# [sudo] localhost not recognized?



## fonz (Jan 7, 2010)

Howdy,

I'm trying to allow certain users to shut down the local system. The users have been added to a group called _shutdown_ and the idea is to allow users who are members of that group to use /sbin/shutdown.

When I add the following line to /usr/local/etc/sudoers it doesn't work:

```
%shutdown localhost=/sbin/shutdown
```

But if instead I write

```
%shutdown ALL=/sbin/shutdown
```
it does work.

Am I doing something wrong or is there a reason why _localhost_ doesn't work?

Alphons


----------



## crsd (Jan 7, 2010)

http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-01/msg01081.html

HTH


----------



## phoenix (Jan 7, 2010)

Simpler method is to just add those users to the *operators* group, which gives them permission to run *shutdown* without needing sudo.


----------



## fonz (Jan 7, 2010)

phoenix said:

> Simpler method is to just add those users to the *operators* group, which gives them permission to run *shutdown* without needing sudo.



That is correct. However, I have more such constructions planned than just shutdown(8) alone, that's why I chose this particular method.

Anyway, if I do it the security/sudo way I guess I'll just have to use _ALL_ instead of _localhost_, which I can live with. I was just wondering why _localhost_ isn't working (@crsd: thanks for the link!).

Alphons


----------



## SirDice (Jan 7, 2010)

Localhost doesn't make much sense from a sudoers perspective. If anything that part will contain a hostname. This is mainly used if you distribute the same sudoers file to multiple hosts. Localhost would mean you're allowed to use that command on every machine since localhost always refers to the machine you're on. You might as well use ALL.

NB Be very, very careful with sudo! Allowing certain commands could really bite you. A simple example would be this:

```
dice ALL=/usr/bin/vi /usr/local/etc/some.conf
```
Looks pretty benign, doesn't it? But it does allow me access to a root shell. Just `$ sudo vi /usr/local/etc/some.conf` and once in vi, `ESC :!/bin/sh`.
Similarly, less can also be abused in this manner as it allows shell commands.


----------
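The two points raised in this thread, written out as a sudoers fragment. This is an added example, not part of any post: the host field is compared with the machine's own hostname, and an editor or pager run as root can start a shell. The host names, the `BUILDERS` alias and the log path are assumptions; `sudoedit` and `NOEXEC` are standard sudo features that the thread itself does not mention.

```sudoers
# Constructed example. "build01", "build02", BUILDERS and the log path
# are hypothetical. Edit with visudo and check with "visudo -c".

# --- Host field ---------------------------------------------------------
# sudo compares the host field with this machine's hostname (or with a
# Host_Alias, IP address or netgroup). "localhost" therefore matches only
# on a machine whose hostname really is "localhost".

# Does not match on a host named e.g. build01:
# %shutdown localhost = /sbin/shutdown

# One sudoers file shared by several machines: name the hosts.
Host_Alias BUILDERS = build01, build02
%shutdown  BUILDERS = /sbin/shutdown

# File used on a single machine only: ALL is the usual choice.
# %shutdown ALL = /sbin/shutdown

# --- Commands that can start a shell ------------------------------------
# Weak: vi runs as root, so ":!/bin/sh" inside it is a root shell.
# dice ALL = /usr/bin/vi /usr/local/etc/some.conf

# Tighter: sudoedit copies the file, runs the editor as the invoking
# user, and installs the result as root. Invoked as
# "sudoedit /usr/local/etc/some.conf" (same as "sudo -e ...").
dice ALL = sudoedit /usr/local/etc/some.conf

# For pagers such as less, NOEXEC stops a dynamically linked program
# from executing further commands. It has no effect on statically
# linked binaries, so treat it as a safety net, not a sandbox.
dice ALL = NOEXEC: /usr/bin/less /var/log/messages
```

`sudo -l -U dice`, run as root, lists what the rules actually grant to that user on the current host.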



## fonz (Jan 7, 2010)

SirDice said:

> NB Be very, very careful with sudo! Allowing certain commands could really bite you.
> [snip]
> Looks pretty benign doesn't it? But it does allow me access to a root shell.



Hehe, I was aware of that, but thanks anyway for the warning. It's a good point!

Alphons


----------

