
Sudo, configuring

From FreeBSDwiki

Revision as of 03:13, 14 September 2004

First, install sudo. su to root, go to /usr/ports and find out where the port lives:

[dave]@deus ~ % sudo
-bash: sudo: command not found
[dave]@deus ~ % su -
Password:
[root]@deus ~ # cd /usr/ports && make search name=sudo
Port:   sudo-1.6.7.5
Path:   /usr/ports/security/sudo
Info:   Allow others to run commands as root
Maint:  mharo@FreeBSD.org
B-deps:
R-deps:

[root]@deus /usr/ports # cd security/sudo
[root]@deus /usr/ports/security/sudo # make install clean

Once it's installed, you'll need to run visudo to edit /etc/sudoers (you can open the file in another editor, but visudo locks it against concurrent edits and checks the syntax before saving; a plain editor does neither, and a typo can leave sudo unusable).

Note that visudo doesn't necessarily call the vi editor; it opens whatever your default editor is, which will be vi only if that is what you have configured.

/etc/sudoers has one entry in it:

root ALL=(ALL) ALL

which doesn't explain what those ALLs mean, so a lot of folks just give ALL=(ALL) ALL to every user they add. That works, but you're giving away all of root's power; you might as well hand out the root password and save them the hassle of using sudo at all.

The explanation of each field:

user host=(user the command may run as) command

So, if I want to give jimbo root access on my server, peet root on my laptop, and light access only to shutdown on all my machines, my sudoers would look like:

root  ALL=(ALL) ALL
jimbo samizdata.mydomain.tld=(ALL) ALL
peet  deus=(ALL) ALL
light ALL=(ALL) /sbin/shutdown

Using Aliases to make life easier

You can make groups within the sudoers file so that you don't have to type more than you need to. Follow this format:

User_Alias allows you to define a group of users
Runas_Alias allows you to define the daemon or user the command can run as
Host_Alias allows you to define a group of hosts
Cmnd_Alias allows you to define which commands (full path must be given) are in a group

You can also use existing system groups instead of a User_Alias, but you have to add the prefix % (e.g., %wheel).

As an example, if my /etc/sudoers showed:

User_Alias ADMINS=jimbo
User_Alias DNSADMINS=peet
User_Alias DHCPADMINS=light

Runas_Alias DAEMONS=bind,dhcpd,sshd

Host_Alias NAMESERVERS=ns1.samizdata.mydomain.tld,ns2.samizdata.mydomain.tld
Host_Alias DHCPSERVERS=dhcp.mydomain.tld,dhcp2.mydomain.tld

Cmnd_Alias DNS=/usr/local/sbin/rndc,/usr/local/sbin/bind
Cmnd_Alias DHCP=/usr/local/sbin/dhcpd

at the top, then I could add these lines to the bottom:

ADMINS ALL=(ALL) DNS,DHCP
DNSADMINS NAMESERVERS=(DAEMONS) DNS
DHCPADMINS DHCPSERVERS=(DAEMONS) DHCP

Note that there are no spaces between the users and commas; likewise, servers and commands only have a comma separating them, with no spaces. This would essentially give jimbo rights to do root-privilege stuff on any server, as any daemon, but only using the commands that DNS and DHCP specify; peet would only get root access to NAMESERVERS, only run as the DAEMONS, and only use the commands in DNS. light would only get root access to DHCPSERVERS, run as DAEMONS and only be able to run /usr/local/sbin/dhcpd.

This is ideal if you have a) a lot of servers and/or b) a lot of admins with specific functions, that don't need complete access to the machine, but do need some sort of administrative rights on it.
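As an added example (not from the wiki page), the following Python script parses the alias-based sudoers fragment above and answers, for a given user, host, run-as user and command, whether any line grants it, which is a handy way to review a policy before handing it out. It covers only the subset shown on this page (aliases, ALL, run-as lists); %group entries, negation and wildcards are not handled.

```python
# Added example (not from the wiki page): evaluate the sudoers subset used above.
import re
ALIAS_KINDS = {"User_Alias": "users", "Runas_Alias": "runas",
               "Host_Alias": "hosts", "Cmnd_Alias": "cmnds"}
# Matches both "Kind NAME=members" and "user host=(runas) cmnds" lines.
SPEC = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)")
# The alias-based policy from the page, embedded here as sample input.
SUDOERS = """User_Alias ADMINS=jimbo
User_Alias DNSADMINS=peet
User_Alias DHCPADMINS=light
Runas_Alias DAEMONS=bind,dhcpd,sshd
Host_Alias NAMESERVERS=ns1.samizdata.mydomain.tld,ns2.samizdata.mydomain.tld
Host_Alias DHCPSERVERS=dhcp.mydomain.tld,dhcp2.mydomain.tld
Cmnd_Alias DNS=/usr/local/sbin/rndc,/usr/local/sbin/bind
Cmnd_Alias DHCP=/usr/local/sbin/dhcpd
root ALL=(ALL) ALL
ADMINS ALL=(ALL) DNS,DHCP
DNSADMINS NAMESERVERS=(DAEMONS) DNS
DHCPADMINS DHCPSERVERS=(DAEMONS) DHCP
"""

def parse_sudoers(text):
    """Return ({kind: {NAME: [members]}}, [(user, host, runas, cmnds)])."""
    aliases, specs = {k: {} for k in ALIAS_KINDS.values()}, []
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    for line in filter(None, lines):                 # skip comments and blanks
        kind, name, runas, items = SPEC.match(line).groups()
        if kind in ALIAS_KINDS:                      # e.g. Cmnd_Alias DNS=a,b
            aliases[ALIAS_KINDS[kind]][name] = items.split(",")
        else:                                        # user host=(runas) cmnds
            runas = (runas or "root").split(",")     # no (...) means run as root
            specs.append((kind, name, runas, items.split(",")))
    return aliases, specs

def expand(item, table):
    """Resolve an alias name (recursively) to the literals it stands for."""
    if item not in table:
        return {item}
    return set().union(*(expand(m, table) for m in table[item]))

def may_run(sudoers, user, host, runas, cmnd):
    """True if some user spec lets user on host run cmnd as runas."""
    aliases, specs = parse_sudoers(sudoers)
    def ok(item, wanted, kind):                      # ALL matches anything
        members = expand(item, aliases[kind])
        return "ALL" in members or wanted in members
    return any(ok(u, user, "users") and ok(h, host, "hosts")
               and any(ok(r, runas, "runas") for r in rl)
               and any(ok(c, cmnd, "cmnds") for c in cl)
               for u, h, rl, cl in specs)
```

Calling may_run with peet on a DHCP server, or with jimbo and /bin/sh, returns False, which is exactly the narrowing the aliases were meant to achieve.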
