Edit the sudoers file with visudo. Note that to execute many system commands, your PATH will need to include /sbin:/usr/sbin.
See what access is allowed with "sudo -l".
The best example file I found was at http://www.gratisoft.us/sudo/sample.sudoers , except that it uses "!", which is pointless (commands can be copied).
## Sample sudoers file ##
# *** Host_Alias specifications ***
# Host_Alias seems not to be useful, unless you have a
# global sudoers file that is replicated across multiple hosts.
# make LOCAL mean localhost (probably a bad idea, as this will allow it to run on any machine that has the sudoers file)
Host_Alias LOCAL = 127.0.0.1
# Anywhere that "LAN" is specified, these hosts apply:
Host_Alias LAN = ahost.mycompany.com, anotherhost.mycompany.com
# *** User_Alias specifications ***
# User_Alias allows you to group users. (better to use AD/NIS groups, for global/central management?)
# MAILADMINS user alias refers to users dick and jane
User_Alias MAILADMINS = dick, jane
# *** Runas_Alias specifications ***
# This specifies an alias or grouping of whom a command can be run as.
Runas_Alias SOMEONE = larry, tom
# *** Cmnd_Alias specifications ***
# alias or group commands with full paths, to make things easier to read later.
Cmnd_Alias SU = /bin/su
Cmnd_Alias SMTP = /sbin/service postfix stop, /sbin/service postfix start, /sbin/service postfix status
Cmnd_Alias REBOOT = /usr/bin/reboot, /sbin/shutdown -r now
# *** Defaults specification ***
# make user john.doe not have to enter a password to run commands as another user
Defaults:john.doe !authenticate
# make user kate have no timeout, remove env variable "GOO" from the sudo environment, run as linda by default, and always require the root password
Defaults:kate timestamp_timeout=-1, env_delete+="GOO", runas_default=linda, rootpw
# make user jim have to enter the password of whoever he's running a command as, every time, with 1 attempt allowed
Defaults:jim timestamp_timeout=0, runaspw, passwd_tries=1
# global defaults - log to a specific file.
Defaults logfile=/var/log/sudo.log, log_year
# *** User Privilege specification ***
# This is where we actually say who and where (as whom) can do what
# user/%group hostname = (user) command
# by default, root can do all commands as all users
root ALL=(ALL) ALL
# users jake and jim, on localhost, can restart crond without entering a password. (probably a bad idea)
jake,jim LOCAL = NOPASSWD: /sbin/service crond restart
# allow MAILADMINS on hosts LAN to run the SMTP commands as root and the REBOOT commands as SOMEONE (larry or tom).
MAILADMINS LAN = (root) SMTP, (SOMEONE) REBOOT
# members of the group "wheel" can run, on all hosts, all commands as all users
%wheel ALL=(ALL) ALL
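The objection to "!" above can be checked mechanically. The following is an added example, not part of the original post or of sudo: a small Python linter that flags rules which grant ALL and then subtract commands. The sample rules, the names jane and %ops, and the function names are constructed for illustration, and the parser assumes the simple "who host = list" rule form only.

```python
import re

# Constructed sample input; users, groups and aliases are hypothetical.
SAMPLE = """\
Cmnd_Alias SU = /bin/su
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
Cmnd_Alias SMTP = /sbin/service postfix stop, \\
                  /sbin/service postfix start
jane ALL = (ALL) ALL, !SU, !SHELLS
%ops ALL = NOPASSWD: ALL, !/usr/bin/passwd root
MAILADMINS LAN = (root) SMTP
%wheel ALL = (ALL) ALL
"""

def logical_lines(text):
    """Yield (first_line_no, line); join continuations, skip comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        line, buf = buf.strip(), ""
        if line and not line.startswith("#"):
            yield start, line

def find_subtractive_grants(text):
    """Return (line_no, who, denied_commands) for each 'ALL, !cmd' rule."""
    lines = list(logical_lines(text))
    aliases = {}
    for _, line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    findings = []
    for no, line in lines:
        if re.match(r"Defaults|\w+_Alias\b", line) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        rhs = re.sub(r"\([^)]*\)", "", rhs)      # drop Runas lists such as (ALL)
        rhs = re.sub(r"\b[A-Z_]+:\s*", "", rhs)  # drop tags such as NOPASSWD:
        items = [i.strip() for i in rhs.split(",")]
        denied = [i[1:].strip() for i in items if i.startswith("!")]
        if "ALL" in items and denied:
            expanded = [c for d in denied for c in aliases.get(d, [d])]
            findings.append((no, lhs.split()[0], expanded))
    return findings
```

Each finding is a rule to rewrite as an explicit list of permitted commands, in the style of the MAILADMINS rule in the sample file.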
3 comments:
I just ran across this post and wanted to point out that the example you found at http://www.gratisoft.us/sudo/sample.sudoers is exactly the same as the official sudoers example file http://www.sudo.ws/sudo/sample.sudoers.
Maybe you could explain your problems with it to the sudo maintainers?
If the goal is "least privilege", then we would only grant privileges to execute specific tasks; we would never grant "everything *but*".
If we grant "everything *but*", then whatever we don't want the user to do, the user can copy that forbidden item to a new file or some such, and then execute it.
I guess the ! could keep honest people honest, but will not stop any attempt to circumvent the limitations.
Hi,
From the manpage I see something like this:
SECURITY NOTES
It is generally not effective to ``subtract'' commands from ALL
using the '!' operator...
For me sudo is for limiting internal users. So I use "!/path/to/bla" as well. In case of an unwanted user action, everything is logged and that helps much :-)
Regards, tcpdump