
Sudo

Yi-Hsiang Lin

[email protected]

2002/5/21 @ CISCC


OUTLINE

  • Introduction

  • Related files of command “sudo”

  • The options of command “sudo”

  • Examples of command “sudo”

  • The file formats of “sudoers”: grammar, aliases

  • Examples of file “sudoers” entries


Introduction

  • Sudo allows a permitted user to execute a command as the superuser or another user

  • Sudo uses the user’s own password for authentication

  • Once the user has authenticated, a timestamp is recorded, and the user can run sudo without a password for 5 minutes

  • Sudo logs both successful and unsuccessful attempts


Related files of sudo

  • sudo: under /usr/bin or /usr/local/bin – execute a command as another user

  • sudoers: under /etc or /usr/local/etc – list of which users may execute what

  • visudo: under /usr/sbin or /usr/local/sbin – edit the sudoers file

  • /var/run/sudo: directory containing timestamps


The options of sudo(1/2)

  • -V: Version

  • -l: list allowed commands

  • -L: list defaults – Defaults parameters

  • -h: help

  • -v: validate – update timestamp

  • -k: kill – invalidate timestamp

  • -K: sure kill – remove timestamp entirely


The options of sudo(2/2)

  • -b: background

  • -p: prompt – override the default prompt

  • -c: class

  • -a: authentication

  • -u: user – username or #uid

  • -s: shell

  • -H: HOME

  • -S: stdin


Examples of sudo

  • List an unreadable directory:
      % sudo ls /usr/local/protected

  • List the home directory of ~zjm, which is not exported as root:
      % sudo -u zjm ls ~zjm

  • Edit the index.html file as user www:
      % sudo -u www vi ~www/htdocs/index.html

  • Shut down a machine:
      % sudo shutdown -r +15 "quick reboot"

  • Run the commands in a subshell so that the cd and the file redirection work:
      % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"


The file formats of “sudoers” – grammar

  • GRAMMAR: uses Extended Backus-Naur Form (EBNF)
      symbol ::= definition | alternate1 | alternate2 ...
      ? : Means that the preceding symbol is optional. It may appear once or not at all.
      * : Means that the preceding symbol may appear zero or more times.
      + : Means that the preceding symbol may appear one or more times.


The file formats of “sudoers” – aliases

  • Four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.

  • Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
              'Runas_Alias' = Runas_Alias (':' Runas_Alias)* |
              'Host_Alias' = Host_Alias (':' Host_Alias)* |
              'Cmnd_Alias' = Cmnd_Alias (':' Cmnd_Alias)*

  • User_Alias ::= NAME '=' User_List

  • NAME ::= [A-Z]([A-Z][0-9]_)*

  • See “man sudoers” for details


Examples of file “sudoers” entries(1)

# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase

# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
           SGI = grolsch, dandelion, black :\
           ALPHA = widget, thalamus, foobar :\
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, \
           128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules


Examples of file “sudoers” entries(2)

# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, \
           /usr/sbin/rdump,\
           /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
           /usr/local/bin/tcsh, /usr/bin/rsh, \
           /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
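
The alias grammar applied to the Host_Alias lines above, as an added example that is not part of the original slides: a small Python parser that folds `\` continuations, splits the `:`-separated definitions, checks NAME, and expands nested aliases so a reviewer can see which hosts a rule really covers. The `LABS` alias and the function names are constructed for the illustration; `!` negation and quoting are not handled.

```python
import re

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# NAME: an uppercase letter, then uppercase letters, digits or underscores.
NAME_RE = re.compile(r"[A-Z][A-Z0-9_]*\Z")

def parse_aliases(text):
    """Return {kind: {NAME: [members]}} for the alias lines in text."""
    aliases = {kind: {} for kind in ALIAS_KINDS}
    text = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)  # fold continuation lines
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0] not in ALIAS_KINDS:
            continue  # comments, Defaults and user specifications
        # One keyword may introduce several definitions separated by ':'.
        for definition in parts[1].split(":"):
            name, sep, members = definition.partition("=")
            name = name.strip()
            if not sep or not NAME_RE.match(name):
                raise ValueError(f"bad alias definition: {definition.strip()!r}")
            aliases[parts[0]][name] = [m.strip() for m in members.split(",") if m.strip()]
    return aliases

def expand(aliases, kind, item, seen=()):
    """Replace an alias name by its members, following nested aliases."""
    if item not in aliases[kind]:
        return [item]  # a plain user, host or command
    if item in seen:
        raise ValueError(f"alias {item} refers to itself")
    members = []
    for member in aliases[kind][item]:
        members.extend(expand(aliases, kind, member, seen + (item,)))
    return members

# Host_Alias lines from the slide above; LABS is constructed for this example.
SAMPLE = r"""
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
           SGI = grolsch, dandelion, black :\
           ALPHA = widget, thalamus, foobar :\
           HPPA = boa, nag, python
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, \
           128.138.242.0
Host_Alias LABS = SPARC, SGI
"""

if __name__ == "__main__":
    parsed = parse_aliases(SAMPLE)
    print(expand(parsed, "Host_Alias", "LABS"))
```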


Examples of file “sudoers” entries(3)

# Override built in defaults
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
FULLTIMERS ALL = NOPASSWD: ALL
PARTTIMERS ALL = ALL
jack CSNETS = ALL
lisa CUNETS = ALL
operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT, /usr/oper/bin/


Examples of file “sudoers” entries(4)

joe ALL = /usr/bin/su operator
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
bob SPARC = (OP) ALL : SGI = (OP) ALL
jim +biglab = ALL
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
fred ALL = (DB) NOPASSWD: ALL
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
jen ALL, !SERVERS = ALL
jill SERVERS = /usr/bin/, !SU, !SHELLS
steve CSNETS = (operator) /usr/local/op_commands/
matt valkyrie = KILL
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
    /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
bill ALL = ALL, !SU, !SHELLS
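
An added example, not part of the original slides: a Python review pass over entries like those above that flags three patterns a reviewer usually wants justified: `!authenticate`, `NOPASSWD:` on `ALL`, and `ALL` narrowed only by `!` exclusions, which the sudoers manual cautions is not a dependable restriction. The function name and the choice of checks are assumptions of this example, and aliases are not expanded.

```python
import re

TAG_RE = re.compile(r"(NOPASSWD|PASSWD):\s*")

def audit(text):
    """Return sorted (subject, finding) pairs for entries worth a second look."""
    findings = set()
    text = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)  # fold continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"\w+_Alias\s", line):
            continue
        if line.startswith("Defaults"):
            if "!authenticate" in line:
                findings.add((line.split()[0], "authentication disabled"))
            continue
        who, items = line.split()[0], []
        # A ':' that is followed by "hosts =" starts another host segment.
        for segment in re.split(r":(?=[^:=]*=)", line):
            nopasswd = False
            # Keep the command list only; Runas lists "(...)" are dropped.
            cmnds = re.sub(r"\([^)]*\)", "", segment.partition("=")[2])
            for item in re.split(r"(?<!\\),", cmnds):  # "\," is a literal comma
                item = item.strip()
                tag = TAG_RE.match(item)
                if tag:  # a tag applies to the commands that follow it
                    nopasswd = tag.group(1) == "NOPASSWD"
                    item = item[tag.end():]
                items.append((item, nopasswd))
        if any(item == "ALL" and np for item, np in items):
            findings.add((who, "NOPASSWD on ALL commands"))
        if any(i == "ALL" for i, _ in items) and any(i.startswith("!") for i, _ in items):
            findings.add((who, "ALL with '!' exclusions"))
    return sorted(findings)

# A subset of the entries shown on the slides above.
SAMPLE = r"""
Defaults:millert !authenticate
root ALL = (ALL) ALL
FULLTIMERS ALL = NOPASSWD: ALL
fred ALL = (DB) NOPASSWD: ALL
bob SPARC = (OP) ALL : SGI = (OP) ALL
jen ALL, !SERVERS = ALL
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
    /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
bill ALL = ALL, !SU, !SHELLS
"""

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE):
        print(f"{subject}: {finding}")
```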