Chinaunix首页 | 论坛 | 博客
  • 博客访问: 150296
  • 博文数量: 52
  • 博客积分: 1410
  • 博客等级: 上尉
  • 技术积分: 490
  • 用 户 组: 普通用户
  • 注册时间: 2007-11-05 12:05
文章分类

全部博文(52)

文章存档

2013年(1)

2010年(3)

2009年(6)

2008年(25)

2007年(17)

我的朋友

分类: LINUX

2009-04-19 19:02:12

 

SUDO

The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what).

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

Two of the best advantages about using sudo are:

  • Restringed privileges
  • Logs of the actions done by users

Well but in order to use sudo we first need to configure the sudoers file.

 

#visodo

 

Normally visudo open file /etc/sudoers with vi editor.

 

As describe above, sudo support two syntax, aliases and who may run command as what role. Take example.

 

User_Alias WEBMASTERS = will, wendy, wim

Runas_Alias     DB = oracle, sybase

Host_Alias  SERVERS = master, mail, www, ns

Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \

                      /usr/local/bin/tcsh, /usr/bin/rsh, \

                      /usr/local/bin/zsh

 

 

 

So

 

WEBMASTERS  SERVERS = (DB) !SHELLS, ALL

 

Means users in alias WEBMASTERS can run all command except group of commands in SHELLS aliases as account in DB group.

 

Well, acording to this piont read following sample will make you know the setting of SUDO.

 

 



#  sudo sample file from

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
 
##
# User alias specification
##
User_Alias     FULLTIMERS = millert, mikef, dowdy
User_Alias     PARTTIMERS = bostley, jwfox, crawl
User_Alias     WEBMASTERS = will, wendy, wim
 
##
# Runas alias specification
##
Runas_Alias    OP = root, operator
Runas_Alias    DB = oracle, sybase
 
##
# Host alias specification
##
Host_Alias     SPARC = bigtime, eclipse, moet, anchor:\
               SGI = grolsch, dandelion, black:\
               ALPHA = widget, thalamus, foobar:\
               HPPA = boa, nag, python
Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias     SERVERS = master, mail, www, ns
Host_Alias     CDROM = orion, perseus, hercules
 
##
# Cmnd alias specification
##
Cmnd_Alias     DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
                       /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias     KILL = /usr/bin/kill
Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias     HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias     REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                        /usr/local/bin/tcsh, /usr/bin/rsh, \
                        /usr/local/bin/zsh
Cmnd_Alias     SU = /usr/bin/su
Cmnd_Alias     VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                      /usr/bin/chfn
 
##
# Override built-in defaults
##
Defaults               syslog=auth
Defaults:FULLTIMERS    !lecture
Defaults:millert       !authenticate
Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
 
##
# User specification
##
 
# root and users in group wheel can run anything on any machine as any user
root           ALL = (ALL) ALL
%wheel         ALL = (ALL) ALL
 
# full time sysadmins can run anything on any machine without a password
FULLTIMERS     ALL = NOPASSWD: ALL
 
# part time sysadmins may run anything but need a password
PARTTIMERS     ALL = ALL
 
# jack may run anything on machines in CSNETS
jack           CSNETS = ALL
 
# lisa may run any command on any host in CUNETS (a class B network)
lisa           CUNETS = ALL
 
# operator may run maintenance commands and anything in /usr/oper/bin/
operator       ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
               /usr/oper/bin/
 
# joe may su only to operator
joe            ALL = /usr/bin/su operator
 
# pete may change passwords for anyone but root on the hp snakes
pete           HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
 
# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob            SPARC = (OP) ALL : SGI = (OP) ALL
 
# jim may run anything on machines in the biglab netgroup
jim            +biglab = ALL
 
# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
 
# fred can run commands as oracle or sybase without a password
fred           ALL = (DB) NOPASSWD: ALL
 
# on the alphas, john may su to anyone but root and flags are not allowed
john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
 
# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen            ALL, !SERVERS = ALL
 
# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill           SERVERS = /usr/bin/, !SU, !SHELLS
 
# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve          CSNETS = (operator) /usr/local/op_commands/
 
# matt needs to be able to kill things on his workstation when
# they get hung.
matt           valkyrie = KILL
 
# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www
 
# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
               /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

 

阅读(713) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~