1 / 13

Sudo

Sudo. Yi-Hsiang Lin yslin@cis.nctu.edu.tw 2002/5/21 @ CISCC. OUTLINE. Introduction Related files of command “sudo” The options of command “sudo” Examples of command “sudo” The file formats of “sudoers” grammar, aliases Examples of file “sudoers” entries. Introduction.

nolcha
Télécharger la présentation

Sudo

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sudo Yi-Hsiang Lin yslin@cis.nctu.edu.tw 2002/5/21 @ CISCC

  2. OUTLINE • Introduction • Related files of command “sudo” • The options of command “sudo” • Examples of command “sudo” • The file formats of “sudoers”grammar, aliases • Examples of file “sudoers” entries

  3. Introduction • Sudo allows a permitted user to execute a command as the superuser or another user • Sudo use user’s password • When authenticated, a timestamp is used. User can use sudo without a password for 5 minutes • log both successful and unsuccessful

  4. Related files of sudo • sudo : under /usr/bin or /usr/local/bin- execute a command as another user • sudoers: under /etc or /usr/local/etc- list of which users may execute what • visudo: under /usr/sbin or /usr/local/sbin- edit the sudoers file • /var/run/sudo:Directory containing timestamps

  5. The options of sudo(1/2) • -V: Version • -l: list allowed commands • -L: list defaults – Defaults parameters • -h: help • -v: validate – update timestamp • -k: kill – invalidate timestamp • -K: sure kill – remove timestamp entirely

  6. The options of sudo(2/2) • -b: background • -p: prompt – override the default prompt • -c: class • -a: authentication • -u: user – username or #uid • -s: shell • -H: HOME • -S: stdin

  7. Examples of sudo • Listing of an unreadable directory% sudo ls /usr/local/protected • List home dir. of ~zjm which is not exported as root:% sudo -u zjm ls ~zjm • Edit the index.html file as user www% sudo -u www vi ~www/htdocs/index.html • Shutdown a machine% sudo shutdown -r +15 "quick reboot“ • runs the commands in a subshell to make the cd and file redirection work% sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

  8. The file formats of “sudoers” – grammar • GRAMMAR:Use Extended Backus-Naur Form (EBNF) symbol ::= definition | alternate1 | alternate2 ...? : Means that the preceding symbol is optional. It may appear once or not at all* : Means that the preceding symbol may appear zero or more times.+ : Means that the preceding symbol may appear one or more times.

  9. The file formats of “sudoers” – aliases • four kinds of aliases:User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. • Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |'Runas_Alias' = Runas_Alias (':' Runas_Alias)* |'Host_Alias' = Host_Alias (':' Host_Alias)* |'Cmnd_Alias' = Cmnd_Alias (':' Cmnd_Alias)* • User_Alias ::= NAME '=' User_List • NAME ::= [A-Z]([A-Z][0-9]_)* • Please man sudoers for details

  10. Examples of file “sudoers” entries(1) # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl User_Alias WEBMASTERS = will, wendy, wim # Runas alias specification Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ SGI = grolsch, dandelion, black :\ ALPHA = widget, thalamus, foobar :\ HPPA = boa, nag, python Host_Alias CUNETS = 128.138.0.0/255.255.0.0 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, \ 128.138.242.0 Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules

  11. Examples of file “sudoers” entries(2) # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, \ /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ /usr/local/bin/tcsh, /usr/bin/rsh, \ /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su

  12. Examples of file “sudoers” entries(3) # Override built in defaults Defaults syslog=auth Defaults:FULLTIMERS !lecture Defaults:millert !authenticate Defaults@SERVERS log_year, logfile=/var/log/sudo.log root ALL = (ALL) ALL %wheel ALL = (ALL) ALL FULLTIMERS ALL = NOPASSWD: ALL PARTTIMERS ALL = ALL jack CSNETS = ALL lisa CUNETS = ALL operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT, /usr/oper/bin/

  13. Examples of file “sudoers” entries(4) joe ALL = /usr/bin/su operator pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root bob SPARC = (OP) ALL : SGI = (OP) ALL jim +biglab = ALL +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser fred ALL = (DB) NOPASSWD: ALL john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* jen ALL, !SERVERS = ALL jill SERVERS = /usr/bin/, !SU, !SHELLS steve CSNETS = (operator) /usr/local/op_commands/ matt valkyrie = KILL WEBMASTERS www = (www) ALL, (root) /usr/bin/su www ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM bill ALL = ALL, !SU, !SHELLS

More Related