Sunday, April 8, 2012

### Sudo Users ###

If a server needs to be administered by a number of people, it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.

The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands which they would not normally be able to due to file permission restrictions.

Configuration:

Suppose we want two more admin users (remil, shinto) with all the privileges of the root user.

We'll make them sudo users.

Edit /etc/sudoers and add their names as follows.

Always use the visudo command to edit /etc/sudoers: it locks the file against concurrent edits and checks the syntax before saving, so a typo cannot lock everyone out of sudo.
[root@vm1 ~]# visudo

root    ALL=(ALL)       ALL
remil   ALL=(ALL)       ALL
shinto  ALL=(ALL)       ALL

save the file.

Now log in as shinto and execute any command.

The privileged command must be prefixed with the word sudo, followed by the command's regular syntax.

[shinto@vm1 ~]$ sudo /sbin/service network restart

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:    # you are prompted for your own regular password before the command is executed
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[shinto@vm1 ~]$

NOTE: All commands run via sudo are logged in the log file /var/log/messages, so the "who did what, when and where" question above can be answered from the log.
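To show what that log gives you, here is an added example (not part of the original post) that pulls the user, the outcome and the command out of sudo's syslog lines. The log lines in SAMPLE_LOG are constructed in the format sudo writes through syslog; the host vm1 and the user names follow the post, the timestamps, PIDs and address are made up. On a real host you would pipe in the file the post names.

```shell
#!/bin/sh
# Added example, not from the original post: summarise sudo activity from
# syslog-style log lines. SAMPLE_LOG is constructed; only its shape matters.
SAMPLE_LOG='Apr  8 10:15:22 vm1 sudo:   shinto : TTY=pts/0 ; PWD=/home/shinto ; USER=root ; COMMAND=/sbin/service network restart
Apr  8 10:16:01 vm1 sshd[2231]: Accepted password for remil from 192.0.2.10 port 51234 ssh2
Apr  8 10:16:30 vm1 sudo:    remil : TTY=pts/1 ; PWD=/home/remil ; USER=root ; COMMAND=/sbin/service network restart
Apr  8 10:17:05 vm1 sudo:    ajith : command not allowed ; TTY=pts/2 ; PWD=/home/ajith ; USER=root ; COMMAND=/bin/bash'

# sudo_audit: read log lines on stdin and print one "user<TAB>status<TAB>command"
# line per sudo entry. status is "ok" for an executed command and "denied" when
# sudo logged "command not allowed" (a user trying something outside their grant).
# Non-sudo lines (sshd, kernel, ...) are ignored.
sudo_audit() {
    awk '
        # field 5 is the syslog tag: "sudo:" or "sudo[pid]:"
        $5 ~ /^sudo(\[[0-9]+\])?:$/ {
            user   = $6
            status = ($0 ~ /command not allowed/) ? "denied" : "ok"
            cmd    = $0
            sub(/.*COMMAND=/, "", cmd)          # keep only the command text
            printf "%s\t%s\t%s\n", user, status, cmd
        }
    '
}

# Run on the constructed sample; on a live system: sudo_audit < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | sudo_audit
```

The "denied" rows are the ones worth alerting on: they show a user asking sudo for a command the sudoers file does not grant them.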

If you don't want the user to be prompted for a password, add the keyword NOPASSWD as below.

remil   ALL=(ALL)       NOPASSWD: ALL

[remil@vm1 ~]$ sudo /sbin/service network restart    # note that it did not prompt for a password
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[remil@vm1 ~]$


Suppose we want to give permission for only one command. For example, we are running a web server and want to give a group of admins permission only to stop and restart the service.

The configuration is as follows (a User_Alias names the admins, a Cmnd_Alias names the allowed command, and the last line ties them together):

User_Alias WEBADMINS=ajith,vivek
Cmnd_Alias WEBADMINS_COMMANDS=/etc/init.d/httpd
WEBADMINS ALL=WEBADMINS_COMMANDS

Now log in as ajith and check:

[ajith@vm1 ~]$ sudo /etc/init.d/httpd start

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
Starting httpd:                                            [  OK  ]
[ajith@vm1 ~]$

For groups:

To grant permissions to a whole Unix group of users, use the group name prefixed with % in place of a username, as follows:
%linux ALL=(ALL) NOPASSWD: ALL

Here we created a user rakesh with primary group linux, and gave all users in the linux group all privileges
of the root user.

Checking the privileges as user rakesh:
[rakesh@vm1 ~]$ sudo /sbin/service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]

[rakesh@vm1 ~]$ groups rakesh
rakesh : linux
[rakesh@vm1 ~]$
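The three kinds of entry used above (NOPASSWD grants, User_Alias/Cmnd_Alias restrictions, and %group grants) are exactly what you want to review when auditing a server's sudoers file. The script below is an added example, not part of the original post: it reads sudoers lines, resolves the aliases, and reports for each user or group whether they end up with ALL commands and whether a password is still required. SAMPLE_SUDOERS is a constructed fragment built from the post's own entries; the parser deliberately handles only the entry forms shown in the post and skips Defaults and other alias types.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sudoers fragment.
# SAMPLE_SUDOERS is constructed from the entries shown in the post.
SAMPLE_SUDOERS='# constructed fragment mirroring the post
Defaults    requiretty
root    ALL=(ALL)       ALL
remil   ALL=(ALL)       NOPASSWD: ALL
shinto  ALL=(ALL)       ALL
User_Alias WEBADMINS=ajith,vivek
Cmnd_Alias WEBADMINS_COMMANDS=/etc/init.d/httpd
WEBADMINS ALL=WEBADMINS_COMMANDS
%linux ALL=(ALL) NOPASSWD: ALL'

# sudoers_report: read sudoers lines on stdin, print "principal<TAB>risk<TAB>commands".
# risk is full-nopasswd (ALL commands, no password), full (ALL commands, password
# required) or limited (a specific command or Cmnd_Alias). Single pass, so an
# alias must be defined before the line that uses it, as in the post. Only the
# User_Alias, Cmnd_Alias and user/%group specification forms shown in the post
# are handled; Defaults, Host_Alias and Runas_Alias lines are skipped.
sudoers_report() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ { next }
        $1 == "User_Alias" || $1 == "Cmnd_Alias" {
            line = $0
            sub(/^[^ \t]+[ \t]+/, "", line)      # drop the keyword
            gsub(/[ \t]/, "", line)              # NAME = a, b  ->  NAME=a,b
            split(line, kv, "=")
            if ($1 == "User_Alias") ualias[kv[1]] = kv[2]
            else                    calias[kv[1]] = kv[2]
            next
        }
        {
            who  = $1
            spec = $0
            sub(/^[^ \t]+[ \t]+/, "", spec)      # drop the user/%group field
            sub(/^[^=]+=[ \t]*/, "", spec)       # drop "hosts="
            sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop the optional "(runas)"
            nopass = (spec ~ /NOPASSWD:/)
            sub(/^NOPASSWD:[ \t]*/, "", spec)
            cmds = spec
            if (cmds in calias) cmds = calias[cmds]   # resolve Cmnd_Alias
            risk = (cmds == "ALL") ? (nopass ? "full-nopasswd" : "full") : "limited"
            n = 1; members[1] = who
            if (who in ualias) n = split(ualias[who], members, ",")   # expand User_Alias
            for (i = 1; i <= n; i++) printf "%s\t%s\t%s\n", members[i], risk, cmds
        }
    '
}

# Run on the constructed sample; on a live host: sudoers_report < /etc/sudoers
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_report
```

The full-nopasswd rows are the first thing to look at in a review: every member of the linux group (and remil) can become root with no password at all, so membership of that group is effectively root access. Run visudo -c first to confirm the file parses, since this script reads it without any syntax checking.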
