes that prevent sudo from working. Note that sudoers ignores files in /etc/sudoers.d whose names contain a period or end with ~, and that drop-in files must be owned by root and not writable by group or others (the conventional mode is 0440).
Errors in the sudoers file can leave you unable to elevate privileges to root at all. The only recovery is to power cycle the switch and boot into single user mode. Before modifying sudoers, set a password for the root user so that you can still log in as root if sudo stops working, and run visudo -c after every change to check the complete policy, including the files in /etc/sudoers.d.
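As an added example (not code from the Cumulus Linux documentation), the following POSIX shell script stages a drop-in for the group noc, validates it with visudo -c -f without touching /etc/sudoers, and installs it with the ownership and mode sudo requires. The group name noc, the drop-in name noc-swp2, and the path /sbin/ip are assumptions; the sample sudoers line is constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the Cumulus Linux documentation.
# Stage a sudoers drop-in for the assumed group "noc", check it with
# visudo before it reaches /etc/sudoers.d, and install it with the
# ownership and mode sudo expects. The install step must run as root.

# sudoers(5) skips files in /etc/sudoers.d whose names contain a '.' or
# end in '~' (package-manager and editor leftovers), so a drop-in named
# "noc.conf" is silently ignored. Reject such names up front.
sudoers_dropin_name_ok() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *)             return 0 ;;
    esac
}

# Syntax-check one file without writing anything. visudo -c -f parses
# only the named file, so /etc/sudoers itself is never opened for edit.
sudoers_file_ok() {
    visudo -c -f "$1" >/dev/null
}

# Install a validated drop-in. sudo refuses policy files writable by
# anyone but root, so the mode is pinned to 0440 and the owner to root.
install_sudoers_dropin() {
    name=$1
    src=$2
    dst="/etc/sudoers.d/$name"
    if ! sudoers_dropin_name_ok "$name"; then
        echo "refusing drop-in name '$name': sudoers ignores names with '.' or a trailing '~'" >&2
        return 1
    fi
    if ! sudoers_file_ok "$src"; then
        echo "$src has syntax errors; not installing" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root to install into $dst" >&2
        return 1
    fi
    install -o root -g root -m 0440 "$src" "$dst"
}

# Constructed sample drop-in: members of noc may bring swp2 up or down
# and nothing else. /sbin/ip is assumed; confirm the path with "command -v ip".
SAMPLE='%noc ALL=(root) NOPASSWD: /sbin/ip link set dev swp2 up, /sbin/ip link set dev swp2 down'

demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if sudoers_file_ok "$tmp"; then
            echo "sample drop-in parsed OK (would install as /etc/sudoers.d/noc-swp2)"
        else
            echo "sample drop-in rejected by visudo"
        fi
    else
        echo "visudo not found on this host; skipping syntax check"
    fi
    rm -f "$tmp"
}

demo
```

After installing, confirm the effective policy for a member of noc with sudo -l -U username (as root), which lists exactly the commands sudoers grants that user; a drop-in with a bad name shows up there as simply absent.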
By default, users in the sudo group can use sudo to execute privileged commands. To add users to the sudo group, use useradd(8) or usermod(8). To see which users belong to the sudo group, check /etc/group (man group(5)).
Any command can be run with sudo, including su, which gives an unrestricted root shell. By default, sudo prompts for the invoking user's own password, not the root password.
The example below shows how the non-privileged user cumulus uses sudo to bring up an interface:
cumulus@switch:~$ ip link show dev swp1
3: swp1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master br0 state DOWN mode DEFAULT qlen 500
link/ether 44:38:39:00:27:9f brd ff:ff:ff:ff:ff:ff
cumulus@switch:~$ ip link set dev swp1 up
RTNETLINK answers: Operation not permitted
cumulus@switch:~$ sudo ip link set dev swp1 up
Password:
cumulus@switch:~$ ip link show dev swp1
3: swp1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT qlen 500
link/ether 44:38:39:00:27:9f brd ff:ff:ff:ff:ff:ff
sudoers Examples
The following examples show how to grant a user or group of users only the privileges needed to perform a required task. Each example uses the system group noc; in sudoers, group names are prefixed with %. When executed by an unprivileged user, the example commands must be prefixed with sudo.
Category | Privilege | Example Command | sudoers Entry |
---|---|---|---|
Monitoring | Switch port info | |
Monitoring | System diagnostics | |
Monitoring | Routing diagnostics | |
Image management | Install images | |
Package management | Any apt-get command | |
Package management | Just apt-get update | |
Package management | Install packages | |
Package management | Upgrading | |
Netfilter | Install ACL policies | |
Netfilter | List iptables rules | |
L1 + 2 features | Any LLDP command | |
L1 + 2 features | Just show neighbors | |
Interfaces | Modify any interface | |
Interfaces | Up any interface | |
Interfaces | Down any interface | |
Interfaces | Up/down only swp2 | |
Interfaces | Any IP address change | |
Interfaces | Only set IP address | |
Ethernet bridging | Any bridge command | |
Ethernet bridging | Add bridges and interfaces | |
Spanning tree | Set STP properties | |
Troubleshooting | Restart switchd | |
Troubleshooting | Restart any service | |
Troubleshooting | Packet capture | |
L3 | Add static routes | |
L3 | Delete static routes | |
L3 | Any static route change | |
L3 | Any iproute command | |
L3 | Non-modal OSPF | |
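As an added example rather than text from the documentation, the following shell script models the argument matching rule in sudoers(5) that makes the exact-argument entries above matter: sudo joins the user's arguments with single spaces and matches the entry's argument text against that whole string as a glob, so a * intended for a port name also matches any options that follow it. An entry with no arguments permits any arguments, and the entry "" permits only a bare command. The group noc, the path /sbin/ip, and the helper names are assumptions; the script does not call sudo itself, it only reproduces the matching rule so an entry can be inspected before it is installed.

```shell
#!/bin/sh
# Added example; not code from the Cumulus Linux documentation.
# Models how sudoers(5) matches the arguments of a Cmnd against what the
# user typed, to show why least-privilege entries pin exact arguments.
# Group name "noc" and the path /sbin/ip are assumptions.

# $1: argument text of the sudoers entry (everything after the command path)
# $2: the user's arguments, joined with single spaces
# Returns 0 when sudoers would permit the invocation.
sudoers_args_match() {
    pattern=$1
    args=$2
    # An entry that lists no arguments permits the command with any arguments.
    if [ -z "$pattern" ]; then
        return 0
    fi
    # The entry "" permits the command only when run with no arguments.
    if [ "$pattern" = '""' ]; then
        if [ -z "$args" ]; then return 0; else return 1; fi
    fi
    # Otherwise the entry is a glob matched against the whole joined string,
    # so '*' matches across word boundaries.
    case "$args" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# Safer shape: enumerate the exact argument vectors instead of globbing.
# $1: group, $2: command path, remaining arguments: ports to allow.
render_exact_entries() {
    group=$1
    cmd=$2
    shift 2
    for port in "$@"; do
        printf '%%%s ALL=(root) NOPASSWD: %s link set dev %s up, %s link set dev %s down\n' \
            "$group" "$cmd" "$port" "$cmd" "$port"
    done
}

# $1: label, $2: entry argument text, $3: user's arguments
show() {
    if sudoers_args_match "$2" "$3"; then
        printf '%-28s ALLOWED  ip %s\n' "$1" "$3"
    else
        printf '%-28s denied   ip %s\n' "$1" "$3"
    fi
}

# "Up any interface" written with a wildcard on the port name.
UP_ANY='link set dev swp* up'
show 'intended use'              "$UP_ANY" 'link set dev swp2 up'
show 'down is blocked'           "$UP_ANY" 'link set dev swp2 down'
show 'MAC rewrite slips through' "$UP_ANY" 'link set dev swp2 address 02:00:00:00:00:01 up'
show 'bridge attach slips through' "$UP_ANY" 'link set dev swp2 master br0 up'

echo
echo 'Exact-argument entries for the same intent:'
render_exact_entries noc /sbin/ip swp1 swp2
```

The two "slips through" lines are the point: the wildcard meant to cover swp1, swp2 and so on also covers "swp2 address ... " and "swp2 master br0", so a rule written to let operators bring ports up also lets them change a port's MAC address or attach it to a bridge. Enumerating ports, or delegating a small wrapper script that takes only a port name and validates it, keeps the grant to what the table describes. Once an entry is installed, a user can confirm how sudo will treat one specific command with sudo -l /sbin/ip link set dev swp2 down, which exits non-zero when the policy does not permit it.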