The sudo tool allows ordinary users to have limited root-level administrative access for certain tasks. This allows users to perform specific superuser operations without granting them full superuser status.
To use sudo to run a command, precede it with the sudo command:
sudo date
The first time a user issues a sudo command during a login session, they will be prompted to enter the administrative password.
The accounts capable of using sudo are specified in the /etc/sudoers file, which is edited with the visudo utility. This file lists users and the commands they can run, along with whether a password is required for access (users must enter a password unless the NOPASSWD option is set).
A /etc/sudoers entry has the format
user host=command
user    | The name of the user being granted access.
host    | A host on the network. For all hosts, use ALL.
command | A list of one or more commands, qualified by options such as whether a password is required. For all commands, use ALL.
So, for example, to give user paul full root-level access to all commands on all hosts:
paul ALL = ALL
To run as another user, instead of as root, place the alternative user in parentheses before the command. For example, to allow user paul to run as user ringo on the beatle host:
paul beatle = (ringo) ALL
The command may have an option associated with it. Possible options are:
NOPASSWD / PASSWD       | Determines whether or not the user will require a password to run the command.
NOEXEC / EXEC           | If sudo has been compiled with noexec support, this determines whether or not an executable will be allowed to run further commands itself.
SETENV / NOSETENV       | Determines whether or not users are allowed to override environment variables with the sudo -E command.
LOG_INPUT / NOLOG_INPUT | Determines whether or not the input to the command is written to the log file.
LOG_OUTPUT / NOLOG_OUTPUT | Determines whether or not the output from the command is written to the log file.
Therefore, to allow user paul to run the kill command on beatle with a password, but to run the lprm command without a password:
paul beatle = PASSWD: /usr/bin/kill, NOPASSWD: /usr/bin/lprm
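As an added example (not from the original page), here is a small Python parser and audit for entries in the user host = (runas) OPTION: command format described above; it also applies the sudoers rule that an option carries over to later commands in the same list until its opposite replaces it. The sample entries are constructed from the page's examples plus two extra lines.

```python
import re

# Per-command tags from the page. A tag stays in force for the rest of a rule's
# command list until its opposite (PASSWD vs NOPASSWD, ...) replaces it.
TAGS = {"PASSWD", "NOPASSWD", "EXEC", "NOEXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

def parse_sudoers(text):
    """Parse 'user host = (runas) TAG: cmd, TAG: cmd' lines into
    (user, host, runas, [(frozenset(tags), command), ...]) tuples; runas is "root"
    when no (runas) is given. Comments, Defaults and alias lines are skipped;
    includes and line continuations are out of scope for this example."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$", line)
        if not m:
            raise ValueError(f"unparsable sudoers line: {line!r}")
        user, host, runas, spec = m.groups()
        commands, tags = [], set()
        for item in (s.strip() for s in spec.split(",")):
            while ":" in item and item.split(":", 1)[0].strip() in TAGS:
                tag, item = (s.strip() for s in item.split(":", 1))
                # the opposite tag is dropped: PASSWD and NOPASSWD share base "PASSWD"
                tags = {t for t in tags if t.removeprefix("NO") != tag.removeprefix("NO")} | {tag}
            commands.append((frozenset(tags), item))
        rules.append((user, host, (runas or "root").strip(), commands))
    return rules

def audit(rules):
    """Flag what a reviewer checks first: ALL-command grants, passwordless or not."""
    findings = []
    for user, host, runas, commands in rules:
        for tags, cmd in commands:
            if cmd == "ALL":
                kind = "passwordless" if "NOPASSWD" in tags else "unrestricted"
                findings.append(f"{user}@{host}: {kind} ALL as {runas}")
    return findings

# Constructed sample: the page's own entries plus two extra lines, not a real file.
SAMPLE = """\
paul ALL = ALL
paul beatle = (ringo) ALL
paul beatle = PASSWD: /usr/bin/kill, NOPASSWD: /usr/bin/lprm
george beatle = NOPASSWD: /usr/bin/kill, /usr/bin/lprm   # NOPASSWD also covers lprm
john ALL = NOPASSWD: ALL
"""
```

Note the george line: because the NOPASSWD option carries over, /usr/bin/lprm is passwordless too, which is why the page's example tags each command explicitly.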
A user can list the commands he or she is permitted to run with:
sudo -l