I recently wrote a short Bash program to copy MP3 files from a USB thumb drive on one network host to another network host. The files are copied to a specific directory on the server that I run for a volunteer organization, from where the files can be downloaded and played. My program does a few other things, such as changing the name of the files before they are copied so they are automatically sorted by date on the webpage. It also deletes all the files on the USB drive after verifying that the transfer completed correctly. This nice little program has a few options, such as -h to display help, -t for test mode, and a couple of others.

My program, as wonderful as it is, must run as root to perform its primary functions. Unfortunately, this organization has only a few people who have any interest in administering our audio and computer systems, which puts me in the position of finding semi-technical people and training them to log into the computer used to perform the transfer and run this little program.

It is not that I cannot run the program myself, but for various reasons, including travel and illness, I am not always there. Even when I am present, as the "lazy sysadmin," I like to have others do my work for me. So, I write scripts to automate those tasks and use sudo to anoint a couple of users to run the scripts. Many Linux commands require the user to be root in order to run. This protects the system against accidental damage, such as that caused by my own stupidity, and intentional damage by a user with malicious intent.

The sudo program is a handy tool that allows me as a sysadmin with root access to delegate responsibility for all or a few administrative tasks to other users of the computer. It allows me to perform that delegation without compromising the root password, thus maintaining a high level of security on the host.

Let's assume, for example, that I have given regular user, "ruser," access to my Bash program, "myprog," which must be run as root to perform parts of its functions. First, the user logs in as ruser with their own password, then uses the following command to run myprog. The sudo program checks the /etc/sudoers file and verifies that ruser is permitted to run myprog. If so, sudo requests that the user enter their password, not the root password. After ruser enters their password, the program runs. Also, sudo logs the facts of the access to myprog with the date and time the program was run, the complete command, and the user who ran it. This data is logged in /var/log/security.

I find it helpful to have the log of each command run by sudo for training. I can see who did what and whether they entered the command correctly.

I have done this to delegate authority to myself and one other user to run a single program; however, sudo can be used to do so much more. It can allow the sysadmin to delegate authority for managing network functions or specific services to a single person or to a group of trusted users. It allows these functions to be delegated while protecting the security of the root password.

Configuring the sudoers file

As a sysadmin, I can use the /etc/sudoers file to allow users or groups of users access to a single command, defined groups of commands, or all commands. This flexibility is key to both the power and the simplicity of using sudo for delegation.

I found the sudoers file very confusing at first, so below I have copied and deconstructed the entire sudoers file from the host on which I am using it. Hopefully it won't be quite so obscure for you by the time you get through this analysis. Incidentally, I've found that the default configuration files in Red Hat-based distributions tend to have lots of comments and examples to provide guidance, which makes things easier, with less online searching required.

Do not use your standard editor to modify the sudoers file. Use the visudo command because it is designed to enable any changes as soon as the file is saved and you exit the editor. It is possible to use editors besides Vi in the same way as visudo.

Let's start analyzing this file at the beginning with a couple types of aliases.

The host aliases section is used to create groups of hosts on which commands or command aliases can be used to provide access. The basic idea is that this single file will be maintained for all hosts in an organization and copied to /etc of each host. Some hosts, such as servers, can thus be configured as a group to give some users access to specific commands, such as the ability to start and stop services like HTTPD, DNS, and networking to mount filesystems and so on. IP addresses can be used instead of host names in the host aliases.

```
# Sudoers allows particular users to run various commands as
# the root user, without needing the root password.
```
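A sudoers fragment for the delegation this page describes (ruser running myprog as root, with machines grouped by host aliases), added here as an illustration. It is not the author's own file; the host names, addresses, second user, alias names and paths are assumptions.

```sudoers
# Constructed example: every name, address and path below is an assumption.

# Host aliases: group machines so the same file can be copied to each host.
# Host names, single IP addresses and networks can be mixed in one alias.
Host_Alias  FILESERVERS  = fs1, fs2, 192.0.2.10
Host_Alias  WORKSTATIONS = 198.51.100.0/24

# User alias: the people trusted with the delegated task.
User_Alias  AUDIO = ruser, ruser2

# Command aliases use full paths; sudo matches the path, not the bare name.
# A command listed without arguments may be run with any arguments,
# so "myprog -h" and "myprog -t" are both covered by TRANSFER.
Cmnd_Alias  TRANSFER = /usr/local/bin/myprog

# A command listed with arguments is allowed with exactly those arguments.
Cmnd_Alias  WEBSVC = /usr/bin/systemctl start httpd, \
                     /usr/bin/systemctl stop httpd, \
                     /usr/bin/systemctl restart httpd

# who    where        = (run as)  what
AUDIO    WORKSTATIONS = (root)    TRANSFER
AUDIO    FILESERVERS  = (root)    WEBSVC

# Caveat: /usr/local/bin/myprog is a script that runs as root. It and its
# directory must be owned by root and not writable by the AUDIO users,
# or the rule above amounts to full root access for them.
```

Saved as a drop-in file, a fragment like this can be syntax-checked before it takes effect with `visudo -c -f <file>`.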