By default, Unix operating systems define two types of user roles: base-users and admins. Sudo entitlements allow admins to take advantage of the much more granular permissions levels available from Linux systems, which enable base-users to use certain sudo commands without granting them the level of control that admins hold. Sudo entitlements offer Advanced Server Access admins a system of layered permissions, which allow admins to specify the exact commands that their users can run.
Types of sudo entitlements
There are three types of sudo entitlements:
- raw - This type of sudo entitlement allows users to execute only the exact command as defined by the admin when creating the sudo entitlement. The admin can provide any input as the command to be used. Users can't modify the command in any way.
- directory - This type of sudo entitlement allows users to execute any command within the directory defined by the admin when creating the sudo entitlement. This may be any legal UNIX directory that's defined by a string that begins and ends with a / character, including the root directory defined by /.
- executable - This type of sudo entitlement allows users to run the executable defined by the admin when creating the sudo entitlement. The admin can choose whether this command will accept any arguments, no arguments, or specific arguments. This command must be a legal UNIX path defined by a string that begins with a / character.
Sudo entitlement rules
Sudo entitlements follow these rules:
- Only Advanced Server Access administrators can create sudo entitlements.
- Each entitlement consists of at least one command.
- Raw and directory sudo entitlements don't allow additional arguments to be specified.
- Sudo entitlement commands must specify the full directory path of the binary to be executed.
- Sudo entitlement names can contain any alphanumeric character except spaces.
- Sudo entitlement descriptions may contain any combination of alphanumeric characters.