For admins, it would be a relief if regular users were able to handle minor management tasks, such as updating software, themselves. This requires administrative privileges, and you would not typically want to grant those to a regular user. You can use sudo or the PolicyKit authorization service to allow specific actions in a targeted way. The sudo tool runs commands with a different user's account.

Which users are allowed to use sudo with what programs is defined in the /etc/sudoers configuration file. To let klaus run apt-get upgrade, you would add the following line to the /etc/sudoers file:

```
klaus marvin=(ALL) NOPASSWD:/usr/bin/apt-get upgrade
```

The line starts with the username and is followed by the host on which klaus may run the command. In this case, he must be working on his own computer, marvin. If Klaus sees an error message to the effect that klaus is not allowed to run sudo on …, this likely has something to do with name resolution. The administrator should check that the specified hostname matches the output from the hostname command and cross-check against the content of the /etc/hosts file.

As an alternative to the hostname, you can also specify the IP address. For an address range, just specify the subnet:

```
klaus 192.168.2.0/255.255.255.0=(ALL)NOPASSWD:/usr/bin/apt-get upgrade
```

klaus can only run the command if he is working on a machine with an IP address in the range 192.168.2.1 through 192.168.2.254.

Sudo executes a command under a different user account. The details in the parentheses specify from which accounts klaus can choose. With tim in the parentheses, klaus could only launch the program as user tim; ALL allows him to choose any user account, including the root account. The -u option for the desired user is optional in the case of root.

Typing a password is not required if you put NOPASSWD: in front of the program name in the configuration file. The command to be executed comes at the end of the line. To run multiple programs or commands, just add a comma-separated list:

```
klaus marvin=(ALL) NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
```

klaus can update the package database and install updates but cannot install any new programs.

The universal ALL can also be used for other parameters. The following line equates klaus

In the parentheses indicates the allowed group name; thus, klaus can run the command as any user from any group.

As an alternative to individual users, the sudoers file can also grant access to all the members of a group, such as admin. The leading percent sign tells sudo that this is a group and not an individual user, which is how Ubuntu grants all administrators access to system functions.

Listing 1 shows the configuration file for Ubuntu; I've left out the comments for easier reading. Root and the users from the admin group can do everything, and the remaining users can do nothing.

Listing 1: Ubuntu 12.04 /etc/sudoers file

```
# Redefine environmental variables:
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
```

Defaults changes a default setting in sudo. env_reset resets the environmental variables, and secure_path sets the PATH variable (i.e., the directories in which Linux can find the programs to be executed). Both of these measures are designed to make attacks more difficult.

Sudo retains the password, once it has been entered. Also useful is the following line:

```
Defaults timestamp_timeout=15
```

It tells sudo to forget the password for all users after 15 seconds. With a value of 0, users have to type their passwords every time they run sudo. For the other defaults, check out the man page (man 5 sudoers).

The admin can also prevent klaus from running a specific program. To do this, just add a leading exclamation mark to the program name. Here, klaus is not allowed to reboot the computer:

```
klaus marvin=(ALL) !/sbin/reboot
```

Sudo calls usually end up in the syslog, whereas Ubuntu uses the /var/log/auth.log file. In this way, you can find out which user has been meddling.

Sudo is a dangerous beast in several respects.
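The host, subnet, command-list, NOPASSWD and exclamation-mark rules described on this page can be checked mechanically before an entry goes live. The following Python code is an added example, not code from the original article or from the sudo project; the function names are hypothetical, it assumes only the single-line entry forms quoted on this page, and it ignores the run-as field in the parentheses.

```python
import ipaddress
import re

# Constructed sample: the sudoers lines quoted in the article, in one file.
SUDOERS = """\
klaus marvin=(ALL) NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
klaus 192.168.2.0/255.255.255.0=(ALL)NOPASSWD:/usr/bin/apt-get upgrade
klaus marvin=(ALL) !/sbin/reboot
"""

# user host=(runas) [NOPASSWD:]command[,command...]  (simplified grammar)
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$")

def parse(text):
    """Return one dict per user specification; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SPEC.match(line.strip())
        if m:
            who, host, runas, nopasswd, cmds = m.groups()
            entries.append({"who": who, "host": host, "runas": runas,
                            "nopasswd": bool(nopasswd),
                            "cmds": [c.strip() for c in cmds.split(",")]})
    return entries

def host_matches(spec, name, ip):
    if spec in ("ALL", name, ip):
        return True
    if "/" in spec:  # subnet written as address/netmask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return False

def cmd_matches(spec, command):
    # No arguments in the rule: any arguments allowed. Otherwise exact match.
    return spec in ("ALL", command, command.split()[0])

def decide(entries, user, name, ip, command, groups=()):
    """Return (allowed, needs_password); the last matching rule wins."""
    verdict = (False, True)
    for e in entries:
        who = e["who"]
        is_user = who in ("ALL", user) or (who[0] == "%" and who[1:] in groups)
        if not (is_user and host_matches(e["host"], name, ip)):
            continue
        for c in e["cmds"]:
            if cmd_matches(c.lstrip("! "), command):
                verdict = (not c.startswith("!"), not e["nopasswd"])
    return verdict
```

Calling `decide(parse(SUDOERS), "klaus", "marvin", "10.0.0.5", "/usr/bin/apt-get install vim")` returns `(False, True)`, which makes the "cannot install any new programs" statement testable against the actual entry.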