calin radoni's humble web presence

Sudo on SPARC/Solaris 8

Installing sudo-1.6.8p9 on SPARC/Solaris 8

Quoting from the sudo web page: "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments."

The Playground

I always use a "playground" directory, from which I install various software. If you do not have one, create it:

# mkdir /playground
						
Of course, you can name it as you wish.

Copy the sudo source into your playground directory, then cd into that directory.

Installation

Unpack the sources:

# gzip -d sudo...
# tar -xvf sudo...
					

Note

As I always recommend, before installing a product, read at least the README and INSTALL files.

Before starting the installation, read the INSTALL file to check whether you need to pass special options to the ./configure command. Then do:

# cd sudo...
# ./configure
# make
# make install
					

Test the program installation:

# sudo -V
					
and the man pages installation:
# man sudo
# man visudo
# man sudoers
					
If those commands do not work, adjust the PATH and MANPATH environment variables.

Configuration

The sudo configuration is located by default in the file /etc/sudoers. This file MUST be edited with visudo, which locks the file against simultaneous edits and checks its syntax before saving. The visudo editor is similar to vi and is installed by the sudo installation. For your reference, the sudo source includes a sample sudoers file named sample.sudoers.

Warning

Allowing a user to run the sudo command as root will allow him to run commands like "sudo sudo /bin/sh", which will give him a root shell!

The best procedure is to read the man page for sudoers and the sample.sudoers file.

Example

Scenario: I have two database administrators and I must allow them to execute some database maintenance commands as root, without giving them the root password.

Create a group for the database administrators:

# groupadd dbadmins
							

Create a user for each database administrator; let's name them joe and mike:

# useradd -d /export/home/joe -g users -G dbadmins -s /usr/bin/bash -m joe
# useradd -d /export/home/mike -g users -G dbadmins -s /usr/bin/bash -m mike
							
Those commands create the users joe and mike with the following properties:

Group every database administration script in a single place, let's say /scripts/database, and set the permissions accordingly:

# chown -R root:dbadmins /scripts/database
# chmod -R 740 /scripts/database
							
This allows the members of the dbadmins group to read the scripts there. Execute permission is granted only to the user root.

Edit the sudoers file by launching visudo. Create a command alias by inserting the following entry after the line "# Cmnd alias specification":

Cmnd_Alias	DBCOMMANDS = /scripts/database/start, /scripts/database/stop, \
						 /scripts/database/backup
							

Note

Between "Cmnd_Alias" and "DBCOMMANDS" is a TAB character.

Then grant the members of the dbadmins group the right to execute them by adding this entry:
%dbadmins	ALL=DBCOMMANDS
							
below the root privilege specification "root ALL=(ALL) ALL".

Note

Between "%dbadmins" and "DBCOMMANDS" is a TAB character.

This is just an example. There are many ways to configure sudo to perform this task:

Really, I am repeating myself: you should read the sudoers man page and the sample.sudoers file.
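
The ownership step and the DBCOMMANDS alias above can be checked together. The following script is an added example, not part of the original page: it reads one Cmnd_Alias from a sudoers file and reports every listed command, and the directory holding it, that is missing, not owned by root, or writable by group or other. The function names and the optional trusted-uid argument are assumptions of this example, which expects a POSIX shell and plain absolute paths.

```sh
#!/bin/sh
# Added example: audit what a sudoers Cmnd_Alias lets users run as root.
# Usage: sh audit_alias.sh /etc/sudoers DBCOMMANDS
# Assumes plain absolute paths (no wildcards or spaces) and POSIX sed/awk/ls.

# Print the command paths of one Cmnd_Alias, one per line.
alias_commands() {  # $1 = sudoers file, $2 = alias name
    # Join "\"-continued lines first, as in the DBCOMMANDS definition.
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" |
    awk -v want="$2" '$1 == "Cmnd_Alias" {
        eq = index($0, "="); name = substr($0, 1, eq - 1)
        sub(/^Cmnd_Alias[ \t]+/, "", name); gsub(/[ \t]/, "", name)
        if (name != want) next
        n = split(substr($0, eq + 1), c, ",")
        for (i = 1; i <= n; i++) { $0 = c[i]; if (NF) print $1 }
    }'
}

# Report a path that is missing, not owned by the trusted uid, or writable
# by group or other. Exit status 1 when something was reported.
check_path() {  # $1 = path, $2 = trusted uid
    ls -ldnL "$1" 2>/dev/null | (
        read -r mode links uid rest || { echo "MISSING  $1"; exit 1; }
        st=0
        [ "$uid" = "$2" ] || { echo "OWNER    $1 (uid $uid)"; st=1; }
        case $mode in
            ?????w*|????????w*) echo "WRITABLE $1 ($mode)"; st=1 ;;
        esac
        exit $st
    )
}

# Check every command of the alias plus the directory that holds it:
# write access to either lets a user replace what sudo runs as root.
audit_alias() {  # $1 = sudoers file, $2 = alias name, $3 = trusted uid (default 0)
    rc=0
    for p in $(alias_commands "$1" "$2" |
               while read -r c; do echo "$c"; dirname "$c"; done | sort -u); do
        check_path "$p" "${3:-0}" || rc=1
    done
    return $rc
}

if [ $# -ge 2 ]; then audit_alias "$@"; fi
```

Run it as root, since /etc/sudoers is normally readable only by root. No output and exit status 0 mean nothing was reported.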

History

Copyright and License

This document is copyrighted (c) 2005 by Calin Radoni. Permission is granted to copy and/or distribute this document.

Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution; the author does not take any responsibility.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.


Copyright © 2005 - 2009 Calin Radoni Hosted on http://www.oocities.org/calinradoni Last page modification is 27 June 2005