The sudo command allows a user to run a command as root (or as some other user). It has several benefits over su, especially in logging: every command run through sudo is recorded, whereas su only logs that a root shell was opened. It has a configuration file (/etc/sudoers) that restricts who has access and which commands they may run. Unlike su, it need not require users to know root's password: by default they authenticate with their own password, and (certain) users or commands can be exempted from the password prompt entirely. It is also used to run individual commands, instead of giving the person a full root shell.
Install sudo:
apt-get install sudo
Add a group named wheel, with a GID of 99 (NOTE: CentOS already has a wheel group by default):
groupadd -g 99 wheel
Add any admin users to the wheel group. You can use the vigr command, adduser username groupname (Debian's adduser; on CentOS adduser is just useradd), or usermod -a -G as in the loop below.
for USER in root lvl booch mk jmuse donls gary blac gfstut; do usermod -a -G wheel "$USER"; done
Edit /etc/sudoers (always do it by running visudo, which locks the file and refuses to save a syntax error that would otherwise lock everyone out of sudo; to check a copy kept elsewhere, run visudo -c -f FILE) to look like this:
# Require root password (instead of the user's own password).
Defaults rootpw

# Reset all environment variables, except the ones we explicitly list.
Defaults env_reset
Defaults env_keep = "PATH MAIL PS1 PS2 HOSTNAME HISTSIZE \
                     LS_COLORS COLORS INPUTRC TZ \
                     LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                     LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                     LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS"

# Set $HOME to the target user's home directory. Allows mysql clients to find
# $HOME/.my.cnf config file automatically.
Defaults always_set_home

# Define aliases to simplify later declarations. Note that these pertain to
# Debian and Red Hat variants.
#Cmnd_Alias SOFTWARE_INSTALL = /usr/bin/apt-get install *, \
#                              /usr/bin/yum install *, /bin/rpm -i *, \
#                              /usr/local/bin/gem install *
Cmnd_Alias SOFTWARE_UPDATE = /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \
                             /usr/bin/yum update

# Root can run anything as anyone.
root ALL=(ALL) ALL

# These users may run anything, if they supply the root password.
%wheel ALL = ALL

# These users may run these commands without having to supply a password.
%wheel ALL = NOPASSWD: SOFTWARE_UPDATE
Allowing sudo with no password should be limited as much as possible, and only to commands whose arguments are fixed in sudoers (as SOFTWARE_UPDATE above: apt-get update with no further arguments). Be careful with wildcards in command arguments: sudoers matches the argument string as a whole, so an entry such as apt-get install * also admits extra options, some of which make the command run arbitrary programs as root.
Check the stock /etc/sudoers before replacing it: if it grants the Debian sudo group passwordless access (a line like %sudo ALL=NOPASSWD: ALL), do not carry that line over. DON'T DO THIS!
Note that if you allow a user to run a command as root, and the command allows them to shell out, they can effectively run any command as root. This applies to editors (":!sh" in vi), pagers such as less and more ("!sh"), and anything else that can spawn a program. So don't give access to things like vi, unless you give them access to ALL commands anyway; if the goal is to let someone edit one file as root, grant sudoedit (sudo -e) on that file instead, which copies the file to a temporary location, runs the user's editor unprivileged, and copies the result back.
Consider adding some more limited commands for some users. For example, the editor should be able to check the mail queues. The list manager should be able to run the list management scripts.
Document how logging works. (By default sudo logs every invocation, accepted or refused, through syslog: on Debian the lines land in /var/log/auth.log, on CentOS in /var/log/secure, in the form "sudo: USER : TTY=... ; PWD=... ; USER=root ; COMMAND=...". Refused attempts are also mailed to root.)