|
Sudo Settings
2015/11/21 |
|
Configure Sudo to separate users' duty if some people share privileges.
It's unnecessarry to install sudo manually because it is installed by default even if Minimal Install.
|
|
| [1] | For SUSE Linux, root password is required when using sudo by default settings, so, change it that users can authenticate with their own password when using sudo. |
|
dlp:~ #
# line 63,64: comment out # Defaults targetpw# ALL ALL=(ALL) ALL
|
| [2] | Transfer root privilege to a user all. |
|
dlp:~ #
# add to the end: user 'suse' can use all root privilege suse ALL=(ALL) ALL # how to write ⇒ destination host=(owner) command # verify with user "suse" suse@dlp:~> /bin/cat /etc/shadow /bin/cat: /etc/shadow: Permission denied # denied normally
suse's password:
...# own password
... uucp:*:16357:::::: wwwrun:*:16357:::::: # just executed
|
| [3] | In addition to the setting [1], set that some commands are not allowed. |
|
dlp:~ #
# near line 30: add aliase for the kind of shutdown commands Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \ /sbin/poweroff, /sbin/reboot, /sbin/init # add ( commands in aliase 'SHUTDOWN' are not allowed ) suse ALL=(ALL) ALL, !SHUTDOWN
# verify with user "suse" suse@dlp:~> Password: Sorry, user suse is not allowed to execute '/sbin/shutdown -r now' as root on dlp. # æ‹’å¦ã•ã‚ŒãŸ
|
| [4] | Transfer some commands with root privilege to users in a group. |
|
dlp:~ #
# near line 30: add aliase for the kind of user management comamnds Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \ /usr/bin/passwd # add to the end %usermgr ALL=(ALL) USERMGR # verify with user "suse" suse@dlp:~> sudo /usr/sbin/useradd testuser suse@dlp:~> # done normally suse@dlp:~> sudo /usr/bin/passwd testuser Changing password for user testuser. New UNIX password: # set testuser's password Retype new UNIX password: passwd: all authentication tokens updated successfully. |
| [5] | Transfer a command with root privilege to a user. |
|
dlp:~ #
# add at the end suse ALL=(ALL) /usr/sbin/visudo cent ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/passwd ubuntu ALL=(ALL) /usr/bin/vi # verify with user "suse" # possible to open and edit ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## # verify with user "cent" cent@dlp:~>
cent@dlp:~>
# done normally # verify with user "ubuntu" # possible to open and edit # grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that |
| [6] | The logs for sudo are kept in '/var/log/secure', but there are many kind of logs in it. If you'd like to keep only sudo's log in another file, Configure like follows. |
|
dlp:~ #
# add to the end
Defaults syslog=local1
dlp:~ #
vi /etc/rsyslog.conf # line 160: add
*.*;mail.none;news.none;local1.none -/var/log/messages
# line 172: remove "local1" local0.* -/var/log/localmessages # add to the end local1.* /var/log/sudo.log systemctl restart rsyslog |