![]() I do like that Red Hat-based distributions tend to have default configuration files with lots of comments and examples to provide guidance. Hopefully, it won’t be quite so obscure for you by the time we get through. I found it very confusing the first time I encountered it. I have copied the entire sudoers file in Figure 1 from the host on which I am using it in order to deconstruct it for you. This flexibility is key to both the power and the simplicity of using sudo for delegation. It allows these functions to be delegated while protecting the security of the root password.Īs a sysadmin, I can use the /etc/sudoers file to allow users or groups of users access to a single command, defined groups of commands, or all commands. It can allow the sysadmin to delegate authority for managing network functions or specific services to a single person or to a group of trusted users. However, sudo can be used to do so much more. I have done this to delegate authority to run a single program to myself and one other user. I can see who did what and whether they actually entered the command correctly. I find that having the log of each command run by sudo to be helpful in training. This data is logged in /var/log/security. sudo also logs the facts of the access to myprog with the date and time the program was run, the complete command, and the user who ran it. After ruser enters their own password, the program is run. If so, sudo requests that the user enter their own password – not the root password. The sudo program checks the /etc/sudoers file and verifies that ruser is permitted to run myprog. The user then uses the following command to run myprog. First, the user logs in as ruser with their own password. Let’s assume, for example, that I have given regular user, “ruser,” access to my Bash program, myprog, which must be run as root in order to perform part of its functions. It allows me to perform that delegation without compromising the root password and thus maintain a high level of security on the host. The sudo program is a handy tool that allows me as a sysadmin with root access to delegate responsibility for all or a few administrative tasks to other users of the computer as I see fit. This protects the system against accidental damage such as that caused by my own stupidity and intentional damage by a user with malicious intent. Many Linux commands require the user to be root in order to run. So I write scripts to automate those tasks and use sudo to anoint a couple of users to run the scripts. Even when I am present, as the “Lazy SysAdmin,” I like to have others do my work for me. It is not that I cannot run the program myself, but I am not always there for various reasons such as travel and illness. Unfortunately, this organization has only a couple of people besides myself who have any interest in administering our audio and computer systems, which puts me in the position of finding semi-technical people to train to login to the computer we use to perform the transfer and run this little program. My program, wonderful as it is, needs to run as root in order to perform its primary functions. ![]() This nice little program has a few options such as -h to display help, -t for test mode and a couple of others. It also deletes all of the files on the USB drive after verifying that the transfer has taken place correctly. My program does a few other things, like changing the name of the files before they are copied so that they are automatically sorted by date on the web page.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |