Unix Toolbox → 8. SUDO
Gentoo-doc HOME | Prev: 7. RSYNC | Top | Up: Unix Toolbox | Next: 9. ENCRYPT FILES

8. SUDO

Sudo is a standard way to give users some administrative rights without giving out the root password. It is very useful in a multi-user environment with a mix of servers and workstations. Simply prefix the command with sudo:

# sudo /etc/init.d/dhcpd restart # Run the rc script as root

# sudo -u sysadmin whoami # Run the command as another user

8.1. Configuration

Sudo is configured in /etc/sudoers and must only be edited with visudo, which locks the file and checks its syntax before saving (a syntax error in /etc/sudoers otherwise disables sudo for everyone). The basic syntax is (the lists are comma separated):

users hosts = (runas) commands # In /etc/sudoers

users     one or more users or %group (like %wheel) to gain the rights
hosts     list of hosts (or ALL) on which the rule applies
runas     list of users (or ALL) that the commands may be run as; it is enclosed in ( ) and defaults to root when omitted
commands  list of commands (or ALL) that may be run as root or as (runas)

Each of those fields can also be defined as an alias, called User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias. This is useful for larger setups. A NOPASSWD: tag in front of the command list lets the rule run without asking for the user's password, and an entry prefixed with ! is excluded from the list it appears in. Here is a sudoers example:

# cat /etc/sudoers
# Host aliases are subnets or hostnames.
Host_Alias DMZ = 212.118.81.40/28
# The DESKTOP host alias used below must also be defined here (not shown).
User_Alias ADMINS = colin, luca, admin
User_Alias DEVEL = joe, jack, julia
Runas_Alias DBA = oracle,pgsql
# Command aliases define the full path of a list of commands.
# A trailing / matches every file directly inside that directory.
Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root # Not root pwd!
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
# The actual rules
root,ADMINS ALL = (ALL) NOPASSWD: ALL # ADMINS can do anything w/o a password.
DEVEL DESKTOP = (ALL) NOPASSWD: ALL # Developers have full rights on desktops.
DEVEL DMZ = (ALL) NOPASSWD: DEBUG # Developers can debug the DMZ servers.
# User sysadmin can mess around in the DMZ servers with some commands.
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL # Can do anything outside the DMZ.
%dba ALL = (DBA) ALL # Group dba can run commands as the database users.
# Anyone can mount/unmount a cd-rom on the desktop machines (runas defaults to root).
ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
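How the rules above resolve, written out as an added, simplified Python model of sudoers matching. This is example code, not sudo's own implementation and not part of the Unix Toolbox page: it parses the aliases and rules, expands aliases (including nested ! negations), applies sudo's last-match-wins semantics, and answers whether a user on a host may run a command as a given target user, and whether a password is required. The sudoers text is constructed from the page's example; the Host_Alias DESKTOP = work1, work2 line, all host names and IP addresses, the user alice and her dba group membership are assumptions made for the demo. Defaults lines, user-specified netgroups and quoted or escaped arguments are not modelled.

```python
"""Simplified model of sudoers matching (added example; not sudo's code)."""
import fnmatch
import ipaddress
import os
import re

# Constructed sample: the page's sudoers example. The DESKTOP host alias, host
# names and addresses are ASSUMED for the demo; the page does not define them.
SUDOERS = """
Host_Alias DMZ = 212.118.81.40/28
Host_Alias DESKTOP = work1, work2            # assumed for the demo
User_Alias ADMINS = colin, luca, admin
User_Alias DEVEL = joe, jack, julia
Runas_Alias DBA = oracle,pgsql
Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
root,ADMINS ALL = (ALL) NOPASSWD: ALL
DEVEL DESKTOP = (ALL) NOPASSWD: ALL
DEVEL DMZ = (ALL) NOPASSWD: DEBUG
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL
%dba ALL = (DBA) ALL
ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
"""

ALIAS_RE = re.compile(r"^(User_Alias|Host_Alias|Runas_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
# users hosts = (runas) [NOPASSWD:|PASSWD:] commands   (lists must not contain spaces after commas
# except in aliases, which is all this toy grammar needs for the sample above)
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$")


def _split(lst):
    return [x.strip() for x in lst.split(",") if x.strip()]


class Sudoers:
    def __init__(self, text):
        self.aliases = {k: {} for k in ("User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")}
        self.rules = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
            if not line:
                continue
            m = ALIAS_RE.match(line)
            if m:
                self.aliases[m.group(1)][m.group(2)] = _split(m.group(3))
                continue
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unparsed sudoers line: " + line)
            users, hosts, runas, tag, cmds = m.groups()
            # runas defaults to root, and a rule without a tag asks for a password
            self.rules.append((_split(users), _split(hosts), _split(runas or "root"),
                               tag or "PASSWD", _split(cmds)))

    def _expand(self, kind, items):
        """Resolve aliases recursively into (negated, leaf) pairs; nested ! toggles."""
        out = []
        for item in items:
            neg = False
            while item.startswith("!"):
                neg, item = not neg, item[1:]
            if item in self.aliases[kind]:
                out += [(neg ^ n, leaf) for n, leaf in self._expand(kind, self.aliases[kind][item])]
            else:
                out.append((neg, item))
        return out

    def _list_match(self, kind, items, pred):
        # sudo semantics: the last matching entry in the list decides, ! flips it
        result = False
        for neg, leaf in self._expand(kind, items):
            if leaf == "ALL" or pred(leaf):
                result = not neg
        return result

    @staticmethod
    def _host_match(leaf, host, ip):
        try:                                             # CIDR entry: match by address
            return ipaddress.ip_address(ip) in ipaddress.ip_network(leaf, strict=False)
        except ValueError:                               # otherwise: match by host name
            return leaf == host

    @staticmethod
    def _cmd_match(leaf, path, args):
        if leaf.endswith("/"):                           # directory: any file directly inside it
            return os.path.dirname(path) + "/" == leaf
        parts = leaf.split(None, 1)
        if not fnmatch.fnmatchcase(path, parts[0]):
            return False
        if len(parts) == 1:                              # no arguments listed: any arguments allowed
            return True
        return fnmatch.fnmatchcase(" ".join(args), parts[1])   # whole argument string is matched

    def check(self, user, groups, host, ip, runas, path, args=()):
        """Return 'NOPASSWD', 'PASSWD' or None (denied); the last matching rule wins."""
        verdict = None
        for users, hosts, runas_l, tag, cmds in self.rules:
            if not self._list_match("User_Alias", users,
                                    lambda l: l == user or (l.startswith("%") and l[1:] in groups)):
                continue
            if not self._list_match("Host_Alias", hosts, lambda l: self._host_match(l, host, ip)):
                continue
            if not self._list_match("Runas_Alias", runas_l, lambda l: l == runas):
                continue
            for neg, leaf in self._expand("Cmnd_Alias", cmds):
                if leaf == "ALL" or self._cmd_match(leaf, path, args):
                    verdict = None if neg else tag
        return verdict


if __name__ == "__main__":
    s = Sudoers(SUDOERS)
    print(s.check("sysadmin", (), "dmz1", "212.118.81.45", "root", "/usr/bin/passwd", ("root",)))
    print(s.check("sysadmin", (), "dmz1", "212.118.81.45", "root", "/usr/bin/passwd", ("luca",)))
```

The two calls at the bottom show the PW alias doing its job: passwd root on a DMZ host is denied because the negated entry is the last match, while passwd luca is allowed without a password. On a real system, sudo -l lists the rules that apply to the calling user and visudo -c checks the file's syntax without editing it. Keep in mind the caveat from the sudoers manual that ! entries subtract reliably only from an explicit command list, as in PW here, and not from ALL, since a user who may run ALL can simply run a copy of the excluded program.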
