# Define aliases for machines in CS & Physics departments.
Host_Alias CS = tigger, anchor, piper, moer, sigi
Host_Alias PHYSICS = eprince, pprince, icarus

# Define collections of commands.
Cmnd_Alias DUMP = /sbin/dump, /sbin/restore
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/bash, /bin/ash, /bin/bsh

# Permissions.
mark, ed PHYSICS = ALL
herb CS = /usr/sbin/tcpdump : PHYSICS = (operator) DUMP
lynda ALL = (ALL) ALL, !SHELLS
%wheel ALL, !PHYSICS = NOPASSWD: PRINTING
The first 5 non-commented lines define host aliases and command aliases that are used when defining permissions (the Permissions section). Each permission line contains the following information (sudo's built-in keyword ALL means "allow all"):
* The user to which this line applies.
* The host to which this line applies.
* The user the commands may be run as (given in parentheses; the default is root).
* The commands that the user can run (preferably written as absolute paths).
The first permission line applies to users mark and ed on machines in the PHYSICS group; they can execute all commands, but only as root.
The second permission line allows the user herb to run the tcpdump command as root on machines in the CS group, and also to run the DUMP group commands on machines in the PHYSICS group, but only as the operator user. In that case, the actual command entered by the user herb is similar to the following:
$ sudo -u operator /sbin/dump 0u /dev/hda2
The third line shows that user lynda can run all commands except those in the SHELLS group on any machine as any user. Note, however, that although lynda cannot execute the SHELLS group commands directly, they can still be executed indirectly in other ways, for example:
$ cp -p /bin/bash /tmp/bash
$ sudo /tmp/bash
In general, any setting "except... Commands other than .
The last line indicates that users in the wheel group can run the PRINTING group commands on machines other than those in the PHYSICS group, and that running these commands does not require a password (NOPASSWD).
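The lynda rule is the pattern to look for when auditing a sudoers file. The following added example (not part of the original page) is a small Python check that flags rules granting ALL minus negated commands and lists the exact paths the negation covers. It assumes one rule per line with no line continuations or escaped separators; the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed input: the rules from this page, one per line.
SAMPLE = """\
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/bash, /bin/ash, /bin/bsh
mark, ed PHYSICS = ALL
herb CS = /usr/sbin/tcpdump : PHYSICS = (operator) DUMP
lynda ALL = (ALL) ALL, !SHELLS
%wheel ALL, !PHYSICS = NOPASSWD: PRINTING
"""

CMND_ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SKIP = re.compile(r"^(#|Defaults|(User|Runas|Host)_Alias\b)")
RUNAS = re.compile(r"\([^)]*\)")            # (operator), (ALL), (root, www)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")     # NOPASSWD:, NOEXEC:, ...

def command_lists(rule):
    """Yield the command list of every 'hosts = commands' part of one rule."""
    parts = rule.split("=")
    for i, part in enumerate(parts[1:], start=1):
        if i < len(parts) - 1:               # cut the ': next-hosts' tail
            part = part.rsplit(":", 1)[0]
        cmds = RUNAS.sub("", part).split(",")
        yield [TAGS.sub("", c.strip()) for c in cmds]

def find_denylist_rules(text):
    """Return (user, negated entry, paths it expands to) for 'ALL, !X' rules."""
    aliases, findings = {}, []
    for line in map(str.strip, text.splitlines()):
        m = CMND_ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [p.strip() for p in m.group(2).split(",")]
        elif line and not SKIP.match(line):
            user = re.sub(r"\s*,\s*", ",", line.split("=")[0]).split()[0]
            for cmds in command_lists(line):
                if "ALL" not in cmds:
                    continue
                for neg in (c[1:].strip() for c in cmds if c.startswith("!")):
                    findings.append((user, neg, aliases.get(neg, [neg])))
    return findings

if __name__ == "__main__":
    for user, neg, paths in find_denylist_rules(SAMPLE):
        print(f"{user}: ALL minus {neg} only blocks these exact paths: {paths}")
```

The %wheel rule is not reported because its `!PHYSICS` negates hosts, not commands.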