Akemi Yagi a écrit :
Excellent! Guess Alan can polish it up if needed :-D
Akemi
Your help is also welcome ;)
Here is what I wrote. I wrote it without wiki syntax so someone will
surely polish it up.
Regards,
Nils
You don't need to be root everytime you want to run some specific
administrative tasks.
Thanks to sudo, you can run some or every command as root.
Once sudo is installed (package name : sudo), you can configure it by running
visudo as root. Basically, it runs vi on /etc/sudoers, but it is not
recommended to do it manually.
If you are on a desktop computer, you will want to be able to do almost
everything. So, the quick and dirty way to use sudo would be to add at the end
of the sudoers file :
bob ALL=(ALL) ALL
where bob is the name of the user. Save (press escape, then type ZZ), and you
are ready to go. Log in as bob, and run for example :
$sudo yum update
sudo will ask for a password. This password is bob's password, and not root's
password, so be careful when you give rights to a user with sudo.
But sudo can do more. We can allow an user or a group of users to run only one
command, or a group of commands. Let's go back to our sudoers file (which is,
by the way, well commented on CentOS 5).
Let's start with bob and alice, members of a group named admin. If we want
every users of "admin" to be able to run every command as root, we can modify
our example :
%admin ALL=(ALL) ALL
bob can still do his stuff, and alice is now allowed to run sudo, with the same
rights, with her password.
If bob and alice are not in the same group, we can define a user alias in the
sudoers file :
User_Alias ADMINS = alice, bob
here we define an alias named ADMINS, with alice and bob as members.
However, we don't want alice and bob to run every command as root, we want them
to run only updatedb. Let's define a command alias :
Cmnd_Alias LOCATE = /usr/sbin/updatedb
But it's not enough ! We need to tell sudo the users defined in ADMINS can run
the commands defined in LOCATE. To do this, we replace the line with "%admin"
with this line :
ADMINS ALL = LOCATE
it means that users of alias ADMINS can run ALL the commands in the LOCATE
alias.
At this time, /etc/sudoers looks like this :
User_Alias ADMINS = alice, bob
Cmnd_Alias LOCATE = /usr/bin/updatedb
ADMINS ALL = LOCATE
alice and bob should be able to run updatedb as root, by giving their password.
If we replace the last line of the file with :
ADMINS ALL = NOPASSWD: LOCATE
alice and bob can run "sudo updatedb" without entering a password. It is
possible to add more commands in a command alias and more aliases in the rule.
For example, we can create an alias named NETWORKING containing some networking
commands like ifconfig, route or iwconfig :
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient,
/usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig,
/sbin/mii-tool
Let's add this to our /etc/sudoers file (with visudo !), and give it access to
our ADMINS group of users, the /etc/sudoers now looks like this :
User_Alias ADMINS = alice, bob
Cmnd_Alias LOCATE = /usr/bin/updatedb
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient,
/usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig,
/sbin/mii-tool
ADMINS ALL = LOCATE, NETWORKING
A little try : log in as alice (or bob), and type :
$ping -c 10 -i 0 localhost
the answer should come quickly :
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms
Now, let's sudo it :
$sudo ping -c 10 -i 0 localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.021 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.030 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=5 ttl=64 time=0.017 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=6 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=7 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=8 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=9 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=10 ttl=64 time=0.016
ms
--- localhost.localdomain ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 0.016/0.023/0.049/0.010 ms, ipg/ewma 0.187/0.028 ms
That's it. Now never forget, when using sudo : "with great power comes great
responsibility".
_______________________________________________
CentOS-docs mailing list
[email protected]
http://lists.centos.org/mailman/listinfo/centos-docs
