build:sudo
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
build:sudo [2005/08/24 00:24] 10.42.69.100 created |
build:sudo [2011/05/21 12:16] (current) SLUUG Administration [Configuration] Don't allow software installation without a password. (CMB) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== sudo ====== | ====== sudo ====== | ||
| - | The ''sudo'' command allows a user to run a command as root (or some other user). It has several benefits over ''su''. It has a configuration file that can be used to restrict who has access, and what commands they have access to. It can be configured to not require (certain) users to enter root's password. It is also used to run individual commands, instead of giving the person a full shell command-line environment. | + | The ''sudo'' command allows a user to run a command as root (or some other user). It has several benefits over ''su'' -- especially in logging. It has a configuration file that can be used to restrict who has access, and what commands they have access to. It can be configured to not require (certain) users to enter root's password. It is also used to run individual commands, instead of giving the person a full shell command-line environment. |
| ===== Installation ===== | ===== Installation ===== | ||
| Install sudo: | Install sudo: | ||
| - | # apt-get install sudo | + | <code rootshell> |
| + | apt-get install sudo | ||
| + | </code> | ||
| ===== Configuration ===== | ===== Configuration ===== | ||
| - | Add a group named wheel, with a GID of 99: | + | Add a group named wheel, with a GID of 99 (NOTE: CentOS already has a wheel group by default): |
| - | groupadd -g 99 wheel | + | <code rootshell> |
| + | groupadd -g 99 wheel | ||
| + | </code> | ||
| - | TODO: Add any admin users to the wheel group. (vigr seems to be the easiest way.) | + | Add any admin users to the ''wheel'' group. You can use the ''vigr'' command, or ''adduser //username// //groupname//''. |
| + | <code rootshell> | ||
| + | for USER in root lvl booch mk jmuse donls gary blac gfstut; do | ||
| + | usermod -a -G wheel $USER | ||
| + | done | ||
| + | </code> | ||
| | | ||
| - | Edit /etc/sudoers (have to do it by running visudo) to look like this: | + | Edit ''/etc/sudoers'' (have to do it by running ''visudo'') to look like this: |
| - | root ALL=(ALL) ALL | + | <file> |
| - | %wheel ALL=NOPASSWD: ALL | + | # Require root password (instead of the user's own password). |
| - | www-data ALL=NOPASSWD: /etc/pcx-firewall/frontend/scripts/install | + | Defaults rootpw |
| - | TODO: Remove the NOPASSWORD: and replace it with (ALL) in a month or so to require passwords. The www-data line is just to document what we'd previously done. | + | # Reset all environment variables, except the ones we explicitly list. |
| + | Defaults env_reset | ||
| + | Defaults env_keep = "PATH MAIL PS1 PS2 HOSTNAME HISTSIZE \ | ||
| + | LS_COLORS COLORS INPUTRC TZ \ | ||
| + | LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ | ||
| + | LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ | ||
| + | LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS" | ||
| + | |||
| + | # Set $HOME to the target user's home directory. Allows mysql clients to find $HOME/.my.cnf config file automatically. | ||
| + | Defaults always_set_home | ||
| + | |||
| + | # Define aliases to simplify later declarations. Note that these pertain to Debian and Red Hat variants. | ||
| + | #Cmnd_Alias SOFTWARE_INSTALL = /usr/bin/apt-get install *, \ | ||
| + | # /usr/bin/yum install *, /bin/rpm -i *, \ | ||
| + | # /usr/local/bin/gem install * | ||
| + | Cmnd_Alias SOFTWARE_UPDATE = /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \ | ||
| + | /usr/bin/yum update | ||
| + | |||
| + | # Root can run anything as anyone. | ||
| + | root ALL=(ALL) ALL | ||
| + | |||
| + | # These users may run anything, if they supply the root password. | ||
| + | %wheel ALL = ALL | ||
| + | |||
| + | # These users may run these commands without having to supply a password. | ||
| + | %wheel ALL = NOPASSWD: SOFTWARE_UPDATE | ||
| + | </file> | ||
| ===== Security ===== | ===== Security ===== | ||
| Line 26: | Line 61: | ||
| Allowing ''sudo'' with no password should be limited as much as possible. | Allowing ''sudo'' with no password should be limited as much as possible. | ||
| - | Note that if you allow a user to run a command as root, and the command allows them to shell out, they can then effectively run any command as root. So don't give access to things like vi, unless you give them access to ALL commands. | + | Note that users in the ''sudo'' group can use ''sudo'' without a password -- DON'T DO THIS! |
| - | ===== TODO ===== | + | Note that if you allow a user to run a command as root, and the command allows them to shell out, they can then effectively run any command as root. So don't give access to things like ''vi'', unless you give them access to ALL commands. |
| - | Add some limited commands for some users. For example, the editor should be able to check the mail queues. The list manager should be able to run the list management scripts. | + | ===== TODO ===== |
| - | Should we have used the existing sudo group (27) instead of adding a wheel group? How about staff (50)? | + | Consider adding some more limited commands for some users. For example, the editor should be able to check the mail queues. The list manager should be able to run the list management scripts. |
| - | Consider Startup, Security, Testing, and Logging issues. Also, who gets credit for installation? | + | Document how logging works. |
build/sudo.1124861057.txt.gz · Last modified: 2006/10/26 00:54 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
