
Friday, October 28, 2005

Using sudo - for the layman

Are you tired of becoming the root user just to perform updates? Well, you don't have to. Using sudo, you can perform all those restricted tasks without having to be the super user.

To do this, one has to edit the sudoers file.

The configuration of sudo lives in /etc/sudoers. sudo itself is a setuid binary owned by root, so while it runs your effective user id is root.

To edit the sudoers file, log on as root and change to /etc and:


[root@localhost etc]# visudo


visudo locks the file so that two users cannot edit it at the same time, because that would make things rather messy, don't you think?

Anyway, if you want to give yourself full permission to perform root tasks, edit the file as follows:


...
# User privilege specification
root ALL=(ALL) ALL
zubin ALL=(ALL) ALL
...


Note that doing this does not give "zubin" root's PATH. If I want to run lpc, I'd have to do:


[zubin@localhost ~]$ sudo /usr/sbin/lpc


In this case, I'd have to provide my own login password to get sudo to work. sudo remembers the password for 5 minutes by default.

Now, if we modify the file like this:


...
# Defaults specification
Defaults:zubin timestamp_timeout=0, runaspw, passwd_tries=1
...


This means that the password will not be remembered at all (timestamp_timeout=0); setting it to -1 means that it will never be forgotten. "runaspw" means that the user needs root's password to run sudo. "passwd_tries=1" means that zubin only gets one shot at getting the password correct. In general, many users can be added, each with a different set of defaults. If there is no ":" after Defaults, the line is assumed to be global.

If we simply don't want to enter any password, then we'd have to do this:


# User privilege specification
root ALL=(ALL) ALL
zubin ALL=(ALL) NOPASSWD: ALL


sudo logs authentication failures to syslog by default. But if we add the following to the file, we can track every command run:


...
# Defaults specification
Defaults logfile=/var/log/sudolog
...


A user can also be restricted to specific commands:


...
zubin ALL= /bin/kill,/sbin/linuxconf, /usr/sbin/zubin/
...


The "ALL" before the "=" is the host list: the rule applies on every host, which is what you want when one sudoers file is shared across a network. A particular machine name can be given there instead.

To let zubin kill processes belonging to "user1" and "user2", we could do:


...
zubin localhost=(user1,user2) /bin/kill, /usr/sbin/zubin/
...
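As an added illustration (my own code, not from the post), here is a small Python parser for the user-specification lines used above, with a matcher that answers whether a given user may run a command as a given target user on a given host, and whether a password is needed. The sample sudoers text is constructed from the post's fragments; aliases, Defaults lines and wildcards are not handled, so this is a reading aid, not a replacement for checking the real file with visudo.

```python
import re
from collections import namedtuple
# Constructed sample built from the user-specification lines in the post.
SAMPLE_SUDOERS = """\
root  ALL=(ALL) ALL
zubin ALL=(ALL) /usr/sbin/lpc
zubin localhost=(user1,user2) /bin/kill, /usr/sbin/zubin/
alice ALL=(ALL) NOPASSWD: ALL
"""
# user  host[,host]=(runas[,runas]) [NOPASSWD:|PASSWD:] cmd[, cmd]
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
# runas "ALL" = any target user (default root); a command ending in "/" is a directory
Rule = namedtuple("Rule", "user hosts runas commands nopasswd")

def parse_sudoers(text):
    """Parse user specifications; comments and Defaults lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unparseable user specification: {line!r}")
        user, host, runas, cmds = m.groups()
        nopasswd = cmds.startswith("NOPASSWD:")
        cmds = re.sub(r"^(NOPASSWD|PASSWD):\s*", "", cmds)
        rules.append(Rule(user, set(host.split(",")),
                          set((runas or "root").split(",")),
                          [c.strip() for c in cmds.split(",") if c.strip()],
                          nopasswd))
    return rules

def _cmd_matches(pattern, cmd):
    if pattern == "ALL":
        return True
    if pattern.endswith("/"):  # directory: files inside it, not subdirectories
        return cmd.startswith(pattern) and "/" not in cmd[len(pattern):]
    return pattern == cmd

def can_run(rules, user, host, runas, cmd):
    """Return (allowed, no_password_needed); the last matching rule decides."""
    verdict = (False, False)
    for r in rules:
        if r.user != user or not ({host, "ALL"} & r.hosts):
            continue
        if runas not in r.runas and "ALL" not in r.runas:
            continue
        if any(_cmd_matches(p, cmd) for p in r.commands):
            verdict = (True, r.nopasswd)
    return verdict
```

Running can_run over the sample shows that the trailing "/" on /usr/sbin/zubin/ admits files in that directory but nothing below it, and that alice's NOPASSWD: ALL entry answers yes to everything without a password.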


But then, zubin would have to name the target user with -u every time, for example:

[zubin@localhost etc]$ sudo -u user1 /bin/kill <pid>


To avoid this, we simply add the following to the defaults section:


Defaults:zubin timestamp_timeout=-1, runas_default=user1
