04-17-2008, 07:54 PM
Ned Slider

becoming root

Rafał Ślubowski wrote:

2008/4/8, Ned Slider <nedslider@f2s.com>:

Rafał Ślubowski wrote:

I've mentioned consolehelper just because I think I can write such
section. Of course it should be proofread because of my English.

Brilliant. I'm more than happy to proof read if you would be so kind as to
write something


I wrote it. Please, feel free to correct my errors.

Regards,
Rafal



Brilliant - thanks Rafal.

I'll take a look over the weekend.

For everyone else, the link is here:

http://wiki.centos.org/TipsAndTricks/BecomingRoot

We still need a *volunteer* to write something on sudo (and gnome gui if
anything exists??). Better to volunteer now before I start twisting arms


Regards,

Ned
_______________________________________________
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs
 
04-17-2008, 11:28 PM
Ned Slider

becoming root

Rafał Ślubowski wrote:

2008/4/8, Ned Slider <nedslider@f2s.com>:

Rafał Ślubowski wrote:

I've mentioned consolehelper just because I think I can write such
section. Of course it should be proofread because of my English.

Brilliant. I'm more than happy to proof read if you would be so kind as to
write something


I wrote it. Please, feel free to correct my errors.



Rafal,

I've had a look and made a few small changes - hope I've not changed the
meaning of anything you've written.


Thanks again,

Ned
 
04-18-2008, 02:36 PM
"Akemi Yagi"

becoming root

On Thu, Apr 17, 2008 at 12:54 PM, Ned Slider <nedslider@pendre.co.uk> wrote:
>
> For everyone else, the link is here:
>
> http://wiki.centos.org/TipsAndTricks/BecomingRoot
>
> We still need a *volunteer* to write something on sudo (and gnome gui if
> anything exists??). Better to volunteer now before I start twisting arms

> Ned

IF there is no volunteer, I would offer to write the sudo section.
Anyone? Speak up?

Akemi
 
04-18-2008, 03:03 PM
"Alan Bartlett"

becoming root

On 18/04/2008, Akemi Yagi <amyagi@gmail.com> wrote:
On Thu, Apr 17, 2008 at 12:54 PM, Ned Slider <nedslider@pendre.co.uk> wrote:
>
> For everyone else, the link is here:
>
> http://wiki.centos.org/TipsAndTricks/BecomingRoot
>
> We still need a *volunteer* to write something on sudo (and gnome gui if
> anything exists??). Better to volunteer now before I start twisting arms

IF there is no volunteer, I would offer to write the sudo section.
Anyone? Speak up?

Those who really know me, know my active writing days are almost non-existent and also know the reason why. However I'll be happy to read and check it - once written by A.N.Other. :-D


Alan.

 
04-18-2008, 03:10 PM
Nils Ratusznik

becoming root

Akemi Yagi wrote :

IF there is no volunteer, I would offer to write the sudo section.
Anyone? Speak up?

I just started to write something, in 2 parts : a "quick and dirty"
setup, and a more detailed one.
The first part is written, I'm writing the second part at this time, I
hope I'll submit it soon.


Sorry, I forgot to send a mail !

Regards,

Nils
 
04-18-2008, 03:13 PM
"Akemi Yagi"

becoming root

On Fri, Apr 18, 2008 at 8:10 AM, Nils Ratusznik
<nils.ratusznik@gruik.net> wrote:
> Akemi Yagi wrote :
>
> IF there is no volunteer, I would offer to write the sudo section.
> > Anyone? Speak up?
> >
> I just started to write something, in 2 parts : a "quick and dirty" setup,
> and a more detailed one.
> The first part is written, I'm writing the second part at this time, I hope
> I'll submit it soon.
>
> Sorry, I forgot to send a mail !
>
> Regards,
>
> Nils

Excellent! Guess Alan can polish it up if needed :-D

Akemi
 
04-18-2008, 04:40 PM
Nils Ratusznik

becoming root

Akemi Yagi wrote:

Excellent! Guess Alan can polish it up if needed :-D

Akemi

Your help is also welcome

Here is what I wrote. I wrote it without wiki syntax so someone will
surely polish it up.


Regards,

Nils

You don't need to be root every time you want to run some specific administrative tasks.
Thanks to sudo, you can run some or every command as root.

Once sudo is installed (package name : sudo), you can configure it by running visudo as root. Basically, it runs vi on /etc/sudoers, but it is not recommended to do it manually.

If you are on a desktop computer, you will want to be able to do almost everything. So, the quick and dirty way to use sudo would be to add at the end of the sudoers file :

bob ALL=(ALL) ALL

where bob is the name of the user. Save (press escape, then type ZZ), and you are ready to go. Log in as bob, and run for example :

$ sudo yum update

sudo will ask for a password. This password is bob's password, and not root's password, so be careful when you give rights to a user with sudo.


But sudo can do more. We can allow a user or a group of users to run only one command, or a group of commands. Let's go back to our sudoers file (which is, by the way, well commented on CentOS 5).

Let's start with bob and alice, members of a group named admin. If we want every user of "admin" to be able to run every command as root, we can modify our example :

%admin ALL=(ALL) ALL

bob can still do his stuff, and alice is now allowed to run sudo, with the same rights, with her password.

If bob and alice are not in the same group, we can define a user alias in the sudoers file :

User_Alias ADMINS = alice, bob

here we define an alias named ADMINS, with alice and bob as members.

However, we don't want alice and bob to run every command as root, we want them to run only updatedb. Let's define a command alias :

Cmnd_Alias LOCATE = /usr/bin/updatedb

But it's not enough ! We need to tell sudo the users defined in ADMINS can run the commands defined in LOCATE. To do this, we replace the line with "%admin" with this line :

ADMINS ALL = LOCATE

it means that users of alias ADMINS can run ALL the commands in the LOCATE alias.

At this time, /etc/sudoers looks like this :

User_Alias ADMINS = alice, bob
Cmnd_Alias LOCATE = /usr/bin/updatedb
ADMINS ALL = LOCATE

alice and bob should be able to run updatedb as root, by giving their password. If we replace the last line of the file with :

ADMINS ALL = NOPASSWD: LOCATE

alice and bob can run "sudo updatedb" without entering a password. It is possible to add more commands in a command alias and more aliases in the rule.
For example, we can create an alias named NETWORKING containing some networking commands like ifconfig, route or iwconfig :

Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

Let's add this to our /etc/sudoers file (with visudo !), and give it access to our ADMINS group of users, the /etc/sudoers now looks like this :

User_Alias ADMINS = alice, bob
Cmnd_Alias LOCATE = /usr/bin/updatedb
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
ADMINS ALL = LOCATE, NETWORKING

A little try : log in as alice (or bob), and type :

$ ping -c 10 -i 0 localhost

the answer should come quickly :

PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms

Now, let's sudo it :
$ sudo ping -c 10 -i 0 localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.021 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.030 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=5 ttl=64 time=0.017 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=6 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=7 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=8 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=9 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=10 ttl=64 time=0.016 ms

--- localhost.localdomain ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 0.016/0.023/0.049/0.010 ms, ipg/ewma 0.187/0.028 ms

That's it. Now never forget, when using sudo : "with great power comes great responsibility".
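
An added example, not part of Nils's draft or of the CentOS wiki: a Python audit that reads the subset of sudoers syntax used in the draft above (User_Alias, Cmnd_Alias and simple user rules), expands the aliases and reports which users end up with unrestricted or passwordless root. The sample rules are constructed from the draft's lines; the function names are this example's own, and line continuations, Host_Alias, Runas_Alias and Defaults lines are assumed absent or skipped.

```python
import re

# Constructed sample built from the rules in the draft above.
SAMPLE = """\
User_Alias ADMINS = alice, bob
Cmnd_Alias LOCATE = /usr/bin/updatedb
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /sbin/iptables
ADMINS ALL = NOPASSWD: LOCATE, NETWORKING
%admin ALL=(ALL) ALL
"""

ALIAS = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
# who  hosts = [(runas)] [NOPASSWD:] commands
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(\([^)]*\))?\s*(NOPASSWD:)?\s*(.+)$")


def split(items):
    return [i.strip() for i in items.split(",") if i.strip()]


def audit(text):
    """Return one entry per user and rule: expanded commands plus findings."""
    users, cmnds, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS.match(line)
        if m:
            target = users if m.group(1) == "User_Alias" else cmnds
            target[m.group(2)] = split(m.group(3))
        elif RULE.match(line):
            rules.append(RULE.match(line).groups())
    report = []
    for who, _hosts, _runas, nopasswd, spec in rules:
        # Replace each Cmnd_Alias name by its members; keep plain paths as-is.
        cmds = [c for name in split(spec) for c in cmnds.get(name, [name])]
        findings = []
        if "ALL" in cmds:
            findings.append("unrestricted: any command")
        if nopasswd:
            findings.append("NOPASSWD: no password prompt")
        for principal in users.get(who, [who]):
            report.append({"who": principal, "cmds": cmds, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry["who"], entry["cmds"], entry["findings"] or "ok")
```

Syntax itself is best checked with `visudo -c`; this sketch only summarises who ends up with which commands.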
 
04-18-2008, 05:58 PM
Ned Slider

becoming root

Nils Ratusznik wrote:

Akemi Yagi wrote:

Excellent! Guess Alan can polish it up if needed :-D

Akemi

Your help is also welcome

Here is what I wrote. I wrote it without wiki syntax so someone will
surely polish it up.


Regards,

Nils



Thanks Nils

I'm happy to get it on to the Wiki, just that I'm not an "sudoer" so am
unable to adjudge the content technically correct. If someone else can
take part of that aspect, we'll have ourselves a real team (community)
effort.


Regards,

Ned

 
04-18-2008, 06:27 PM
"Akemi Yagi"

becoming root

On Fri, Apr 18, 2008 at 10:58 AM, Ned Slider <nedslider@pendre.co.uk> wrote:
>
> Nils Ratusznik wrote:
>
> > Akemi Yagi wrote:
> >
> > > Excellent! Guess Alan can polish it up if needed :-D
> > > Akemi
> > >
> > Your help is also welcome
> >
> > Here is what I wrote. I wrote it without wiki syntax so someone will
> surely polish it up.
> >
> > Regards,
> >
> > Nils
> >

> Thanks Nils
>
> I'm happy to get it on to the Wiki, just that I'm not an "sudoer" so am
> unable to adjudge the content technically correct. If someone else can take
> part of that aspect, we'll have ourselves a real team (community) effort.
>
> Regards,
>
> Ned

Looking good to me. One thing that may be worth mentioning is that
all sudo commands are logged in /var/log/secure. In the above
example, it will look like:

Apr 18 11:23:17 localhost sudo: bob : TTY=pts/0 ; PWD=/home/bob ;
USER=root ; COMMAND=/bin/ping -c 10 -i 0 localhost

I think this is a nice feature. Commands executed by real root are
not logged except in root's .history file, if I'm not mistaken.

Akemi
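
An added example, not from the thread: a Python parser for sudo entries in /var/log/secure in the format quoted in the message above, separating commands that ran from attempts sudo refused. The log text is a constructed sample (the first entry is the quoted line joined onto one line, the refusal entries and the sshd line are made up in the same format); `parse` and `review` are this example's own names.

```python
import re

# Constructed sample. The first entry is the line quoted above (joined onto one
# line, as syslog writes it); the others are made up in the same format.
SAMPLE = """\
Apr 18 11:23:17 localhost sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ping -c 10 -i 0 localhost
Apr 18 11:25:02 localhost sudo: alice : command not allowed ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Apr 18 11:26:40 localhost sudo: carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/yum update
Apr 18 11:27:00 localhost sshd[2211]: Accepted password for bob from 192.0.2.10 port 50022 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")
FIELDS = {"TTY": "tty", "PWD": "pwd", "USER": "runas"}


def parse(line):
    """Parse one sudo entry; return None for lines not written by sudo."""
    m = LINE.match(line)
    if not m:
        return None
    # COMMAND= is the last field here and may itself contain " ; ": cut it off first.
    head, _, command = m["rest"].partition("COMMAND=")
    event = {"ts": m["ts"], "host": m["host"], "user": m["user"],
             "command": command, "status": "ok"}
    for part in (p.strip() for p in head.split(" ; ")):
        key, sep, value = part.partition("=")
        if sep and key in FIELDS:
            event[FIELDS[key]] = value
        elif part:
            event["status"] = part        # free-text reason for a refusal
    return event


def review(text):
    """Split sudo events into (allowed, refused)."""
    events = [e for e in map(parse, text.splitlines()) if e]
    allowed = [e for e in events if e["status"] == "ok"]
    refused = [e for e in events if e["status"] != "ok"]
    return allowed, refused


if __name__ == "__main__":
    allowed, refused = review(SAMPLE)
    for e in refused:
        print(e["ts"], e["user"], e["status"], "->", e["command"])
```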
 
04-18-2008, 07:09 PM
Manuel Wolfshant

becoming root

On 04/18/2008 09:27 PM, Akemi Yagi wrote:

Looking good to me. One thing that may be worth mentioning is that
all sudo commands are logged in /var/log/secure. In the above
example, it will look like:

Apr 18 11:23:17 localhost sudo: bob : TTY=pts/0 ; PWD=/home/bob ;
USER=root ; COMMAND=/bin/ping -c 10 -i 0 localhost

I think this is a nice feature. Commands executed by real root are
not logged except in root's .history file, if I'm not mistaken.


you are not mistaken

should I mention that my /etc/sudoers ends for quite some time with:
wolfy ALL=(ALL) NOPASSWD: ALL
? neah, guess not
 
