Using sudoers to enhance user rights and security
Sometimes users need to be granted a special privilege (such as root) to perform certain tasks, but as the System Administrator you may want to give each of them only as much privilege as is adequate for the task. By using sudoers you can delegate administrative tasks to a user as if he/she had the same rights as root (or as any other user) without giving out your root password.
The sudoers configuration file is stored at /etc/sudoers on CentOS Linux. Please note that any change to /etc/sudoers has a great impact on the security of the Linux system. You are advised to always use the "visudo" command to edit /etc/sudoers, because "visudo" locks the file against multiple simultaneous edits and performs integrity and syntax checking on the file you edit.
The following example shows that james is not in the sudoers file (the password keyed in is james' password):
[james@srv2 ~]$ tail -n 3 /etc/shadow
tail: cannot open `/etc/shadow' for reading: Permission denied
[james@srv2 ~]$ sudo tail -n 3 /etc/shadow
Password:
james is not in the sudoers file. This incident will be reported.
NAME
visudo - edit the sudoers file
SYNOPSIS
visudo [-c] [-q] [-s] [-V] [-f sudoers]
DESCRIPTION
visudo edits the sudoers file in a safe fashion, analogous to vipw(8).
visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers
file is currently being edited you will receive a message to try again
later.
How to add user(s) and group(s) to sudoers
Step 1: run the "visudo" command.
Note: Beware of the difference between "visudo" and "vi sudo". "vi sudo" merely edits a file named sudo in the current directory, while "visudo" edits the file at /etc/sudoers.
Step 2: to make the vi session easier, use ":set nu" to number the lines (the numbers are only shown on screen; they are not saved).
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
:set nu
Step 3: go to the lines below line 76 and add the user account that is to be granted root privilege:
73 ## The COMMANDS section may have other options added to it.
74 ##
75 ## Allow root to run any commands anywhere
76 root ALL=(ALL) ALL
77 james ALL=(ALL) ALL
From the example above, let's discuss the configuration format using the guideline below:
useraccount   login location=(rights granted as to other useraccount)   commands granted
james         ALL=(ALL)                                                 ALL
There are some general guidelines when editing this file:
- Groups are the same as user groups and are differentiated from regular users by a % at the beginning.
- You can have multiple usernames per line, separated by commas.
- Multiple commands can also be separated by commas. Spaces are considered part of the command.
- The keyword ALL can mean all usernames, groups, commands and servers.
- If you run out of space on a line, you can end it with a backslash
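The guidelines above describe the grammar of a user specification line. As an added example (not from this page or from the sudo project; the sudoers fragment it parses is constructed here), this Python parser applies those rules and flags entries that, like the james line above, grant ALL commands as ALL users on ALL hosts, which is what a reviewer auditing /etc/sudoers for least privilege wants to see first.

```python
import re

# Constructed sample sudoers fragment (not the page's file). It exercises the
# rules above: comments, %group, comma-separated users and commands, the ALL
# keyword, spaces inside commands, and backslash line continuation.
SAMPLE = r"""
## Allow root to run any commands anywhere
root    ALL=(ALL) ALL
james   ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
alice, bob  srv2=(root) /usr/bin/tail -n 3 /etc/shadow, \
    /usr/sbin/service httpd restart
"""
# user_list  host_list=(runas_list)  command_list; Defaults/*_Alias lines not handled
SPEC = re.compile(r"^(?P<users>.+?)\s+(?P<hosts>\S+?)=\((?P<runas>[^)]*)\)\s+(?P<cmds>.+)$")

def logical_lines(text):
    """Yield non-comment lines, joining any line that ends in a backslash."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # continuation: keep collecting
            buf.append(line[:-1].strip())
            continue
        joined = " ".join(buf + [line]).strip()
        buf = []
        if joined and not joined.startswith("#"):
            yield joined

def parse_spec(line):
    m = SPEC.match(line)
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    principals = [p.strip() for p in m["users"].split(",")]
    return {
        "users": [p for p in principals if not p.startswith("%")],
        "groups": [p[1:] for p in principals if p.startswith("%")],  # %name = group
        "hosts": [h.strip() for h in m["hosts"].split(",")],
        "runas": [r.strip() for r in m["runas"].split(",")],
        "commands": [c.strip() for c in m["cmds"].split(",")],  # spaces stay in a command
    }

def parse_sudoers(text):
    return [parse_spec(line) for line in logical_lines(text)]

def full_root_grants(text):
    """Principals allowed to run ALL commands as ALL users on ALL hosts."""
    flagged = []
    for e in parse_sudoers(text):
        if e["hosts"] == ["ALL"] and e["runas"] == ["ALL"] and e["commands"] == ["ALL"]:
            flagged += e["users"] + ["%" + g for g in e["groups"]]
    return flagged
```

Running full_root_grants(SAMPLE) returns ['root', 'james', '%wheel']; the alice/bob entry is not flagged because it is limited to one host and two commands.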