Helping ordinary people create extraordinary websites!

Using Sudo

By Tony Lawrence
2005-05-12

Limiting Commands
There's more that sudo does to protect tyou from malicious mischief. The :man sudo" pages cover that completely. Let's continue with our examples; it's time to limit "jim" to specific commands. There are two ways to do that. We can specifically list commands, or we can say that jim can only run commands in a certain directory. A combination of those methods is useful: 

jim     ALL=    /bin/kill,/sbin/linuxconf, /usr/sbin/jim/
The careful reader will note that there was a bit of a change here. The line used to read "jim ALL=(ALL) ALL", but now there's only one "ALL" left. Reading the man page can easily leave you quite confused as to what those three "ALL"'s meant. In the example above, ALL refers to machines- the assumption is that this is a network wide sudoers file. In the case of this machine (lnxserve) we could do this: 

jim     lnxserve=       /bin/kill, /usr/sbin/jim/
So what was the "(ALL)" for? Well, here;s a clue: 

jim     lnxserve=(paul,linda)   /bin/kill, /usr/sbin/jim/
That says that jim can (using "sudo -u ") run commands as paul or linda.

This is perfect for giving jim the power to kill paul or linda's processes without giving him anything else. There is one thing we need to add though: if we just left it like this, jim is forced to use "sudo -u paul" or "sudo -u linda" every time. We can add a default "runas_default": 

Defaults:jim    timestamp_timeout=-1, env_delete+="BOOP", runas_default=linda
I hope that this introduction will get you started. Now that you have the basics, the man pages for sudo and sudoers should make more sense.



Tutorial pages:

© Copyright 2005 A.P. Lawrence
 1 Votes

You might also want to check these out:


Leave a Comment on "Using Sudo"
You must be logged in to post a comment.

Link to This Tutorial Page!
GET OUR NEWSLETTERS