swift 05/08/02 17:59:29

Modified: xml/htdocs/doc/en metadoc.xml
Added: xml/htdocs/doc/en sudo-guide.xml
Log:
Committing sudo(ers) guide

Revision Changes Path
1.93 +6 -1 xml/htdocs/doc/en/metadoc.xml

file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/metadoc.xml?rev=1.93&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/metadoc.xml?rev=1.93&content-type=text/plain&cvsroot=gentoo
diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/metadoc.xml.diff?r1=1.92&r2=1.93&cvsroot=gentoo

Index: metadoc.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/metadoc.xml,v
retrieving revision 1.92
retrieving revision 1.93
diff -u -r1.92 -r1.93
--- metadoc.xml 1 Aug 2005 15:52:23 -0000 1.92
+++ metadoc.xml 2 Aug 2005 17:59:29 -0000 1.93
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding="UTF-8"?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/metadoc.xml,v 1.92 2005/08/01 15:52:23 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/metadoc.xml,v 1.93 2005/08/02 17:59:29 swift Exp $ -->
<!DOCTYPE metadoc SYSTEM "/dtd/metadoc.dtd">

<metadoc lang="en">
@@ -362,6 +362,7 @@
<file id="apache-troubleshooting">/doc/en/apache-troubleshooting.xml</file>
<file id="apache-upgrading">/doc/en/apache-upgrading.xml</file>
<file id="apache-developer">/doc/en/apache-developer.xml</file>
+ <file id="sudo-guide">/doc/en/sudo-guide.xml</file>
</files>
<docs>
<doc id="name-logo">
@@ -994,5 +995,9 @@
<memberof>gentoodev_docs</memberof>
<fileid>apache-developer</fileid>
</doc>
+ <doc id="sudo-guide">
+ <memberof>sysadmin_general</memberof>
+ <fileid>sudo-guide</fileid>
+ </doc>
</docs>
</metadoc>
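Review bot: before this entry makes the guide visible under sysadmin_general, confirm that the complete sudo-guide.xml was committed: the file listing in this same mail ends right after "The format to declare aliases is quite simple:" with no alias declaration and no closing </body>, </section>, </chapter> or </guide> following. The <fileid>sudo-guide</fileid> here does match the <file id="sudo-guide"> added in the previous hunk, so the cross-reference itself resolves.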

1.1 xml/htdocs/doc/en/sudo-guide.xml

file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/sudo-guide.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/sudo-guide.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo

Index: sudo-guide.xml
===================================================================
<?xml version='1.0' encoding="UTF-8"?>

<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/sudo-guide.xml,v 1.1 2005/08/02 17:59:29 swift Exp $ -->

<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/sudo-guide.xml">
<title>Gentoo Sudo(ers) Guide</title>

<author title="Author">
<mail link="swift@g.o">Sven Vermeulen</mail>
</author>

<abstract>
When you want some people to perform certain administrative steps on your
system without granting them total root access, using sudo is your best option.
With sudo you can control who can do what. This guide offers you a small
introduction to this wonderful tool.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

<version>1.0</version>
<date>2005-08-02</date>

<chapter>
<title>About Sudo</title>
<section>
<title>Granting Permissions</title>
<body>

<p>
The <c>app-admin/sudo</c> package allows the system administrator to grant
other users permission to execute one or more applications they would
normally have no right to run. Unlike setting the <e>setuid</e> bit on these
applications, <c>sudo</c> gives more fine-grained control over <e>who</e> can
execute a certain command and <e>when</e>.
</p>

<p>
With <c>sudo</c> you can make a clear list of <e>who</e> can execute a certain
application. If you set the setuid bit instead, any user would be able to run
the application (or any user of a certain group, depending on the permissions
used). You can (and probably even should) require the user to provide a
password when he wants to execute the application, and you can even fine-tune
the permissions based on where the user is logged on from: the system itself
or a remote site through SSH.
</p>

</body>
</section>
<section>
<title>Logging Activity</title>
<body>

<p>
One additional advantage of <c>sudo</c> is that it can log any attempt
(successful or not) to run an application. This is very useful if you want to
track who made that one fatal mistake that took you 10 hours to fix :)
</p>

</body>
</section>
<section>
<title>Configuring Sudo</title>
<body>

<p>
The <c>sudo</c> configuration is managed by the <path>/etc/sudoers</path> file.
This file should never be edited through <c>nano /etc/sudoers</c> or
<c>vim /etc/sudoers</c> or any other editor you might like. When you want
to alter this file, you should use <c>visudo</c>.
</p>

<p>
This tool makes sure that no two system administrators are editing this file at
the same time, preserves the permissions on the file and performs some syntax
checking to make sure you make no fatal mistakes in the file.
</p>

</body>
</section>
<section>
<title>About this Guide</title>
<body>

<p>
This guide is meant as a quick introduction. The <c>sudo</c> package is a lot
more powerful than what is described in this guide. It has special features for
editing files as a different user (<c>sudoedit</c>), running from within a
script (so it can run in the background, read the password from standard input
instead of the keyboard, ...), etc.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Sudoers Syntax</title>
<section>
<title>Basic Syntax</title>
<body>

<p>
The most difficult part of <c>sudo</c> is the <path>/etc/sudoers</path> syntax.
The basic syntax is like so:
</p>

<pre caption="Basic /etc/sudoers syntax">
user host = commands
</pre>

<p>
This syntax tells <c>sudo</c> that the user, identified by <e>user</e> and
logged on through the system <e>host</e>, can execute any of the commands listed
in <e>commands</e> as the root user. A more real-life example might make this
clearer: allow the user <e>swift</e> to execute <c>emerge</c> if he is logged
on from the system itself (not through SSH):
</p>

<pre caption="Live /etc/sudoers examples">
swift localhost = /usr/bin/emerge
</pre>

<p>
The user name can also be substituted with a group name; in this case you should
start the group name with a <c>%</c> sign. For instance, to allow anyone in
the <c>wheel</c> group to execute <c>emerge</c>:
</p>

<pre caption="Allowing the wheel group members to execute emerge">
%wheel localhost = /usr/bin/emerge
</pre>

<p>
You can extend the line to allow for several commands (instead of making a
single entry for each command). For instance, to allow the same user to not only
run <c>emerge</c> but also <c>ebuild</c> and <c>emerge-webrsync</c> as root:
</p>

<pre caption="Multiple commands">
swift localhost = /usr/bin/emerge, /usr/bin/ebuild, /usr/sbin/emerge-webrsync
</pre>

<p>
You can also specify a precise command line and not only the tool itself. This
is useful to restrict the use of a certain tool to a specified set of command
options. The <c>sudo</c> tool allows for regular expressions to be used as well.
</p>

<p>
Let us put this to the test:
</p>

<pre caption="Attempt to update the system using sudo">
$ <i>sudo emerge -uDN world</i>

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password: <comment>(Enter the user password, not root!)</comment>
</pre>

<p>
The password that <c>sudo</c> requires is the user's own password. This is to
make sure that no terminal that you accidentally left open to others is abused
for malicious purposes.
</p>

<p>
You should know that <c>sudo</c> does not alter the <c>${PATH}</c> variable: any
command you place after <c>sudo</c> is resolved using <e>your</e> environment. If
you want the user to run a tool in, for instance, <path>/sbin</path>, he should
provide the full path to <c>sudo</c>, like so:
</p>

<pre caption="Using the full path to a tool">
$ <i>sudo /usr/sbin/emerge-webrsync</i>
</pre>

</body>
</section>
<section>
<title>Using Aliases</title>
<body>

<p>
In larger environments, having to enter all users over and over again (or hosts,
or commands) can be a daunting task. To ease the administration of
<path>/etc/sudoers</path> you can define <e>aliases</e>. The format to declare
aliases is quite simple:
</p>

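As an added illustration of the rule forms in the committed guide (example code, not part of the guide or of sudo itself), this Python toy decides a request the way the guide describes: the host must match, a <c>%group</c> entry is checked against group membership, and a bare command name is looked up through the caller's own PATH, so a tool in <path>/usr/sbin</path> only matches when its full path is given. The sudoers text, the group map and the PATH table are constructed stand-ins; real sudo also handles aliases, tags and wildcards, which this toy ignores.

```python
from collections import namedtuple

# Constructed /etc/sudoers fragment mirroring the guide's example rules.
SUDOERS = """\
# blank lines and comments are ignored
swift localhost = /usr/bin/emerge, /usr/bin/ebuild, /usr/sbin/emerge-webrsync
%wheel localhost = /usr/bin/emerge
"""

# Constructed stand-ins for what real sudo asks the system for: group
# membership, and the caller's own PATH (no /usr/sbin in it, as for a user).
GROUPS = {"wheel": {"swift", "alice"}}
CALLER_PATH = {"emerge": "/usr/bin/emerge", "ebuild": "/usr/bin/ebuild"}

# who is a user name or "%group"; commands are absolute paths (any arguments)
Rule = namedtuple("Rule", "who host commands")


def parse_sudoers(text):
    """Parse 'who host = cmd, cmd' lines; no aliases, tags or wildcards."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, rhs = line.split("=", 1)
        who, host = lhs.split()
        cmds = tuple(c.strip() for c in rhs.split(","))
        if any(not c.startswith("/") for c in cmds):
            raise ValueError(f"commands must be absolute paths: {line!r}")
        rules.append(Rule(who, host, cmds))
    return rules


def is_permitted(rules, user, host, argv, groups=GROUPS, path=CALLER_PATH):
    """Would 'sudo argv...' run as root for user logged on at host?"""
    cmd = argv[0] if argv[0].startswith("/") else path.get(argv[0])
    if cmd is None:          # not on the caller's PATH: command not found
        return False
    for rule in rules:
        if rule.host != host:
            continue
        if rule.who.startswith("%"):
            if user not in groups.get(rule.who[1:], set()):
                continue
        elif rule.who != user:
            continue
        if cmd in rule.commands:   # bare command in sudoers: any args allowed
            return True
    return False
```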
--
gentoo-doc-cvs@g.o mailing list