Sudo, configuring

From FreeBSDwiki

Revision as of 01:33, 14 September 2004

First, install sudo. su to root and go to /usr/ports and then find out where the port is:

[dave]@deus ~ % sudo
-bash: sudo: command not found
[dave]@deus ~ % su -
Password:
[root]@deus ~ # cd /usr/ports && make search name=sudo
Port:   sudo-1.6.7.5
Path:   /usr/ports/security/sudo
Info:   Allow others to run commands as root
Maint:  mharo@FreeBSD.org
B-deps:
R-deps:

[root]@deus /usr/ports # cd security/sudo
[root]@deus /usr/ports/security/sudo # make install clean

Once it's installed, you'll need to run visudo to edit /etc/sudoers. (You can open the file in another editor, but then you lose the locking and the syntax check that visudo performs before it saves, and a syntax error in /etc/sudoers stops sudo from working for everyone; visudo -c checks an existing file without editing it.)

Note that visudo doesn't necessarily call the vi editor: it runs your default editor, so vi comes up only if vi is what you have configured. Otherwise, your regular editor will come up.

/etc/sudoers has one entry in it:

root ALL=(ALL) ALL

which doesn't really explain what those ALLs mean in context, so a lot of folks will set the sudoers to give ALL=(ALL) ALL to every user they add. That's convenient, but you're giving all of root's power away. You might as well give users the root password and save them the hassle of using sudo at all.

The explanation:

sudo-user machine=(effective user rights) command

So, if I want to give Jimbo root access on my server, Pete root on my laptop and Light only to have access to shutdown on all my machines, my sudoers would look like:

root  ALL=(ALL) ALL
jimbo samizdata.mydomain.tld=(ALL) ALL
peet  deus=(ALL) ALL
light ALL=(ALL) /sbin/shutdown

Using Aliases to make life easier

You can make groups within the sudoers file so that you don't have to type more than you need to. Follow this format:

User_Alias allows you to define a group of users
Runas_Alias allows you to define the daemon or user the command can run as
Host_Alias allows you to define a group of hosts
Cmnd_Alias allows you to define which commands (full path must be given) are in a group

As an example, if my /etc/sudoers showed:

User_Alias ADMINS=jimbo
User_Alias DNSADMINS=peet
User_Alias DHCPADMINS=light

Runas_Alias DAEMONS=bind,dhcpd,sshd

Host_Alias NAMESERVERS=ns1.samizdata.mydomain.tld,ns2.samizdata.mydomain.tld
Host_Alias DHCPSERVERS=dhcp.mydomain.tld,dhcp2.mydomain.tld

Cmnd_Alias DNS=/usr/local/sbin/rndc,/usr/local/sbin/bind
Cmnd_Alias DHCP=/usr/local/sbin/dhcpd

at the top, then I could add these lines to the bottom:

ADMINS ALL=(ALL) DNS,DHCP
DNSADMINS NAMESERVERS=(DAEMONS) DNS
DHCPADMINS DHCPSERVERS=(DAEMONS) DHCP

and this would essentially give jimbo root-privilege rights on any server, as any user (not just the daemons), but only for the commands that DNS and DHCP specify; peet would only get root access on NAMESERVERS, could only run as one of the DAEMONS, and could only use the commands in DNS. Light would only get access on DHCPSERVERS, running as one of the DAEMONS, and would only be able to run /usr/local/sbin/dhcpd.

This is ideal if you have a) a lot of servers and/or b) a lot of admins with specific functions who don't need complete access to the machine, but do need some sort of administrative rights on it.
