Gentoo Archives: gentoo-doc-cvs

From: Sven Vermeulen <swift@×××××××××××.org>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] cvs commit: sudo-guide.xml
Date: Tue, 02 Aug 2005 18:00:03
Message-Id: 200508021759.j72HxMlB027016@robin.gentoo.org
1 swift 05/08/02 17:59:29
2
3 Modified: xml/htdocs/doc/en metadoc.xml
4 Added: xml/htdocs/doc/en sudo-guide.xml
5 Log:
6 Committing sudo(ers) guide
7
8 Revision Changes Path
9 1.93 +6 -1 xml/htdocs/doc/en/metadoc.xml
10
11 file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/metadoc.xml?rev=1.93&content-type=text/x-cvsweb-markup&cvsroot=gentoo
12 plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/metadoc.xml?rev=1.93&content-type=text/plain&cvsroot=gentoo
13 diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/metadoc.xml.diff?r1=1.92&r2=1.93&cvsroot=gentoo
14
15 Index: metadoc.xml
16 ===================================================================
17 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/metadoc.xml,v
18 retrieving revision 1.92
19 retrieving revision 1.93
20 diff -u -r1.92 -r1.93
21 --- metadoc.xml 1 Aug 2005 15:52:23 -0000 1.92
22 +++ metadoc.xml 2 Aug 2005 17:59:29 -0000 1.93
23 @@ -1,5 +1,5 @@
24 <?xml version='1.0' encoding="UTF-8"?>
25 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/metadoc.xml,v 1.92 2005/08/01 15:52:23 swift Exp $ -->
26 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/metadoc.xml,v 1.93 2005/08/02 17:59:29 swift Exp $ -->
27 <!DOCTYPE metadoc SYSTEM "/dtd/metadoc.dtd">
28
29 <metadoc lang="en">
30 @@ -362,6 +362,7 @@
31 <file id="apache-troubleshooting">/doc/en/apache-troubleshooting.xml</file>
32 <file id="apache-upgrading">/doc/en/apache-upgrading.xml</file>
33 <file id="apache-developer">/doc/en/apache-developer.xml</file>
34 + <file id="sudo-guide">/doc/en/sudo-guide.xml</file>
35 </files>
36 <docs>
37 <doc id="name-logo">
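Review bot: the new file id sudo-guide points at /doc/en/sudo-guide.xml, which matches the link attribute on the guide element of the added file further down in this commit, so the file registration will resolve; the only thing to keep in mind is that the matching docs entry for this id lives in a separate hunk below, so both halves must land together.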
38 @@ -994,5 +995,9 @@
39 <memberof>gentoodev_docs</memberof>
40 <fileid>apache-developer</fileid>
41 </doc>
42 + <doc id="sudo-guide">
43 + <memberof>sysadmin_general</memberof>
44 + <fileid>sudo-guide</fileid>
45 + </doc>
46 </docs>
47 </metadoc>
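Review bot: the fileid sudo-guide matches the id added in the files hunk, so the registration is consistent between the two hunks; the memberof value sysadmin_general is not visible anywhere else in this diff, so confirm it is an existing category id in metadoc.xml before relying on the generated index.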
48
49
50
51 1.1 xml/htdocs/doc/en/sudo-guide.xml
52
53 file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/sudo-guide.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo
54 plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/sudo-guide.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo
55
56 Index: sudo-guide.xml
57 ===================================================================
58 <?xml version='1.0' encoding="UTF-8"?>
59
60 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/sudo-guide.xml,v 1.1 2005/08/02 17:59:29 swift Exp $ -->
61
62 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
63
64 <guide link="/doc/en/sudo-guide.xml">
65 <title>Gentoo Sudo(ers) Guide</title>
66
67 <author title="Author">
68 <mail link="swift@g.o">Sven Vermeulen</mail>
69 </author>
70
71 <abstract>
72 When you want some people to perform certain administrative steps on your
73 system without granting them total root access, using sudo is your best option.
74 With sudo you can control who can do what. This guide offers you a small
75 introduction to this wonderful tool.
76 </abstract>
77
78 <!-- The content of this document is licensed under the CC-BY-SA license -->
79 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
80 <license/>
81
82 <version>1.0</version>
83 <date>2005-08-02</date>
84
85 <chapter>
86 <title>About Sudo</title>
87 <section>
88 <title>Granting Permissions</title>
89 <body>
90
91 <p>
92 The <c>app-admin/sudo</c> package allows the system administrator to grant
93 other users permission to execute one or more applications they would
94 normally have no right to run. Unlike setting the <e>setuid</e> bit on those
95 applications, <c>sudo</c> gives more fine-grained control over <e>who</e> can
96 execute a certain command and <e>when</e>.
97 </p>
98
99 <p>
100 With <c>sudo</c> you can make a clear list of <e>who</e> can execute a certain
101 application. If you set the setuid bit instead, any user would be able to run
102 the application (or any user of a certain group, depending on the permissions
103 used). You can (and probably even should) require the user to provide a password
104 before executing the application, and you can even fine-tune the permissions
105 based on where the user is logged on from: the system itself or a remote site
106 through SSH.
107 </p>
108
109 </body>
110 </section>
111 <section>
112 <title>Logging Activity</title>
113 <body>
114
115 <p>
116 One additional advantage of <c>sudo</c> is that it can log any attempt
117 (successful or not) to run an application. This is very useful if you want to
118 track who made that one fatal mistake that took you 10 hours to fix :)
119 </p>
120
121 </body>
122 </section>
123 <section>
124 <title>Configuring Sudo</title>
125 <body>
126
127 <p>
128 The <c>sudo</c> configuration is managed by the <path>/etc/sudoers</path> file.
129 This file should never be edited through <c>nano&nbsp;/etc/sudoers</c> or
130 <c>vim&nbsp;/etc/sudoers</c> or any other editor you might like. When you want
131 to alter this file, you should use <c>visudo</c>.
132 </p>
133
134 <p>
135 This tool makes sure that no two system administrators are editing this file at
136 the same time, preserves the permissions on the file and performs some syntax
137 checking to make sure you make no fatal mistakes in the file.
138 </p>
139
140 </body>
141 </section>
142 <section>
143 <title>About this Guide</title>
144 <body>
145
146 <p>
147 This guide is meant as a quick introduction. The <c>sudo</c> package is a lot
148 more powerful than what is described here. It has special features for
149 editing files as a different user (<c>sudoedit</c>), running from within a
150 script (so it can run in the background, read the password from standard input
151 instead of the keyboard, ...), etc.
152 </p>
153
154 </body>
155 </section>
156 </chapter>
157
158 <chapter>
159 <title>Sudoers Syntax</title>
160 <section>
161 <title>Basic Syntax</title>
162 <body>
163
164 <p>
165 The most difficult part of <c>sudo</c> is the <path>/etc/sudoers</path> syntax.
166 The basic syntax is like so:
167 </p>
168
169 <pre caption="Basic /etc/sudoers syntax">
170 user host = commands
171 </pre>
172
173 <p>
174 This syntax tells <c>sudo</c> that the user identified by <e>user</e>, when
175 logged on through the system <e>host</e>, can execute any of the commands listed
176 in <e>commands</e> as the root user. A real-life example makes this clearer:
177 allow the user <e>swift</e> to execute <c>emerge</c> if he is logged on from
178 the system itself (not through SSH):
179 </p>
180
181 <pre caption="Live /etc/sudoers examples">
182 swift localhost = /usr/bin/emerge
183 </pre>
184
185 <p>
186 The user name can also be substituted with a group name - in this case you should
187 start the group name with a <c>%</c> sign. For instance, to allow anyone in
188 the <c>wheel</c> group to execute <c>emerge</c>:
189 </p>
190
191 <pre caption="Allowing the wheel group members to execute emerge">
192 %wheel localhost = /usr/bin/emerge
193 </pre>
194
195 <p>
196 You can extend the line to allow for several commands (instead of making a
197 single entry for each command). For instance, to allow the same user to not only
198 run <c>emerge</c> but also <c>ebuild</c> and <c>emerge-webrsync</c> as root:
199 </p>
200
201 <pre caption="Multiple commands">
202 swift localhost = /usr/bin/emerge, /usr/bin/ebuild, /usr/sbin/emerge-webrsync
203 </pre>
204
205 <p>
206 You can also specify a precise command and not only the tool itself. This is
207 useful to restrict the use of a certain tool to a specified set of command
208 options. The <c>sudo</c> tool allows for regular expressions to be used as well.
209 </p>
210
211 <p>
212 Let us put this to the test:
213 </p>
214
215 <pre caption="Attempt to update the system using sudo">
216 $ <i>sudo emerge -uDN world</i>
217
218 We trust you have received the usual lecture from the local System
219 Administrator. It usually boils down to these three things:
220
221 #1) Respect the privacy of others.
222 #2) Think before you type.
223 #3) With great power comes great responsibility.
224
225 Password: <comment>(Enter the user password, not root!)</comment>
226 </pre>
227
228 <p>
229 The password that <c>sudo</c> requires is the user's own password. This is to
230 make sure that a terminal you accidentally left open to others cannot be abused
231 for malicious purposes.
232 </p>
233
234 <p>
235 You should know that <c>sudo</c> does not alter the <c>${PATH}</c> variable: any
236 command you place after <c>sudo</c> is looked up in <e>your</e> environment. If
237 you want the user to run a tool in, for instance, <path>/sbin</path>, he should
238 give <c>sudo</c> the full path to it, like so:
239 </p>
240
241 <pre caption="Using the full path to a tool">
242 $ <i>sudo /usr/sbin/emerge-webrsync</i>
243 </pre>
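<p>
As an added example (not part of this guide or of the sudo project), the
following Python checker parses the basic rule form shown above, resolves a bare
command name through the calling user's PATH as the guide describes, and reports
whether the rules grant the resolved path; the sample sudoers lines, the group
membership and the set of installed binaries are constructed inline.
</p>

```python
"""Checker for the basic /etc/sudoers rule form shown in this guide (added example,
not from the guide or the sudo project). Rules `user host = cmd, cmd` and
`%group host = cmd` are parsed, a bare command is resolved through the invoking
user's PATH as the guide describes, and the rules decide on the resolved path.
Group membership and installed binaries are constructed inline, not read from disk."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample mirroring the guide's examples; '#' starts a comment.
SAMPLE_SUDOERS = """
swift  localhost = /usr/bin/emerge, /usr/bin/ebuild, /usr/sbin/emerge-webrsync
%wheel localhost = /usr/bin/emerge
"""
# Constructed stand-ins for the filesystem and for /etc/group.
INSTALLED = {"/usr/bin/emerge", "/usr/bin/ebuild", "/usr/sbin/emerge-webrsync"}
GROUPS: Dict[str, Set[str]] = {"swift": {"wheel", "users"}, "alice": {"wheel"}}

def parse_sudoers(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (user-or-%group, host, [full command paths]) per rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, _, rhs = line.partition("=")
        who, host = lhs.split()
        rules.append((who, host, [c.strip() for c in rhs.split(",") if c.strip()]))
    return rules

def resolve(command: str, user_path: List[str]) -> Optional[str]:
    """Map what the user typed to a full path using *their* PATH, as sudo does."""
    if command.startswith("/"):
        return command if command in INSTALLED else None
    for directory in user_path:
        if f"{directory}/{command}" in INSTALLED:
            return f"{directory}/{command}"
    return None  # not on the user's PATH: sudo cannot find it, no rule applies

def may_run(rules, user: str, host: str, command: str, user_path: List[str]) -> bool:
    """True if a rule grants the resolved command to the user (or a group) on host."""
    full = resolve(command, user_path)
    if full is None:
        return False
    for who, rule_host, commands in rules:
        if rule_host != host:
            continue
        allowed_for = who[1:] in GROUPS.get(user, set()) if who.startswith("%") else who == user
        if allowed_for and full in commands:  # exact path match only, as in the guide
            return True
    return False
```

With a PATH that lacks <path>/usr/sbin</path>, <c>emerge-webrsync</c> typed bare is refused while its full path is granted, which is exactly the behaviour the paragraph above describes.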
244
245 </body>
246 </section>
247 <section>
248 <title>Using Aliases</title>
249 <body>
250
251 <p>
252 In larger environments, having to enter all users (or hosts, or commands) over
253 and over again can be a daunting task. To ease the administration of
254 <path>/etc/sudoers</path> you can define <e>aliases</e>. The format to declare
255 aliases is quite simple:
256 </p>
257
258
259
260 --
261 gentoo-doc-cvs@g.o mailing list