From my mail bag:
I would like to run
few commands such as stop or start web server as a root user. How do I allow a
normal user to run these commands as root?
You need to use the sudo command which is use to execute a command as another
user. It allows a permitted user to execute a command as the superuser or
another user, as specified in the /etc/sudoers (config file that defines or
list of who can run what) file. The sudo command allows users to do tasks on a
Linux system as another user.
sudo command
sudo
is more more secure than su command. By default it logs sudo usage, command and
arguments in /var/log/secure (Red Hat/Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).
If the
invoking user is root or if the target user is the same as the invoking user,
no password is required. Otherwise, sudo requires that users authenticate
themselves with a password by default. Once a user has been authenticated, a
timestamp is updated and the user may then use sudo without a password for a
short period of time (15 minutes unless overridden in sudoers).
/etc/sudoers
Syntax
Following is general syntax used by
/etc/sudoers file:
USER HOSTNAME=COMMAND
Where,
USER HOSTNAME=COMMAND
Where,
Ø USER: Name of normal user
Ø HOSTNAME: Where command is
allowed to run. It is the hostname of the system where this rule applies. sudo
is designed so you can use one sudoers file on all of your systems. This space
allows you to set per-host rules.
Ø COMMAND: A simple filename
allows the user to run the command with any arguments he/she wishes. However,
you may also specify command line arguments (including wildcards). Alternately,
you can specify "" to indicate that the command may only be run
without command line arguments.
How
do I use sudo?
Give user rokcy access to halt/shutdown
command and restart Apache web server. First, Login as root user. Use visudo
command edit the config file:
# visudo
Append the following
lines to file:
rokcy localhost=/sbin/halt rokcy dbserver=/etc/init.d/apache-perl restart
Save and close file .
Now rokcy user can restart Apache web server by typing the following command:
$ sudo /etc/init.d/apache-perl restart
Output:
Password:
Restarting apache-perl 1.3 web server....
The sudo command has
logged the attempt to the log file /var/log/secure or /var/log/auth.log file:
# tail -f /var/log/auth.log
Sample outputs:
May 13 08:37:43 debian sudo: rokcy : TTY=pts/4 ; PWD=/home/rokcy
; USER=root ; COMMAND=/etc/init.d/apache-perl restart
If rokcy want to
shutdown computer he needs to type command:
$ sudo /sbin/halt
Output:
Password:
Before running a
command with sudo, users usually supply their password. Once authenticated, and
if the /etc/sudoers configuration file permits the user access, then the
command is run. sudo logs each command run.
Examples
a)
Allow exeadmin to run various commands:
exeadmin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
b)
Allow user exeadmin to run /sbin/halt without any password i.e.
as root without authenticating himself:
exejadmin ALL= NOPASSWD: /sbin/halt
c)
Allow user harvi to run any command from /usr/bin directory on
the system dev02:
harvi dev02 = /usr/bin/*
0 comments:
Post a Comment