Sudo is a standard way to give users some administrative rights without giving out the root password. Sudo is very useful in a multi user environment with a mix of server and workstations. Simply call the command with sudo:
# sudo /etc/init.d/dhcpd restart # Run the rc script as root
# sudo -u sysadmin whoami # Run cmd as an other user
Sudo is configured in /etc/sudoers and must only be edited with visudo. The basic syntax is (the lists are comma separated):
user hosts = (runas) commands # In /etc/sudoers
users one or more users or %group (like %wheel) to gain the rights
hosts list of hosts (or ALL)
runas list of users (or ALL) that the rule can be run as and enclosed in ( )!
commands list of commands (or ALL) that will be run as root or as (runas)
Additionally those keywords can be defined as alias, they are called User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias.
# cat /etc/sudoers
# Host aliases are subnets or hostnames.
Host_Alias DMZ = 212.118.81.40/28
Host_Alias DESKTOP = work1, work2
# User aliases are a list of users which can have the same rights
User_Alias ADMINS = colin, luca, admin
User_Alias DEVEL = joe, jack, julia
Runas_Alias DBA = oracle,pgsql
# Command aliases define the full path of a list of commands
# The actual rules
root,ADMINS ALL = (ALL) NOPASSWD: ALL # ADMINS can do anything w/o a password.
DEVEL DESKTOP = (ALL) NOPASSWD: ALL # Developers have full right on desktops
DEVEL DMZ =(ALL) NOPASSWD: DEBUG # Developers can debug the DMZ servers.
# User sysadmin can mess around in the DMZ servers with some commands.
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL # Can do anything outside the DMZ.
%dba ALL = (DBA) ALL # Group dba can run as database user
# anyone can mount/unmount a cd-rom on the desktop machines
ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
# sudo /etc/init.d/dhcpd restart # Run the rc script as root
# sudo -u sysadmin whoami # Run cmd as an other user
Sudo is configured in /etc/sudoers and must only be edited with visudo. The basic syntax is (the lists are comma separated):
user hosts = (runas) commands # In /etc/sudoers
users one or more users or %group (like %wheel) to gain the rights
hosts list of hosts (or ALL)
runas list of users (or ALL) that the rule can be run as and enclosed in ( )!
commands list of commands (or ALL) that will be run as root or as (runas)
Additionally those keywords can be defined as alias, they are called User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias.
# cat /etc/sudoers
# Host aliases are subnets or hostnames.
Host_Alias DMZ = 212.118.81.40/28
Host_Alias DESKTOP = work1, work2
# User aliases are a list of users which can have the same rights
User_Alias ADMINS = colin, luca, admin
User_Alias DEVEL = joe, jack, julia
Runas_Alias DBA = oracle,pgsql
# Command aliases define the full path of a list of commands
Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root # Not root pwd!
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
# The actual rules
root,ADMINS ALL = (ALL) NOPASSWD: ALL # ADMINS can do anything w/o a password.
DEVEL DESKTOP = (ALL) NOPASSWD: ALL # Developers have full right on desktops
DEVEL DMZ =(ALL) NOPASSWD: DEBUG # Developers can debug the DMZ servers.
# User sysadmin can mess around in the DMZ servers with some commands.
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL # Can do anything outside the DMZ.
%dba ALL = (DBA) ALL # Group dba can run as database user
# anyone can mount/unmount a cd-rom on the desktop machines
ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
Terima kasih telah membaca artikel tentang How to enable sudo for normmal users di blog Tutorial Opensource and Linux jika anda ingin menyebar luaskan artikel ini di mohon untuk mencantumkan link sebagai Sumbernya, dan bila artikel ini bermanfaat silakan bookmark halaman ini di web browser anda, dengan cara menekan Ctrl + D pada tombol keyboard anda.
