calin radoni's humble web presence |
Sudo on SPARC/Solaris 8
Quoting from the sudo web page: "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments."
I always use a "playground" directory, from where I install various software. If you do not have one, create it:
# mkdir /playground
Of course, you can name it as you wish.
Copy the sudo source into your playground directory, then cd into that directory.
Unpack the sources:
# gzip -d sudo...
# tar -xvf sudo...
Note
As I always recommend, before installing a product, read at least the README and INSTALL files.
Before starting the installation process, check the INSTALL file to see whether you need to pass special options to the ./configure command. Then do:
# cd sudo...
# ./configure
# make
# make install
Test the program installation:
# sudo -V
and the man pages installation:
# man sudo
# man visudo
# man sudoers
If those commands do not work, adjust the PATH and MANPATH environment variables.
The sudo configuration is located by default in the file /etc/sudoers.
This file MUST be edited with visudo. The visudo editor is similar to vi and is installed by the sudo installation.
For your reference, the sudo source includes a sample sudoers file named sample.sudoers.
Warning
Allowing a user to run the sudo command as root will allow him to run commands like "sudo sudo /bin/sh", which will give him a root shell!
The best procedure is to read the man page for sudoers and the sample.sudoers file.
Scenario: I have two database administrators and I must allow them to execute some database maintenance commands as root, without giving them the root password.
Create a group for the database administrators:
# groupadd dbadmins
For each database administrator, let's name them joe and mike, I am creating the users:
# useradd -d /export/home/joe -g users -G dbadmins -s /usr/bin/bash -m joe
# useradd -d /export/home/mike -g users -G dbadmins -s /usr/bin/bash -m mike
These commands create the users joe and mike with the following properties:
Group every database administration script in a single place, let's say /scripts/database and set the permissions accordingly:
# chown -R root:dbadmins /scripts/database
# chmod -R 740 /scripts/database
This allows the members of the dbadmins group to read the scripts there. Execute permission is granted only to the user root.
Edit the sudoers file by launching visudo.
Create a command alias by inserting the following line after the line "# Cmnd alias specification":
Cmnd_Alias DBCOMMANDS = /scripts/database/start, /scripts/database/stop, \
        /scripts/database/backup
Note
Between "Cmnd_Alias" and "DBCOMMANDS" is a TAB character.
Add the line:
%dbadmins ALL=DBCOMMANDS
below the root privilege specification "root ALL=(ALL) ALL".
Note
Between "%dbadmins" and "DBCOMMANDS" is a TAB character.
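The scripts listed in DBCOMMANDS run as root, so anyone who can modify one of them, or replace it in its directory, gains root through sudo. The following script is an added example, not part of the original page: it reads a Cmnd_Alias from a sudoers-style file and flags every listed command, and the directory holding it, that is not owned by the expected owner or is writable by group or others. The function names are this example's own.

```sh
#!/bin/sh
# Added example: audit the commands a sudoers Cmnd_Alias allows as root.
# Needs a POSIX awk; on Solaris 8 use nawk, /usr/bin/awk is the old awk.

# Print the command paths of alias $2 in sudoers-style file $1, one per line.
# Assumes one alias per Cmnd_Alias line; "\" line continuations are joined.
alias_commands() {
    awk -v a="$2" '
        { line = line $0 }
        /\\$/ { sub(/\\$/, " ", line); next }
        {
            $0 = line; line = ""
            if ($1 != "Cmnd_Alias") next
            sub(/^[ \t]*Cmnd_Alias[ \t]+/, "")
            eq = index($0, "=")
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name != a) next
            n = split(substr($0, eq + 1), c, ",")
            for (i = 1; i <= n; i++)
                if (split(c[i], w, " ") > 0) print w[1]
        }' "$1"
}

# Succeed only if $1 exists, is owned by user $2, and is not writable by
# group or others (mode string from ls: char 6 = group w, char 9 = other w).
safe_perms() {
    ls -ldL "$1" 2>/dev/null | awk -v o="$2" '
        { ok = ($3 == o && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w") }
        END { exit(ok ? 0 : 1) }'
}

# Check each command of alias $2 in file $1 and the directory holding it.
# $3 is the expected owner (default root). Returns 1 if anything is flagged.
audit_alias() {
    owner=${3:-root}; bad=0
    for cmd in $(alias_commands "$1" "$2"); do
        for p in "$cmd" "$(dirname "$cmd")"; do
            safe_perms "$p" "$owner" || { echo "UNSAFE: $p"; bad=1; }
        done
    done
    return $bad
}

# Stand-alone use: sh audit.sh /etc/sudoers DBCOMMANDS
[ $# -lt 2 ] || audit_alias "$@"
```

The script looks only at each command and its immediate directory; directories further up the path need the same ownership and mode.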
This is just an example. There are many ways to configure sudo to perform this task: see the sudoers man page and the file sample.sudoers.
This document is copyrighted (c) 2005 by Calin Radoni. Permission is granted to copy and/or distribute this document.
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution; the author does not take any responsibility.
All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.