Category: LINUX

2008-10-08 12:09:07

The command visudo allows you to edit the /etc/sudoers file, which determines who may run which commands using sudo. My sudoers file looks like this:
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.

# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
%users ALL=/sbin/mount /mnt/cdrom,/sbin/umount /mnt/cdrom
# %users localhost=/sbin/shutdown -h now

You will notice that user root as well as 'wheel' members are allowed to run any command with root privileges using sudo. You could opt for the alternative and allow the 'wheel' members to not even enter their own password when running sudo, but I think entering the password gives you just that little time to re-think what you're doing before it is too late :-)
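As an added example (not part of the original post), the following POSIX shell script classifies the active rules of a sudoers file in the layout shown above, so you can see at a glance which entries grant full root, which skip the password check, and which are limited to a command list. The sample file it audits is constructed here and mirrors the post's file plus one extra NOPASSWD line; the function names are my own.

```shell
#!/bin/sh
# Added example: audit the grants in a sudoers file (not the post's own code).
# The sample below is constructed; it copies the post's rules and adds one
# passwordless entry so every category shows up in the report.

SAMPLE_SUDOERS="$(mktemp)"
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample sudoers
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
%users ALL=/sbin/mount /mnt/cdrom,/sbin/umount /mnt/cdrom
backup ALL=(ALL) NOPASSWD: ALL
EOF

# audit_sudoers FILE
# Prints "<user-or-%group> <kind>" for every active rule, where kind is:
#   full      the rule ends in a bare ALL, i.e. any command
#   nopasswd  the rule carries the NOPASSWD: tag (no password asked)
#   limited   the rule is restricted to an explicit command list
audit_sudoers() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        /^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            who = $1
            kind = "limited"
            if ($0 ~ /NOPASSWD:/) kind = "nopasswd"
            else if ($0 ~ /[=)][[:space:]]*ALL[[:space:]]*$/) kind = "full"
            print who, kind
        }' "$1"
}

# count_kind FILE KIND  ->  number of rules of that kind
count_kind() {
    audit_sudoers "$1" | awk -v k="$2" '$2 == k { n++ } END { print n + 0 }'
}

audit_sudoers "$SAMPLE_SUDOERS"
echo "passwordless rules: $(count_kind "$SAMPLE_SUDOERS" nopasswd)"
```

This is a report over the file's text only; the authoritative checks remain `visudo -c -f FILE` for syntax and `sudo -l -U USER` for what a given account is actually allowed to run once aliases and Defaults are applied.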

Limiting the invocation of su is possible too, by writing a file called /etc/suauth. There is a man page for that: man suauth. My file always looks like this (do not forget to make it readable by root only by running chmod 600 /etc/suauth):

# sample /etc/suauth file
#
# A couple of privileged usernames may
# su to root with their own password.
#
root:alien:OWNPASS
#
# Anyone else may not su to root unless in
# group wheel. This is how BSD does things.
#
root:ALL EXCEPT GROUP wheel:DENY

You will notice that not being a member of 'wheel' means you will not be able to use su to get a root shell. The command sudo bash -l will of course get you that shell just as easily, but the use of sudo is logged (or should be logged if you're security minded). An interesting line is "root:alien:OWNPASS", which allows user 'alien' to become root using his own password. This is a nice way of not having to share the sensitive root password with others and still allowing those others to run a root shell without having their actions logged.
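To make the first-match semantics of /etc/suauth concrete, here is an added example (my own code, not from the post) that evaluates a suauth rule file for a given target user, calling user and the caller's groups, following the to-id:from-id:ACTION format from suauth(5). The rule file is a constructed copy of the one above, and the user and group names used in the checks are invented.

```shell
#!/bin/sh
# Added example: decide what su would do under a given /etc/suauth file.
# The rules, users and groups below are constructed for the demonstration.

SUAUTH_SAMPLE="$(mktemp)"
trap 'rm -f "$SUAUTH_SAMPLE"' EXIT
cat > "$SUAUTH_SAMPLE" <<'EOF'
# constructed copy of the post's /etc/suauth
root:alien:OWNPASS
root:ALL EXCEPT GROUP wheel:DENY
EOF

# suauth_decide TARGET CALLER "GROUP..." FILE
# Prints the ACTION (OWNPASS, NOPASS or DENY) of the first line whose to-id
# matches TARGET and whose from-id matches CALLER by name or by group, or
# DEFAULT when no line matches, in which case su asks for TARGET's password.
suauth_decide() {
    awk -F: -v to="$1" -v from="$2" -v grps="$3" '
        BEGIN { n = split(grps, g, " "); for (i = 1; i <= n; i++) ingrp[g[i]] = 1 }
        # is name one of the comma-separated user names in list?
        function inlist(list, name,    k, m, a) {
            m = split(list, a, ",")
            for (k = 1; k <= m; k++) if (a[k] == name) return 1
            return 0
        }
        # does the caller belong to any of the comma-separated groups in list?
        function anygroup(list,    k, m, a) {
            m = split(list, a, ",")
            for (k = 1; k <= m; k++) if (a[k] in ingrp) return 1
            return 0
        }
        # spec forms: ALL | ALL EXCEPT list | GROUP list | ALL EXCEPT GROUP list | list
        # (the GROUP forms are only meaningful in the from-id field)
        function matches(spec, name) {
            if (spec == "ALL") return 1
            if (sub(/^ALL EXCEPT GROUP /, "", spec)) return !anygroup(spec)
            if (sub(/^ALL EXCEPT /, "", spec)) return !inlist(spec, name)
            if (sub(/^GROUP /, "", spec)) return anygroup(spec)
            return inlist(spec, name)
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        matches($1, to) && matches($2, from) { print $3; found = 1; exit }
        END { if (!found) print "DEFAULT" }
    ' "$4"
}

# Walk a few constructed cases through the rules.
for case in "root alien users" "root bob users" "root bob users,wheel" "alien bob users"; do
    set -- $case
    printf '%-6s -> %-6s (groups: %s): %s\n' "$2" "$1" "$3" \
        "$(suauth_decide "$1" "$2" "$(echo "$3" | tr ',' ' ')" "$SUAUTH_SAMPLE")"
done
```

Note the order dependence: because the OWNPASS line for alien comes first, alien gets his own password prompt even though he is not in wheel; swapping the two lines would make the DENY line win for him. The DEFAULT result for a wheel member means no suauth line applies and su behaves as usual, asking for the root password.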
