Posted on 16-11-2006
Filed Under (Linux commands) by Arun Bagul

1] Introduction:

root is the superuser, with unrestricted access to all system resources and files on a Linux system. The uid and gid of the root user are 0 (zero). Often, though, a system/Linux admin wants to give restricted access to particular users or groups of users. In that case sudo is the best technique to do this.

The sudo utility gives users defined in the /etc/sudoers configuration file temporary access to run commands that they would normally not be able to run because of file permission restrictions. The commands can be run as user “root” or as any other user defined in the /etc/sudoers configuration file.

All commands run through sudo are logged in the log file /var/log/messages.

2] Sudo configuration file /etc/sudoers

/etc/sudoers file contains all the configuration and permission parameters needed for sudo to work. There are a number of guidelines that need to be followed when editing it with visudo.

The format of a rule in the sudoers file is as below:

user_names/group_name servername = (usernames command can be run as) command

3] How to open the sudo file /etc/sudoers

Always use the visudo command to open the /etc/sudoers file.

root@indiangnu.org:~# visudo

4] How to permit a few users to start/restart/stop the Apache server

* Open the sudoers file using the above command

# access to Apache2 and MySQL to webgroup group without password

%webgroup ALL= NOPASSWD: /etc/init.d/apache2

%webgroup ALL= NOPASSWD: /etc/init.d/mysql restart

web ALL= NOPASSWD: /etc/init.d/apache2

* In the above example the users in group webgroup can only restart MySQL; they can’t stop or start the MySQL service.

# access to Apache2 with password to user webuser

webuser ALL= /etc/init.d/apache2

# Members of the myroot group may gain root privileges

%myroot ALL=(ALL) ALL
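
The rules above differ in how much they allow: a bare command path accepts any arguments, while a command written with arguments must match exactly. The following added example (not from the original post) summarises that for each rule; `summarise_rules` and `full_root_principals` are hypothetical helper names, and the sample input is constructed from the rules in this section.

```shell
#!/bin/sh
# Added example (not from the original post): summarise sudoers-style rules.
# Constructed sample input: the rules from section 4 of this post.
SAMPLE_RULES='# access to Apache2 and MySQL to webgroup group without password
%webgroup ALL= NOPASSWD: /etc/init.d/apache2
%webgroup ALL= NOPASSWD: /etc/init.d/mysql restart
web ALL= NOPASSWD: /etc/init.d/apache2
webuser ALL= /etc/init.d/apache2
%myroot ALL=(ALL) ALL'

# summarise_rules (hypothetical helper): reads rules on stdin and prints
#   who|runas|auth|scope|command
# Assumption: one "who host = [(runas)] [NOPASSWD:] command" rule per line.
# Defaults, alias definitions and includes are skipped; command lists
# separated by commas are not split.
summarise_rules() {
  awk '
    /^[ \t]*$/ || /^[ \t]*[#@]/ { next }          # blanks, comments, includes
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }   # settings and alias definitions
    {
      eq = index($0, "="); if (eq == 0) next
      split(substr($0, 1, eq - 1), lhs, " ")      # lhs[1] = user or %group
      rest = substr($0, eq + 1); sub(/^[ \t]+/, "", rest)
      runas = "root"                              # sudo default target user
      if (substr(rest, 1, 1) == "(") {
        close_at = index(rest, ")")
        runas = substr(rest, 2, close_at - 2); sub(/:.*/, "", runas)
        rest = substr(rest, close_at + 1); sub(/^[ \t]+/, "", rest)
      }
      auth = "password"
      if (sub(/^NOPASSWD:[ \t]*/, "", rest)) auth = "nopasswd"
      sub(/[ \t]+$/, "", rest)
      if (rest == "ALL")        scope = "any-command"
      else if (rest ~ /[ \t]/)  scope = "fixed-args"   # arguments must match exactly
      else                      scope = "any-args"     # bare path: any arguments allowed
      printf "%s|%s|%s|%s|%s\n", lhs[1], runas, auth, scope, rest
    }'
}

# full_root_principals (hypothetical helper): who may run any command as root.
full_root_principals() {
  summarise_rules |
    awk -F'|' '$4 == "any-command" && ($2 == "ALL" || $2 == "root") { print $1 }'
}

printf '%s\n' "$SAMPLE_RULES" | summarise_rules
```

To review a real policy, pipe the file in as root, for example `summarise_rules < /etc/sudoers`; rules that use aliases still need to be read by hand.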

5] How to use sudo

web@indiangnu.org:~$ sudo /etc/init.d/apache2 restart
* Forcing reload of apache 2.0 web server… [ ok ]
web@indiangnu.org:~$

** In the example below, webuser needs to enter his password to verify that ‘webuser’ is an authentic user.

webuser@indiangnu.org:~$ sudo /etc/init.d/apache2 restart
Password:
* Forcing reload of apache 2.0 web server… [ ok ]
webuser@indiangnu.org:~$


Comments

santosh on 14 March, 2008 at 11:37 am #

can we have a script to determine the name of the users who have sudo access to root.??


Arun Bagul on 3 April, 2008 at 6:47 pm #

Hi!! Santosh,

I am sorry for late response…

you can use below script to find out which user and group has sudo root privileges…

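-----------

#!/bin/bash

# Collect users and groups whose sudoers rule is ALL for host, run-as and command.
User=""
Group=""
count=$(grep "ALL" /etc/sudoers | grep -v '^#' | wc -l)
for i in $(seq 1 "$count")
do
    # Take the i-th matching rule and turn "=", "(" and ")" into spaces
    line=$(grep "ALL" /etc/sudoers | grep -v '^#' | head -n "$i" | tail -n 1 | tr "=()" "   ")
    # Count the fields that are exactly ALL (host, run-as user and command)
    cnt=$(echo "$line" | tr -s '[:space:]' '\n' | grep -cx 'ALL')
    if [ "$cnt" -eq 3 ]; then
        myuser=$(echo "$line" | awk '{print $1}')
        # A leading % marks a group entry
        mygroup=$(echo "$myuser" | grep '^%')
        if [ -z "$mygroup" ]; then
            User="$User $myuser"
        else
            Group="$Group $(echo "$mygroup" | tr "%" " ")"
        fi
    fi
done
echo "Users with sudo 'root' privileges are => $User"
echo "Groups with sudo 'root' privileges are => $Group"

-----------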


Ravi on 4 April, 2008 at 9:47 am #

great arun nice script to find sudo users
thanks


Ravi on 4 April, 2008 at 10:47 am #

hi Arun,
there are many errors when I execute this
script can you please send me the attachment on my email & also send it to santosh.
Thanks
Ravi


santosh on 4 April, 2008 at 2:42 pm #

getting the errors.
root@test tmp]# sh test.sh
test.sh: line 20: unexpected EOF while looking for matching `”‘
test.sh: line 21: syntax error: unexpected end of file


Arun Bagul on 6 April, 2008 at 10:00 am #

Hi!! All,

Please check your mail. Actually there is no error in the script. The problem is char support in wp-blog

