SUDO

  Sudo is the standard way to give users some administrative rights without sharing the root
  password: each invocation is authenticated with the user's own password and logged. Sudo is
  very useful in a multi-user environment with a mix of servers and workstations. Simply
  prefix the command with sudo:
# sudo /etc/init.d/dhcpd restart            # Run the rc script as root
# sudo -u sysadmin whoami                   # Run the command as another user

Configuration

  Sudo is configured in /etc/sudoers and must only be edited with visudo, which locks the file
  and checks the syntax before installing it (a syntax error in a hand-edited sudoers can lock
  everybody out of sudo). The basic syntax is (the lists are comma separated):
user hosts = (runas) commands          # In /etc/sudoers
    * users: one or more users, or a %group (like %wheel), that receive the rights
    * hosts: list of hosts or networks (or ALL) on which the rule applies. sudo compares them
      with the local host's own name/address, which is what makes one sudoers file usable
      across many machines
    * runas: list of users (or ALL) the command may be run as (with sudo -u). It must be
      enclosed in ( ); when omitted the command runs as root
    * commands: list of commands (or ALL), given with their full path, that will be run as
      root or as (runas)

  Additionally, each of these lists can be collected into an alias: User_Alias, Host_Alias,
  Runas_Alias and Cmnd_Alias. This keeps larger setups readable. Here is a sudoers example:
# cat /etc/sudoers
# Host aliases are subnets or hostnames. sudo matches them against the local
# host's name/address, so a single sudoers file can be shared by many hosts.
Host_Alias   DMZ     = 212.118.81.40/28
Host_Alias   DESKTOP = work1, work2

# User aliases are a list of users which can have the same rights
User_Alias   ADMINS  = colin, luca, admin
User_Alias   DEVEL   = joe, jack, julia
# Runas aliases list the target users a rule may be run as (sudo -u)
Runas_Alias  DBA     = oracle,pgsql

# Command aliases define the full path of a list of commands.
# NOTE(review): an entry ending in "/" (here /etc/init.d/) permits every file
# directly inside that directory, and /usr/bin/kill as root can signal any
# process on the box -- confirm both are intended.
Cmnd_Alias   SYSTEM  = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
# Change any user's password except root's. Note "[A-z]" also spans the
# ASCII characters between "Z" and "a" ([ \ ] ^ _ `); the sudoers(5) manual
# writes this rule as "[A-Za-z]*". Wildcards match the whole argument string,
# including whitespace, so keep argument patterns as narrow as possible.
Cmnd_Alias   PW      = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root # Never root's password
# NOTE(review): these run as root, and capture/scan tools of this kind can
# write files or spawn helper programs; treat DEBUG as near-root access.
Cmnd_Alias   DEBUG   = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap

# The actual rules
# NOPASSWD: ALL means no re-authentication at all; any unattended, unlocked
# ADMINS session is effectively a root shell.
root,ADMINS  ALL     = (ALL) NOPASSWD: ALL    # ADMINS can do anything w/o a password.
DEVEL        DESKTOP = (ALL) NOPASSWD: ALL    # Developers have full rights on desktops
DEVEL        DMZ     = (ALL) NOPASSWD: DEBUG  # Developers can debug the DMZ servers.

# User sysadmin may run a restricted command set on the DMZ servers.
sysadmin     DMZ     = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin     ALL,!DMZ = (ALL) NOPASSWD: ALL   # Can do anything outside the DMZ.
# Any command (a shell included) as oracle or pgsql, never as root. No
# NOPASSWD here, so the user's password is still asked for (unless a
# Defaults line changes that).
%dba         ALL     = (DBA) ALL              # Group dba can run as database user.

# anyone can mount/unmount a cd-rom on the desktop machines
# (no (runas) given, so this runs as root; the argument is pinned to
# /cdrom, so no other mount point can be supplied)
ALL          DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom