====== sudo ======
The ''sudo'' command allows a user to run a command as root (or as some other user). It has several benefits over ''su'', especially in logging: every command run through it is recorded. It has a configuration file (''/etc/sudoers'') that restricts who has access and which commands they may run. It can be configured so that (certain) users do not have to enter root's password. It is also used to run individual commands, instead of giving the person a full root shell.
===== Installation =====
Install sudo:
<code bash>
apt-get install sudo
</code>
===== Configuration =====
Add a group named wheel, with a GID of 99 (NOTE: CentOS already has a wheel group by default):
<code bash>
groupadd -g 99 wheel
</code>
Add any admin users to the ''wheel'' group. You can use the ''vigr'' command, or ''adduser //username// //groupname//''.
<code bash>
for USER in root lvl booch mk jmuse donls gary blac gfstut; do
    usermod -a -G wheel $USER
done
</code>
Edit ''/etc/sudoers'' (this must be done by running ''visudo'', which locks the file and checks its syntax before saving) to look like this:
<code>
# Require root password (instead of the user's own password).
Defaults rootpw
# Reset all environment variables, except the ones we explicitly list.
Defaults env_reset
Defaults env_keep = "PATH MAIL PS1 PS2 HOSTNAME HISTSIZE \
    LS_COLORS COLORS INPUTRC TZ \
    LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS"
# Set $HOME to the target user's home directory. Allows mysql clients to find $HOME/.my.cnf config file automatically.
Defaults always_set_home
# Define aliases to simplify later declarations. Note that these pertain to Debian and Red Hat variants.
#Cmnd_Alias SOFTWARE_INSTALL = /usr/bin/apt-get install *, \
#    /usr/bin/yum install *, /bin/rpm -i *, \
#    /usr/local/bin/gem install *
Cmnd_Alias SOFTWARE_UPDATE = /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \
    /usr/bin/yum update
# Root can run anything as anyone.
root ALL=(ALL) ALL
# These users may run anything, if they supply the root password.
%wheel ALL = ALL
# These users may run these commands without having to supply a password.
# (Later entries take precedence, so this NOPASSWD rule overrides the one above for these commands only.)
%wheel ALL = NOPASSWD: SOFTWARE_UPDATE
</code>
===== Security =====
Allowing ''sudo'' with no password should be limited as much as possible.
Note that users in the ''sudo'' group can use ''sudo'' without a password -- DON'T DO THIS!
Note that if you allow a user to run a command as root, and that command allows them to shell out, they can then effectively run any command as root. So don't give access to things like ''vi'' unless you are prepared to give them access to ALL commands.
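As an added example (not part of the original page), the following script audits a sudoers file for the two problems described above: password-less entries, and password-less entries that grant ALL or ''vi''. The sample sudoers content it writes is constructed for the demonstration; the ''list_nopasswd'', ''count_risky'' and ''write_sample'' function names are my own.

```shell
#!/bin/bash
# Audit a sudoers file for NOPASSWD entries and for the risky subset that
# grants every command or an editor (vi) that can shell out to root.

# Print every active NOPASSWD entry with its line number; comment lines
# are dropped so a commented-out rule is not reported.
list_nopasswd() {
    grep -n 'NOPASSWD' "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# Count NOPASSWD entries that grant ALL commands or a path ending in /vi.
count_risky() {
    awk 'BEGIN { n = 0 }
         /^[ \t]*#/ { next }
         /NOPASSWD/ && (/NOPASSWD:[ \t]*ALL/ || /\/vi([ \t]|$|,)/) { n++ }
         END { print n }' "$1"
}

# Constructed sample sudoers content (not a real system file).
write_sample() {
    cat > "$1" <<'EOF'
Defaults rootpw
Cmnd_Alias SOFTWARE_UPDATE = /usr/bin/apt-get update, /usr/bin/yum update
root ALL=(ALL) ALL
%wheel ALL = ALL
%wheel ALL = NOPASSWD: SOFTWARE_UPDATE
# editor ALL = NOPASSWD: /usr/bin/vi
editor ALL = NOPASSWD: /usr/bin/vi
lists ALL = NOPASSWD: ALL
EOF
}

main() {
    tmp=$(mktemp)
    write_sample "$tmp"
    echo "NOPASSWD entries:"
    list_nopasswd "$tmp"
    echo "risky entries (ALL or vi): $(count_risky "$tmp")"
    # Where visudo is installed, also check syntax before installing the file:
    #   visudo -c -f "$tmp"
    rm -f "$tmp"
}
main
```

Run it against a real file by replacing the sample with ''/etc/sudoers'' (as root); the ''wheel'' SOFTWARE_UPDATE rule from the configuration above is listed but not counted as risky.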
===== TODO =====
  * Consider adding some more limited commands for some users. For example, the editor should be able to check the mail queues. The list manager should be able to run the list management scripts.
  * Document how logging works.