|< Day Day Up >|
Recipe 8.21. Granting Limited Rootly Powers with sudo
You would like to delegate some system administration chores to other users, or set up an extra layer of safety for your own root chores—but you want to do it in a way that uses only limited rootly powers, and does not give away root's password.
Use sudo. sudo grants limited root powers to specific users for specific tasks, logs activity, and does not give away root's password.
Let's say that you have a user, jhaugh, upon whom you wish to bestow full rootly powers. Because sudo users use their own passwords, root's password is protected. Edit /etc/sudoers with visudo—it will open in your default text editor:
# visudo # sudoers file. # # This file MUST be edited with the 'visudo' # command as root. # See the man page for details on how to write # a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL) ALL
First, set up a host alias:
Host_Alias LOCALHOST= localhost
Under the "User privilege specification" line, you can add individual users:
jhaugh ALL=(ALL) ALL
This gives jhaugh root powers for everything on the system and on all connected machines. Now say you have another user, tgwynne, who needs root privileges only on the local machine. Add the following line for this user:
tgwynne LOCALHOST = ALL
Adding to your delegation of minions is msmith, who is allowed only to shut down the local machine:
msmith LOCALHOST = /sbin/shutdown, /sbin/halt
This grants groups of ordinary users shutdown privileges on their own machines:
# Host alias specification Host_Alias LOCALHOST= localhost # User alias specification User_Alias USERS = tgwynne, msmith, jhaugh, \ abyron, jwinters # Cmnd alias specification Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown, /usr/sbin/halt, \ /usr/sbin/reboot, /usr/sbin/poweroff # User privilege specification USERS LOCALHOST = SHUTDOWN
To execute a sudo command, users do this:
$ sudo /usr/sbin/halt
They will be prompted for their passwords, then the command will execute. Users can check which commands they are authorized for with the following command:
$ sudo -l User jhaugh may run the following commands on this host: (ALL) ALL
sudo logs all errors to the syslog, and tattles to root:
$ sudo /usr/sbin/halt carla is not in the sudoers file. This incident will be reported.
Groups of servers can be defined, and users can be given privileges to the groups:
# Host alias specification Host_Alias FILESERVERS = host1, host2, host3 # User alias specification User_Alias FILESERVADMINS = jhaugh, abyron, jwinters # Cmnd alias specification Cmnd_Alias FILEUTILS = /bin/chgrp, /bin/chmod, \ /bin/chown, /bin/cp, /bin/dd, /bin/df, \ /bin/dir, /bin/dircolors, /bin/du, /bin/install, \ /bin/ln, /bin/ls, /bin/mkdir, /bin/mkfifo, \ /bin/mknod,bin/mv, /bin/rm, /bin/rmdir, \ /bin/shred, /bin/touch, /bin/vdir sync # User privilege specification FILESERVADMIN FILESERVERS = FILEUTILS
sudo can also be used to let users execute scripts, such as backup scripts. Be very careful with scripts, or any command that gives shell access or invokes a text editor, because these may allow users to escalate their privileges. You can try to restrict sudo users to RJOE, which is a restricted editor that cannot invoke a shell, but it's better to be careful with how you delegate rootly chores in the first place.
8.21.4 See Also
|< Day Day Up >|