DISCLAIMER : Please note that blog owner takes no responsibility of any kind for any type of data loss or damage by trying any of the command/method mentioned in this blog. You may use the commands/method/scripts on your own responsibility.If you find something useful, a comment would be appreciated to let other viewers also know that the solution/method work(ed) for you.


SUDO in UNIX

Sudo is a standard way to give users some administrative rights without giving out the root
password. Sudo is very useful in a multi user environment with a mix of server and
workstations. Simply call the command with sudo:

# sudo /etc/init.d/dhcpd restart                                   # Run the rc script as root
# sudo -u sysadmin whoami                                       # Run cmd as an other user

 Configuration :

Sudo is configured in /etc/sudoers and must only be edited with visudo. The basic syntax is
(the lists are comma separated):

user hosts = (runas) commands                                   # In /etc/sudoers
users one or more users or %group (like %wheel) to gain the rights
hosts list of hosts (or ALL)
runas list of users (or ALL) that the command rule can be run as. It is enclosed in ( )!
commands list of commands (or ALL) that will be run as root or as (runas)
Additionally those keywords can be defined as alias, they are called User_Alias, Host_Alias,
Runas_Alias and Cmnd_Alias. This is useful for larger setups.

Here a sudoers example:

# cat /etc/sudoers

# Host aliases are subnets or hostnames.
Host_Alias DMZ = 212.118.81.40/28
Host_Alias DESKTOP = work1, work2

# User aliases are a list of users which can have the same rights

User_Alias ADMINS = colin, luca, admin
User_Alias DEVEL = joe, jack, julia
Runas_Alias DBA = oracle,pgsql

# Command aliases define the full path of a list of commands
Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root           # Not root pwd!
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap

# The actual rules
root,ADMINS ALL = (ALL) NOPASSWD: ALL             # ADMINS can do anything w/o a password.
DEVEL DESKTOP = (ALL) NOPASSWD: ALL             # Developers have full right on desktops
DEVEL DMZ = (ALL) NOPASSWD: DEBUG                 # Developers can debug the DMZ servers.

# User sysadmin can mess around in the DMZ servers with some commands.
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL            # Can do anything outside the DMZ.
%dba ALL = (DBA) ALL # Group dba can run as database user.
# anyone can mount/unmount a cd-rom on the desktop machines
ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom

Do you like this story?

No comments:

Post a Comment