What is Sudo?
sudo is a setuid root wrapper that implements fine-grained access control for commands that need to be run as root. It takes the command you want to run and compares it to its internal list of permissions. If sudo's permissions allow that particular user to run that command, sudo runs that command for you, with root's privileges. As root can run commands as any user, sudo can execute commands as any arbitrary system user. The sudo source can be downloaded from the link given in the installation steps below.
sudo has three pieces.
- The first is the sudo(8) command itself, the setuid root wrapper that users actually run.
- There's also sudo's configuration file, /etc/sudoers. This file is sudo's permissions table, saying who may run what commands as which user, and is fully documented in sudoers(5).
- Finally, the visudo(8) command allows administrators to edit the sudoers file without risking locking themselves out of the system (it locks the file and checks the syntax before saving).
We'll consider each component in turn: visudo, the sudoers file, and sudo itself.
The sudo permissions syntax can be confusing until you understand it. Getting everything correct can be difficult the first time. Once you understand how sudo sets things up, however, it's very quick and easy.
The various sample sudoers files you'll find on the Internet frequently look quite complicated and difficult to understand, as they demonstrate
username host = command
The username is the username of the user who may execute the command. host is the hostname of the system where this rule applies. sudo is designed so you can use one sudoers file on all of your systems; this field allows you to set per-host rules.
The command field lists the commands this rule applies to. You must give the full path to each command, or sudo will not recognize it! (You wouldn't want people to be able to adjust their $PATH variable to access renamed versions of commands, now would you?)
sudo defaults to not allowing anything to happen. To let a user run a command, you must create a rule that gives that user permission on that host to run that command. If any of the three fields doesn't match, the user cannot run the command.
Steps for implementation
1. Download the source code: The source of sudo is available from http://www.courtesan.com/sudo/. At the time of writing, the latest version is V1.6.3 and the source code is provided as a compressed tar archive in the file sudo-1.6.3.tar.gz. Download this file to a temporary directory, such as /tmp.
2. Prepare the source code for compilation:
Log in as root, make a directory at a convenient point in the file system to hold the source code and copy the source into this directory. For example:
- mkdir -p /opt/source/sudo
- cd /opt/source/sudo
- cp /tmp/sudo-1.6.3.tar.gz .
- gunzip sudo-1.6.3.tar.gz
- tar xvf sudo-1.6.3.tar
- cd sudo-1.6.3
3. Compile the source code and install sudo:
Configure the compilation process for your system:
- ./configure
- make
- make install
4. Modify the search path:
If you haven't already done so for other software, you now need to modify the search paths so that the system can find the sudo program and its manual pages. If you're running the CDE windowing system, this is done by editing the file /.dtprofile and adding the following lines (if they aren't already there) to the end of this file:
- PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/ccs/bin
- MANPATH=$MANPATH:/usr/man/:/usr/local/man
It's advisable to log out and log in again at this point to activate these changes. Make sure that the system can find the sudo program:
- sudo -V
- man sudo
- man visudo
- man sudoers
5. Configure sudo:
sudo is controlled by its configuration file /etc/sudoers. The program has a rich selection of configuration options and you may like to read the man page for sudoers and examine the sample configuration file, sample.sudoers, which you'll find in the source code directory.
The instructions below describe how to create a sudoers file which allows any user to run the /dialup and /hangup scripts defined in Configuring PPP on Solaris to connect to an ISP, and allows a particular user to run any command as root.
One potential difficulty is that the /etc/sudoers file must be edited using the visudo program and not directly in your editor of choice. visudo uses the "vi" editor and this means that you need at least a basic understanding of how to use this editor. If you aren't already familiar with vi, you'll have to learn it sooner or later, so now's a good time to start! But don't worry if you've never used it before; I'll include enough instruction here to enable you to edit the short file created by the installation process and append a couple of lines to it.
To edit /etc/sudoers, make sure you're logged in as root and type:
- /usr/local/sbin/visudo
This starts the vi editor and displays the initial /etc/sudoers file. vi uses what appear at first sight to be commands that aren't exactly intuitive. If you're not familiar with vi, type the following exactly as it appears and note that commands in vi are case sensitive. So don't type a lower-case "g" when the instructions show an upper-case "G".
Move the cursor to the end of the file by typing an upper-case G:
G
and open a new line just beyond the last line in the file by typing a lower-case o:
o
vi is now in "edit" mode and anything you type is inserted into the file. If you want everyone (all users) to be able to run the /hangup and /dialup scripts, type the following:
ALL ALL=/dialup,/hangup
with a TAB character after the first "ALL". That line tells sudo that all users are allowed to execute the scripts /hangup and /dialup as if they were root.
If you want to give just one user, say jim, the ability to run the scripts, type the following instead:
ram ALL=/dialup,/hangup
You may like to add another line telling sudo that your own personal user is allowed to do anything as root. Press the ENTER key and, if your own personal user is mike, you'd type:
surya ALL=(root) ALL
again with a TAB character after "surya".
Finally, switch vi back into command mode by pressing the ESCAPE key and exit vi by typing:
- :wq (write the file and quit; visudo then checks the syntax before installing it)
- :q! (quit without saving, if you've made a mistake and want to discard your changes)
6. Using sudo:
sudo is simple to use. To execute a command with root privilege, type:
$ sudo name-of-command
If this is the first time you've used sudo since logging in, sudo will ask for your password. The password required at this point is the user's own password, not the root password. So, if you've logged in as user jane and she wants to start a dialup connection to her ISP, she would type:
- sudo /dialup
and sudo prints its standard warning before asking for the password:
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these two things:
        #1) Respect the privacy of others.
        #2) Think before you type.
Tina would then type her password and sudo will run the /dialup script for her with root privilege. If further commands are executed using sudo within 5 minutes, it will not ask for a password again.
But if Jane were to try to execute a command without having the necessary permission (as defined in the /etc/sudoers file), sudo will refuse to run it:
$ sudo vi /etc/passwd
Sorry, user tina is not allowed to execute "/usr/bin/vi /etc/passwd" as root on sunbeam.
In this example, sunbeam is the name of the machine.
If you'd prefer not to have to type a password at all, replace the two lines in /etc/sudoers with the following (the NOPASSWD: tag goes after the "=" and before the command list):
ALL ALL=NOPASSWD: /dialup,/hangup
surya ALL=(root) NOPASSWD: ALL
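To make the matching rules from the "username host = command" explanation and the sudoers lines above concrete, here is a small added example (not code from the original post and not sudo's real parser) that reads rules in the same format, including the (runas) group and the NOPASSWD: tag, and answers the question sudo answers: may this user run this command on this host, and is a password needed? It keeps the three properties the text describes: every field must match, ALL matches anything, commands must be given by full path, and the default is deny. The sample sudoers text and hostnames (sunbeam, otherhost) are constructed for the example; aliases, wildcards and Defaults lines are deliberately not handled.

```python
"""Toy evaluator for the sudoers rule format described in this post.

Assumption: this is an illustration of the matching rules the text
describes (user, host, optional (runas) group, optional NOPASSWD: tag,
comma-separated full-path commands, default deny). It is NOT sudo's
own parser and ignores aliases, wildcards and Defaults lines.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    user: str        # username or ALL
    host: str        # hostname or ALL
    runas: str       # target user; "root" when no (runas) group is written
    nopasswd: bool   # True when the line carries the NOPASSWD: tag
    commands: tuple  # full paths, or ("ALL",)


# user  host = [(runas)] [NOPASSWD:|PASSWD:] cmd1,cmd2,...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>NOPASSWD:|PASSWD:)?\s*"
    r"(?P<cmds>.+?)\s*$"
)


def parse_sudoers(text):
    """Parse sudoers-style lines into Rule objects; reject commands without a full path."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        cmds = tuple(c.strip() for c in m.group("cmds").split(","))
        for c in cmds:
            if c != "ALL" and not c.startswith("/"):
                raise ValueError(f"line {lineno}: command {c!r} is not a full path")
        rules.append(Rule(user=m.group("user"), host=m.group("host"),
                          runas=(m.group("runas") or "root").strip(),
                          nopasswd=(m.group("tag") == "NOPASSWD:"),
                          commands=cmds))
    return rules


def _field_matches(pattern, value):
    return pattern == "ALL" or pattern == value


def check(rules, user, host, command, runas="root"):
    """Return (allowed, password_required).

    Default deny. As in sudoers, when several rules match the last one wins.
    A command spec without arguments matches the command with any arguments,
    so only the first word of the command line is compared.
    """
    decision = (False, True)
    parts = command.split()
    if not parts or not parts[0].startswith("/"):
        return decision   # sudo needs a full path; a bare name never matches a rule
    cmd_path = parts[0]
    for r in rules:
        if not (_field_matches(r.user, user) and _field_matches(r.host, host)
                and _field_matches(r.runas, runas)):
            continue
        if "ALL" in r.commands or cmd_path in r.commands:
            decision = (True, not r.nopasswd)
    return decision


# Constructed sample: the two lines from this post plus one host-specific rule.
SAMPLE = """\
# everyone may run the PPP scripts as root, with their own password
ALL     ALL=/dialup,/hangup
# surya may run anything as root
surya   ALL=(root) ALL
# jim may shut down the machine sunbeam without a password
jim     sunbeam=NOPASSWD: /usr/sbin/shutdown
"""

if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE)
    for who, where, what in [("tina", "sunbeam", "/dialup"),
                             ("tina", "sunbeam", "/usr/bin/vi /etc/passwd"),
                             ("surya", "sunbeam", "/usr/bin/vi /etc/passwd"),
                             ("jim", "sunbeam", "/usr/sbin/shutdown -h now"),
                             ("jim", "otherhost", "/usr/sbin/shutdown")]:
        allowed, needs_pw = check(rules, who, where, what)
        print(f"{who}@{where}: {what!r} -> allowed={allowed} password={needs_pw}")
```

Running it shows the behaviour the post describes: tina may run /dialup but not /usr/bin/vi /etc/passwd, surya may run anything as root, and jim's password-free shutdown works on sunbeam only, because the host field does not match anywhere else.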