Sudo Settings2015/11/25 |
Configure Sudo to separate users' duty if some people share privileges.
It's unnecessarry to install sudo manually because it is installed by default even if "Minimal Install".
|
|
[1] | For SUSE Linux, root password is required when using sudo by default settings, so, change it that users can authenticate with their own password when using sudo. |
dlp:~ #
# line 35,36: comment out # Defaults targetpw# ALL ALL=(ALL) ALL
|
[2] | Transfer root privilege to a user all. |
dlp:~ #
# add to the end: user 'suse' can use all root privilege suse ALL=(ALL) ALL # how to write ⇒ destination host=(owner) command # verify with user "suse" suse@dlp:~> /bin/cat /etc/shadow /bin/cat: /etc/shadow: Permission denied # denied normally
suse's password:
...# own password
... uucp:*:16357:::::: wwwrun:*:16357:::::: # just executed
|
[3] | In addition to the setting [1], set that some commands are not allowed. |
dlp:~ #
# near line 30: add aliase for the kind of shutdown commands Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \ /sbin/poweroff, /sbin/reboot, /sbin/init # add ( commands in aliase 'SHUTDOWN' are not allowed ) suse ALL=(ALL) ALL, !SHUTDOWN
# verify with user "suse" suse@dlp:~> Password: Sorry, user suse is not allowed to execute '/sbin/shutdown -r now' as root on dlp. # 拒否された
|
[4] | Transfer some commands with root privilege to users in a group. |
dlp:~ #
# near line 30: add aliase for the kind of user management comamnds Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \ /usr/bin/passwd # add to the end %usermgr ALL=(ALL) USERMGR # verify with user "suse" suse@dlp:~> sudo /usr/sbin/useradd testuser suse@dlp:~> # done normally suse@dlp:~> sudo /usr/bin/passwd testuser Changing password for user testuser. New UNIX password: # set testuser's password Retype new UNIX password: passwd: all authentication tokens updated successfully. |
[5] | Transfer a command with root privilege to a user. |
dlp:~ #
# add at the end suse ALL=(ALL) /usr/sbin/visudo cent ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/passwd ubuntu ALL=(ALL) /usr/bin/vi # verify with user "suse" # possible to open and edit ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## # verify with user "cent" cent@dlp:~>
cent@dlp:~>
# done normally # verify with user "ubuntu" # possible to open and edit # grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that |
[6] | The logs for sudo are kept in '/var/log/messages', but there are many kind of logs in it. If you'd like to keep only sudo's log in another file, Configure like follows. |
dlp:~ #
# add to the end
Defaults syslog=local7
dlp:~ #
vi /etc/syslog-ng/syslog-ng.conf # line 84: remove "local7" filter f_local { facility(local0, local1, local2, local3, local4, local5, local6); }; # line 87: add
filter f_sudo { facility(local7); };
# line 99: add filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_sudo) ; };
# line 219: add
destination sudolog { file("/var/log/sudo.log"); };
log { source(src); filter(f_sudo); destination(sudolog); }; /etc/init.d/syslog restart Shutting down syslog services Starting syslog services |
Sponsored Link |
|