pavement

Sudo

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
(Gotchas)
(Gotchas)
Line 14: Line 14:
 
1. You can use the -u flag to set a user to run as. (e.g.: '''su -u named /usr/local/sbin/rndc reload''')
 
1. You can use the -u flag to set a user to run as. (e.g.: '''su -u named /usr/local/sbin/rndc reload''')
  
2. [[sudo]] is a [[setuid]] binary. Be '''careful''' what you set as sudo-able; if you let sudo run interactive commands (e.g., shells, editors, compilers/interpreters) users will be able to exploit this to get arbitrary commands to run inconspicously.  Similarly, make very certain that users don't have write permissions on any file they are allowed to use [[sudo]] to run.  For more information on how to limit [[sudo]], see [[Configuring_sudo]].
+
2. [[sudo]] is a [[setuid]] binary. Be '''careful''' what you set as sudo-able; if you let sudo run interactive commands (e.g., shells, editors, compilers/interpreters), users will be able to exploit this to inconspiciously run arbitrary commands as root.  Similarly, make very certain that users don't have write permissions on any file they are allowed to use [[sudo]] to run.  For more information on how to limit [[sudo]], see [[Configuring_sudo]].
  
  
 
[[Category:System Commands]] [[Category:Ports and Packages]]
 
[[Category:System Commands]] [[Category:Ports and Packages]]

Revision as of 08:55, 14 September 2004

sudo allows a user to run a program or perform a task without having to login as root directly or even knowing the root password. sudo works by authenticating the user (with the user's password) against the /etc/sudoers file that gives specific rights to run sudo. Note that you have to use visudo to edit /etc/sudoers, and that you have to do it as root; you can't do it any other way.

Good side of sudo

It limits access to the root password, while still enabling administrative functions.

Very configurable, allows you to specify which groups or specific users have access to specific files or functions

Bad side of sudo

Difficult to configure correctly (or rather, really easy to misconfigure if you're not sure of what you're doing).


Gotchas

1. You can use the -u flag to set a user to run as. (e.g.: su -u named /usr/local/sbin/rndc reload)

2. sudo is a setuid binary. Be careful what you set as sudo-able; if you let sudo run interactive commands (e.g., shells, editors, compilers/interpreters), users will be able to exploit this to inconspiciously run arbitrary commands as root. Similarly, make very certain that users don't have write permissions on any file they are allowed to use sudo to run. For more information on how to limit sudo, see Configuring_sudo.

Personal tools