Category: LINUX
2008-10-08 12:09:07
visudo allows you to tailor the /etc/sudoers file, which determines who may run what commands using sudo. My sudoers file looks like this:
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
%users ALL=/sbin/mount /mnt/cdrom,/sbin/umount /mnt/cdrom
# %users localhost=/sbin/shutdown -h now
You will notice that user root as well as 'wheel' members are allowed to run any command with root privileges using sudo. You could opt for the alternative of allowing the 'wheel' members to not even enter their own password when running sudo, but I think entering the password gives you just that little time to re-think what you're doing before it is too late.
Limiting the invocation of su is possible too, by writing a file called /etc/suauth. There is a man page for that: man suauth. My file always looks like this (do not forget to make it accessible to root only by running chmod 600 /etc/suauth):
# sample /etc/suauth file
#
# A couple of privileged usernames may
# su to root with their own password.
#
root:alien:OWNPASS
#
# Anyone else may not su to root unless in
# group wheel. This is how BSD does things.
#
root:ALL EXCEPT GROUP wheel:DENY
You will notice that not being a member of 'wheel' means you will not be able to use su to get a root shell. The command sudo bash -l will of course get you that shell just as easily, but the use of sudo is logged (or should be logged if you're security minded). An interesting line is "root:alien:OWNPASS", which allows user 'alien' to become root using his own password. This is a nice way of not having to share the sensitive root password with others and still allowing those others to run a root shell without having their actions logged.
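To see exactly who the /etc/suauth file above lets su to root, it helps to evaluate the rules the way man suauth describes them: three colon-separated fields (to-id:from-id:ACTION), read top to bottom, first applicable rule wins, and a user whom no rule covers falls through to the normal su behaviour of being asked for the target account's password. The following Python script is an added auditing helper, not part of the original post or of the shadow suite; the suauth text is the file shown above, and the group membership table is constructed sample data standing in for /etc/group.

```python
"""Evaluate /etc/suauth rules (to-id:from-id:ACTION) as man suauth describes:
the file is examined sequentially and the first applicable rule is used.
Added auditing helper, not from the original post; GROUPS is constructed data."""

from dataclasses import dataclass

# The /etc/suauth file shown in the post, verbatim.
SUAUTH_TEXT = """\
# sample /etc/suauth file
#
# A couple of privileged usernames may
# su to root with their own password.
#
root:alien:OWNPASS
#
# Anyone else may not su to root unless in
# group wheel. This is how BSD does things.
#
root:ALL EXCEPT GROUP wheel:DENY
"""

# Constructed sample of /etc/group membership: user -> set of group names.
# (man suauth: the primary gid is not enough, the user must be listed in /etc/group.)
GROUPS = {
    "alien": {"users", "wheel"},
    "admin": {"users", "wheel"},
    "bob": {"users"},
}

ACTIONS = {"DENY", "NOPASS", "OWNPASS"}


@dataclass
class Rule:
    to_id: str
    from_id: str
    action: str


def parse_suauth(text):
    """Parse suauth text into rules, rejecting anything that is not
    exactly three colon-separated fields with a known action."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[2] not in ACTIONS:
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(*parts))
    return rules


def _id_matches(spec, user, groups, allow_group):
    """Does an id spec cover `user`?
    Grammar: ALL | name,name | ALL EXCEPT name,name; the from-id field may also
    use GROUP g,g and ALL EXCEPT GROUP g,g."""
    negate = False
    if spec == "ALL":
        return True
    if spec.startswith("ALL EXCEPT "):
        negate = True
        spec = spec[len("ALL EXCEPT "):]
    if spec.startswith("GROUP "):
        if not allow_group:
            raise ValueError("GROUP is only valid in the from-id field")
        names = set(spec[len("GROUP "):].split(","))
        hit = bool(names & groups.get(user, set()))
    else:
        hit = user in set(spec.split(","))
    return not hit if negate else hit


def su_decision(rules, from_user, to_user, groups=GROUPS):
    """Action of the first applicable rule, or None when no rule applies
    (su then falls back to asking for the target user's password)."""
    for r in rules:
        if _id_matches(r.to_id, to_user, groups, False) and \
           _id_matches(r.from_id, from_user, groups, True):
            return r.action
    return None


def audit_root_access(rules, groups=GROUPS):
    """For every known user, how (if at all) su to root is permitted."""
    return {u: su_decision(rules, u, "root", groups) for u in sorted(groups)}


if __name__ == "__main__":
    for user, action in audit_root_access(parse_suauth(SUAUTH_TEXT)).items():
        print(f"{user:8} -> {action or 'root password required'}")
```

Run against the sample table, 'alien' gets OWNPASS from the first line, 'bob' (not in wheel) is denied before a password is even asked for, and 'admin' (in wheel but not named in line one) matches no rule at all, so su behaves as it would without suauth and asks for the root password. That last case is the one worth checking on a real box: the file above does not give wheel members OWNPASS, it merely exempts them from the DENY.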