Sudo, configuring
Latest revision as of 23:56, 13 December 2005
First, install sudo. su to root and go to /usr/ports and then find out where the port is:
[dave]@deus ~ % sudo
-bash: sudo: command not found
[dave]@deus ~ % su -
Password:
[root]@deus ~ # cd /usr/ports && make search name=sudo
Port:   sudo-1.6.7.5
Path:   /usr/ports/security/sudo
Info:   Allow others to run commands as root
Maint:  mharo@FreeBSD.org
B-deps:
R-deps:
[root]@deus /usr/ports # cd security/sudo
[root]@deus /usr/ports/security/sudo # make install clean
Once it's installed, you'll need to run visudo since there's no other way to edit /etc/sudoers (well, you can use another editor, but it just won't work).
Note that visudo doesn't actually call the vi editor, just your default editor; if that happens to be vi then it will come up. Otherwise, your regular editor will come up.
/etc/sudoers has one entry in it:
root ALL=(ALL) ALL
which doesn't really explain what those ALLs mean in context; so often a lot of folks will set the sudoers to give ALL=(ALL) ALL to every user they add. That's nice, but you're giving all of root's power away. You might as well give users the root password and save them the hassle of using sudo at all.
The explanation:
sudo-user machine=(user the command may run as) command
So, if I want to give Jimbo root access on my server, Pete root on my laptop and Light only to have access to shutdown on all my machines, my sudoers would look like:
root ALL=(ALL) ALL
jimbo ALL=samizdata.mydomain.tld(ALL) ALL
peet ALL=deus(ALL) ALL
light ALL=(ALL) /sbin/shutdown
Finally, if you just want to give yourself root access on your server via sudo with no password, your sudoers might look like:
root ALL=(ALL) ALL
yourself ALL=(ALL) NOPASSWD: ALL
NOTE: remember that setting sudo rights for multiple machines in a single sudoers file is only meaningful if that file is actually shared or distributed across those multiple machines. Simply writing permissions for the machine samizdata on the machine deus isn't going to do anything useful by itself. You would need to copy the file contents over to all the machines that are listed (and then kill -HUP the sudo process, if it's running) in order to make the changes meaningful.
Using Aliases to make life easier
You can make groups within the sudoers file so that you don't have to type more than you need to. Follow this format:
User_Alias allows you to define a group of users
Runas_Alias allows you to define the daemon or user the command can run as
Host_Alias allows you to define a group of hosts
Cmnd_Alias allows you to define which commands (full path must be given) are in a group
You can use already existing system groups, but you have to add the prefix % (e.g., %wheel)
As an example, if my /etc/sudoers showed:
User_Alias ADMINS=jimbo
User_Alias DNSADMINS=peet
User_Alias DHCPADMINS=light
Runas_Alias DAEMONS=bind,dhcpd,sshd
Host_Alias NAMESERVERS=ns1.samizdata.mydomain.tld,ns2.samizdata.mydomain.tld
Host_Alias DHCPSERVERS=dhcp.mydomain.tld,dhcp2.mydomain.tld
Cmnd_Alias DNS=/usr/local/sbin/rndc,/usr/local/sbin/bind
Cmnd_Alias DHCP=/usr/local/sbin/dhcpd
at the top, then I could add these lines to the bottom:
ADMINS ALL=(ALL) DNS,DHCP
DNSADMINS NAMESERVERS=(DAEMONS) DNS
DHCPADMINS DHCPSERVERS=(DAEMONS) DHCP
Note that there are no spaces between the users and commas; likewise, servers and commands only have a comma separating them -- no spaces. This would essentially give jimbo rights to do root-privilege stuff on any server, as any daemon, but only using the commands that DNS and DHCP specify; peet would only get root access to NAMESERVERS, only run as the DAEMONS, and only use the commands in DNS. Light would only get root access to DHCPSERVERS, run as DAEMONS and only be able to run /usr/local/sbin/dhcpd.
This is ideal if you have a) a lot of servers and/or b) a lot of admins with specific functions, that don't need complete access to the machine, but do need some sort of administrative rights on it.
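To see what the user/host/runas/command fields and the four alias kinds actually grant before you commit a sudoers file, the following added example (not sudo's own code, and not a substitute for visudo's syntax check) models the subset of sudoers grammar used on this page: User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias, %group users, the ALL keyword and the NOPASSWD: tag. The sudoers text inside it is constructed from the entries above (with one extra %wheel line made up for illustration), and the function names may_run, parse_sudoers and unrestricted_users are this example's own. It answers "may user U run command C as user R on host H?" and lists which users hold the same unrestricted ALL=(ALL) ALL rights as root, which is the over-grant the text warns about.

```python
import re
from dataclasses import dataclass, field

# Constructed sudoers text: the page's alias example plus its basic entries.
# The %wheel line is invented here to show system-group matching.
SUDOERS = """
User_Alias ADMINS=jimbo
User_Alias DNSADMINS=peet
User_Alias DHCPADMINS=light
Runas_Alias DAEMONS=bind,dhcpd,sshd
Host_Alias NAMESERVERS=ns1.samizdata.mydomain.tld,ns2.samizdata.mydomain.tld
Host_Alias DHCPSERVERS=dhcp.mydomain.tld,dhcp2.mydomain.tld
Cmnd_Alias DNS=/usr/local/sbin/rndc,/usr/local/sbin/bind
Cmnd_Alias DHCP=/usr/local/sbin/dhcpd

root ALL=(ALL) ALL
yourself ALL=(ALL) NOPASSWD: ALL
%wheel deus=(ALL) /sbin/shutdown
ADMINS ALL=(ALL) DNS,DHCP
DNSADMINS NAMESERVERS=(DAEMONS) DNS
DHCPADMINS DHCPSERVERS=(DAEMONS) DHCP
"""

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# One User_Spec line: User_List Host_List = (Runas_List) [NOPASSWD:] Cmnd_List
USER_SPEC = re.compile(
    r"^([^\s=]+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(\S.*)$")


@dataclass
class Rule:
    users: list
    hosts: list
    runas: list
    nopasswd: bool
    cmnds: list


@dataclass
class Policy:
    aliases: dict = field(default_factory=lambda: {k: {} for k in ALIAS_KINDS})
    rules: list = field(default_factory=list)


def parse_sudoers(text):
    """Parse alias definitions and user specs from the page's sudoers subset."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        kind = line.split()[0]
        if kind in ALIAS_KINDS:
            name, members = line[len(kind):].strip().split("=", 1)
            policy.aliases[kind][name.strip()] = members.strip().split(",")
            continue
        m = USER_SPEC.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        users, hosts, runas, tag, cmnds = m.groups()
        policy.rules.append(Rule(users.split(","), hosts.split(","),
                                 (runas or "root").split(","),  # no (...) means run as root
                                 tag is not None, cmnds.split(",")))
    return policy


def expand(policy, kind, names):
    """Replace alias names of one kind with their members, recursively."""
    out = []
    for n in names:
        if n in policy.aliases[kind]:
            out.extend(expand(policy, kind, policy.aliases[kind][n]))
        else:
            out.append(n)
    return out


def _match(entries, value, groups=()):
    for e in entries:
        if e == "ALL" or e == value:
            return True
        if e.startswith("%") and e[1:] in groups:  # %wheel style system group
            return True
    return False


def may_run(policy, user, host, cmnd, runas="root", groups=()):
    """Return (allowed, password_required); the last matching entry wins, as in sudo."""
    verdict = (False, True)
    for r in policy.rules:
        if (_match(expand(policy, "User_Alias", r.users), user, groups)
                and _match(expand(policy, "Host_Alias", r.hosts), host)
                and _match(expand(policy, "Runas_Alias", r.runas), runas)
                and _match(expand(policy, "Cmnd_Alias", r.cmnds), cmnd)):
            verdict = (True, not r.nopasswd)
    return verdict


def unrestricted_users(policy):
    """Users granted root's own rights: any host, any runas user, any command."""
    found = set()
    for r in policy.rules:
        if ("ALL" in expand(policy, "Host_Alias", r.hosts)
                and "ALL" in expand(policy, "Runas_Alias", r.runas)
                and "ALL" in expand(policy, "Cmnd_Alias", r.cmnds)):
            found.update(expand(policy, "User_Alias", r.users))
    return sorted(found)


POLICY = parse_sudoers(SUDOERS)

if __name__ == "__main__":
    print("peet rndc as bind on ns1:", may_run(POLICY, "peet", "ns1.samizdata.mydomain.tld",
                                              "/usr/local/sbin/rndc", runas="bind"))
    print("peet rndc as root on ns1:", may_run(POLICY, "peet", "ns1.samizdata.mydomain.tld",
                                              "/usr/local/sbin/rndc"))
    print("users with unrestricted root rights:", unrestricted_users(POLICY))
```

Running it shows the point of the alias scheme: peet can run rndc on a name server only as one of the DAEMONS, not as root, and the only entries equivalent to handing out the root password are root's own and the NOPASSWD: line for "yourself". Keep visudo as the authority on syntax; this model only reasons about who is granted what.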