Answer Posted / amsin21
The sudo command stands for "superuser do". If a server
needs to be administered by a number of people it is
normally not a good idea for them all to use the root
account. This is because it becomes difficult to determine
exactly who did what, when and where if everyone logs in
with the same credentials. The sudo utility was designed to
overcome this difficulty.
The sudo utility allows users defined in the /etc/sudoers
configuration file to have temporary access to run commands
they would not normally be able to due to file permission
restrictions. The commands can be run as user "root" or as
any other user defined in the /etc/sudoers configuration file.
The privileged command you want to run must first begin with
the word sudo followed by the command's regular syntax. When
running the command with the sudo prefix, you will be
prompted for your regular password before it is executed.
You may run other privileged commands using sudo within a
five-minute period without being re-prompted for a password.
All commands run as sudo are logged in the log file
/var/log/messages.
In order to use sudo we first need to configure the sudoers
file.
Do not edit directly the file:
To edit it, use the command
# visudo
******Output***************
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
**********************************************
You will see the line
root ALL=(ALL) ALL
This lines means that the user root can execute from ALL
terminals, acting as ALL (any) users, and run ALL (any) command.
The first part is the user, the second is the terminal from
where the user can use sudo, the third is as which user he
may act, and the last one, is which commands he may run.
Example:
Granting Access To Specific Users To Specific Files
---------------------------------------------------
amsin21, %operator ALL= /sbin/, /usr/sbin,
/usr/local/apps/check.pl
This entry allows user amsin21 and all the members of the
group operator to gain access to all the program files in
the /sbin and /usr/sbin directories, plus the privilege of
running the command /usr/local/apps/check.pl. Notice how the
trailing slash (/) is required to specify a directory location:
Granting Access to Specific Files as Another User
-------------------------------------------------
The sudo -u entry allows allows you to execute a command as
if you were another user, but first you have to be granted
this privilege in the sudoers file.
This feature can be convenient for programmers who sometimes
need to kill processes related to projects they are working
on. For example, programmer amsin21 is on the team
developing a financial package that runs a program called
monthend as user accounts. From time to time the application
fails, requiring "amsin21" to stop it with the /bin/kill,
/usr/bin/kill or /usr/bin/pkill commands but only as user
"accounts". The sudoers entry would look like this:
amsin21 ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
User amsin21 is allowed to stop the monthend process with
this command:
# sudo -u accounts pkill monthend
Granting Access Without Needing Passwords
-----------------------------------------
This example allows all users in the group operator to
execute all the commands in the /sbin directory without the
need for entering a password. This has the added advantage
of being more convenient to the user:
%operator ALL= NOPASSWD: /sbin/
Using Aliases in the sudoers File
---------------------------------
Sometimes you'll need to assign random groupings of users
from various departments very similar sets of privileges.
The sudoers file allows users to be grouped according to
function with the group and then being assigned a nickname
or alias which is used throughout the rest of the file.
Groupings of commands can also be assigned aliases too.
In the next example, users amsin21, amsin211 and amsin212
and all the users in the operator group are made part of the
user alias ADMINS. All the command shell programs are then
assigned to the command alias SHELLS. Users ADMINS are then
denied the option of running any SHELLS commands and su:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
/usr/bin/ksh, /usr/local/bin/tcsh, \
/usr/bin/rsh, /usr/local/bin/zsh
User_Alias ADMINS = amsin21, amsin211, amsin212, %operator
ADMINS ALL = !/usr/bin/su, !SHELLS
This attempts to ensure that users don't permanently su to
become root, or enter command shells that bypass sudo's
command logging. It doesn't prevent them from copying the
files to other locations to be run. The advantage of this is
that it helps to create an audit trail, but the restrictions
can be enforced only as part of the company's overall
security policy.
| Is This Answer Correct ? | 11 Yes | 1 No |
Post New Answer View All Answers
