Overview of the sudo configuration file /etc/sudoers

    The sudo command lets a user run commands that would otherwise be reserved for another user (typically root). For security reasons, the set of commands a given user may run this way often has to be limited. To restrict what a user who invokes sudo can execute as another user, we edit the /etc/sudoers file, either directly or indirectly through the visudo command. The following example (rendered as bash-style code for readability) illustrates the format:
# Define aliases for machines in CS & Physics departments.
Host_Alias CS = tigger, anchor, piper, moer, sigi
Host_Alias PHYSICS = eprince, pprince, icarus

# Define collections of commands.
Cmnd_Alias DUMP = /sbin/dump, /sbin/restore
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/bash, /bin/ash, /bin/bsh

# Permissions.
mark,ed  PHYSICS = ALL
herb     CS = /usr/sbin/tcpdump: PHYSICS = (operator)DUMP
lynda    ALL = (ALL)ALL, !SHELLS
%wheel   ALL, !PHYSICS = NOPASSWD: PRINTING

    The first five non-comment lines define the host and command aliases that the permission rules below (the Permissions section) refer to. Each line in that section carries the following information (sudo's built-in keyword ALL matches everything):
    * The user (or %group) to which this line applies.
    * The hosts to which this line applies.
    * The user the commands may be run as (in parentheses; if omitted, root).
    * The commands the user may run (best written as absolute paths).
    The first permission line lets users mark and ed run all commands on the machines in the PHYSICS group, but only as root.
    The second line lets user herb run the tcpdump command as root on the CS group machines, and the DUMP group commands on the PHYSICS group machines, but only as the operator user. The command herb actually types would then look like this:
    $ sudo -u operator /sbin/dump 0u /dev/hda2
    The third line lets user lynda run any command except those in the SHELLS group, on any machine, as any user. Note, however, that although she cannot run a SHELLS command directly, she can still get the same effect indirectly, for example like this:
    $ cp -p /bin/bash /tmp/bash
    $ sudo /tmp/bash
    In general, any "everything except ..." rule can be sidestepped in this way: a ! entry only excludes the exact paths it names, not copies of the same program elsewhere.
    The last line lets members of the wheel group run the PRINTING group commands on any machine outside the PHYSICS group, without being asked for a password (NOPASSWD).
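    To make the rule semantics above concrete, here is an added example (not part of the original post, and not sudo's own parser): a toy evaluator for the sudoers text shown above. It models only the constructs that example uses (Host_Alias, Cmnd_Alias, comma lists, ! negation, (runas) specs, NOPASSWD, ALL) together with sudo's last-match-wins evaluation, which is exactly why "ALL, !SHELLS" blocks /bin/bash but not a copy at /tmp/bash. The group membership (wheel = {alice}) and the check() / decide() functions are constructed for the example.

```python
"""Toy evaluator for the sudoers example above (added illustration, not sudo's
own parser).  Supports Host_Alias, Cmnd_Alias, comma lists, '!' negation,
(runas) specs, the NOPASSWD tag, ALL, and last-match-wins evaluation."""
import re

# The sudoers rules from the page, embedded so the script runs offline.
SUDOERS = """
Host_Alias CS = tigger, anchor, piper, moer, sigi
Host_Alias PHYSICS = eprince, pprince, icarus
Cmnd_Alias DUMP = /sbin/dump, /sbin/restore
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/bash, /bin/ash, /bin/bsh
mark,ed  PHYSICS = ALL
herb     CS = /usr/sbin/tcpdump: PHYSICS = (operator)DUMP
lynda    ALL = (ALL)ALL, !SHELLS
%wheel   ALL, !PHYSICS = NOPASSWD: PRINTING
"""

# Constructed group membership; a real system would consult getgrnam().
GROUPS = {"wheel": {"alice"}}
TAGS = {"NOPASSWD", "PASSWD"}


def split_list(text):
    return [t.strip() for t in text.split(",") if t.strip()]


def parse(text):
    """Return (host_aliases, cmnd_aliases, rules).  Each rule is
    (user_list, host_list, [(runas_list, tags, command_token), ...])."""
    hosts, cmnds, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head, rest = line.split(None, 1)
        if head in ("Host_Alias", "Cmnd_Alias"):
            name, members = rest.split("=", 1)
            table = hosts if head == "Host_Alias" else cmnds
            table[name.strip()] = split_list(members)
            continue
        # 'NOPASSWD:' carries a colon of its own; neutralise it before splitting
        # the line into its 'host = command' groups on ':'.
        rest = re.sub(r"\b(NOPASSWD|PASSWD)\s*:", r"\1 ", rest)
        for spec in rest.split(":"):
            host_part, cmd_part = spec.split("=", 1)
            entries, runas, tags = [], ["root"], set()  # both persist along the list
            for entry in split_list(cmd_part):
                words = entry.split()
                tags |= {w for w in words if w in TAGS}
                token = " ".join(w for w in words if w not in TAGS)
                m = re.match(r"\((.*?)\)\s*(.*)", token)
                if m:
                    runas, token = split_list(m.group(1)), m.group(2)
                entries.append((runas, set(tags), token))
            rules.append((split_list(head), split_list(host_part), entries))
    return hosts, cmnds, rules


def match_list(items, value, aliases):
    """Evaluate a comma list such as 'ALL, !PHYSICS' against one value.
    Later entries override earlier ones; None means nothing matched at all."""
    result = None
    for item in items:
        name = item.lstrip("!").strip()
        members = aliases.get(name, [name])
        if "ALL" in members or value in members:
            result = not item.startswith("!")
    return result


def user_matches(user_list, user, groups):
    return any(u in ("ALL", user) or (u.startswith("%") and user in groups.get(u[1:], ()))
               for u in user_list)


def check(sudoers, groups, user, host, command, runas="root"):
    """Decide whether `user` on `host` may run `sudo -u runas command`.
    Returns (allowed, nopasswd).  Only the command path is compared, because
    a sudoers command without an argument list matches any arguments."""
    hosts, cmnds, rules = sudoers
    path = command.split()[0]
    allowed, nopasswd = False, False
    for users, host_list, entries in rules:
        if not user_matches(users, user, groups) or match_list(host_list, host, hosts) is not True:
            continue
        for runas_list, tags, token in entries:
            if "ALL" not in runas_list and runas not in runas_list:
                continue
            verdict = match_list([token], path, cmnds)
            if verdict is not None:  # last match wins, as in sudo
                allowed, nopasswd = verdict, "NOPASSWD" in tags
    return allowed, nopasswd


PARSED = parse(SUDOERS)


def decide(user, host, command, runas="root"):
    return check(PARSED, GROUPS, user, host, command, runas)


if __name__ == "__main__":
    for args in [("herb", "eprince", "/sbin/dump 0u /dev/hda2", "operator"),
                 ("lynda", "tigger", "/bin/bash"),
                 ("lynda", "tigger", "/tmp/bash"),
                 ("alice", "tigger", "/usr/sbin/lpc"),
                 ("alice", "icarus", "/usr/sbin/lpc")]:
        print(args, "->", decide(*args))
```

    Running it shows lynda denied for /bin/bash but allowed for /tmp/bash, which is the bypass the text describes, and alice (in wheel) allowed lpc without a password on tigger but refused on icarus. On a real host, the authoritative checks are `visudo -cf FILE` to validate a sudoers file's syntax before installing it and `sudo -l -U USER` to print what sudo itself has resolved for a user; a rule that only lists exceptions should be replaced by an explicit allowlist of the commands the user actually needs.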

Origin http://43.154.161.224:23101/article/api/json?id=326081344&siteId=291194637