Using Sudo
By Tony Lawrence2005-05-12
Limiting Commands
|
|
There's more that sudo does to protect tyou from malicious mischief. The :man sudo" pages cover that completely. Let's continue with our examples; it's time to limit "jim" to specific commands. There are two ways to do that. We can specifically list commands, or we can say that jim can only run commands in a certain directory. A combination of those methods is useful:
jim ALL= /bin/kill,/sbin/linuxconf, /usr/sbin/jim/The careful reader will note that there was a bit of a change here. The line used to read "jim ALL=(ALL) ALL", but now there's only one "ALL" left. Reading the man page can easily leave you quite confused as to what those three "ALL"'s meant. In the example above, ALL refers to machines- the assumption is that this is a network wide sudoers file. In the case of this machine (lnxserve) we could do this:
jim lnxserve= /bin/kill, /usr/sbin/jim/So what was the "(ALL)" for? Well, here;s a clue:
jim lnxserve=(paul,linda) /bin/kill, /usr/sbin/jim/That says that jim can (using "sudo -u ") run commands as paul or linda.
This is perfect for giving jim the power to kill paul or linda's processes without giving him anything else. There is one thing we need to add though: if we just left it like this, jim is forced to use "sudo -u paul" or "sudo -u linda" every time. We can add a default "runas_default":
Defaults:jim timestamp_timeout=-1, env_delete+="BOOP", runas_default=lindaI hope that this introduction will get you started. Now that you have the basics, the man pages for sudo and sudoers should make more sense.
Tutorial Pages:
» Using Sudo
» Logging
» Security
» Limiting Commands
© Copyright 2005 A.P. Lawrence
|
| Related Tutorials: » How to Install PHP 5 on Linux » How to Install Apache 2 on Linux » How to Install MySQL 5.0 on Linux » SMB Caching » Mound --Bind » Tar Wild Card Interpretation |