49.11. Providing Superpowers with sudo

You may not want to give people access to the root password just to give them access to specific superuser powers. In cases such as this, you should consider using sudo, an application that enables specified users to execute applications that normally require root privileges. The sudo application isn't installed by default on all systems, but it is available for most. You can find out whether it's installed on your system by typing sudo at the command line. If it isn't installed, check online for versions that run on your machine. The application's home is at http://www.courtesan.com/sudo/index.html.

The sudo configuration file is called sudoers and is installed in the /etc subdirectory. In Darwin, the default sudoers file has the following settings:

    root    ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL

In the file, root has open access to all applications. In addition, all members of the admin group (equivalent to wheel within Darwin) can also run all commands.

Without getting into too much detail (an online sudoers manual is at http://www.courtesan.com/sudo/man/sudoers.html), the sudoers file can consist of a set of aliases, used to define groups of people, commands, hosts, or run-as options. It then defines rules by which specific users or groups of users can run specific commands. There are four types of aliases: User_Alias (groups of people), Runas_Alias (run-as options), Host_Alias (hosts), and Cmnd_Alias (commands). Examples of aliases are:

    User_Alias  SYSADMINS = shelleyp, mike, tomd
    Runas_Alias OP = root
    Host_Alias  BB = burningbird
    Cmnd_Alias  SU = /usr/bin/su

Following the aliases are override rules in reference to system defaults. For instance, warnings and "lectures" can be attached to certain commands to ensure that people are aware of the repercussions of their actions. However, people who are sysadmins shouldn't be subjected to these rules; the lectures can be turned off for them:

    Defaults:SYSADMINS !lecture

Neither aliases nor default-overriding rules are required in the sudoers file. The only statements that are required are the command rules. In the Darwin file, the rules allowed root and admin access to all commands. Other rules that can be created are:

    # sysadmins can run all commands, without password
    SYSADMINS ALL = NOPASSWD: ALL

    # chris can run anything on the burningbird machine as OP (root)
    chris BB = (OP) ALL

    # joe can run SU on burningbird as root
    joe BB = (root) SU

To edit the sudoers file, you use a specialized editing tool, visudo (see manual at http://www.courtesan.com/sudo/man/visudo.html), while logged in as root. The editor prevents collisions between multiple authors and also verifies the correctness of the edits.

To work with sudo (manual at http://www.courtesan.com/sudo/man/sudo.html), type sudo and the command you want to execute:

    % sudo vi test

Depending on your setup, you'll get a warning or a password prompt, or the command will fail or execute. One interesting side effect of sudo is that if you allow root access to an application that has a shell escape, such as vi, you are indirectly giving that person access to a root shell. Use sudo with caution.

-- SP

Copyright © 2003 O'Reilly & Associates. All rights reserved.
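As an added example (not from the book or from the sudo project), a small Python checker that parses the aliases and rules shown above, in the sudoers subset this section covers, and reports whether a given user may run a command on a host as a run-as user and whether a password is asked. The group membership in GROUPS and the root default when a rule omits its (runas) part are assumptions.

```python
import re
# Constructed sudoers excerpt, assembled from the aliases and rules quoted above.
SUDOERS = """\
User_Alias SYSADMINS = shelleyp, mike, tomd
Runas_Alias OP = root
Host_Alias BB = burningbird
Cmnd_Alias SU = /usr/bin/su
Defaults:SYSADMINS !lecture
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
SYSADMINS ALL = NOPASSWD: ALL
chris BB = (OP) ALL
joe BB = (root) SU
"""
GROUPS = {"admin": {"alice"}}  # constructed group membership (assumption)
# who host = (runas) [NOPASSWD:|PASSWD:] command  (a subset of the sudoers grammar)
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(?:(NOPASSWD|PASSWD):\s*)?(.+)$")
def parse_sudoers(text):
    """Return (aliases, rules); comments and Defaults lines are skipped."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        kind = line.split()[0]
        if kind.endswith("_Alias"):  # the four alias kinds share one table here
            name, _, members = line[len(kind):].partition("=")
            aliases[name.strip()] = {m.strip() for m in members.split(",")}
        else:
            who, host, runas, tag, cmd = RULE.match(line).groups()
            rules.append((who, host, runas or "root", tag, cmd.strip()))  # no (runas): assume root
    return aliases, rules

def expand(token, aliases):
    """Resolve an alias recursively; a plain name or ALL maps to itself."""
    return set().union(*(expand(m, aliases) for m in aliases[token])) if token in aliases else {token}

def matches(token, value, aliases, groups=GROUPS):
    names = expand(token, aliases)  # value is a user, host, run-as user or command
    return ("ALL" in names or value in names
            or any(n[0] == "%" and value in groups.get(n[1:], ()) for n in names))

def may_run(user, host, runas, cmd, text=SUDOERS):
    """'NOPASSWD', 'PASSWD' (password asked) or None; the last matching rule wins, as in sudo."""
    aliases, rules = parse_sudoers(text)
    verdict = None
    for who, h, r, tag, c in rules:
        if all(matches(t, v, aliases) for t, v in ((who, user), (h, host), (r, runas), (c, cmd))):
            verdict = tag or "PASSWD"
    return verdict
```

Running may_run("joe", "burningbird", "root", "/bin/ls") returns None, which shows why a Cmnd_Alias limited to /usr/bin/su is no real limit at all: the one command joe may run hands him a root shell, the caveat the section closes on.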