2009-06-18

sudo - How to create another root (equivalent) account on Linux or FreeBSD

The usual root account is meant for critical tasks, such as single-user mode operations. It holds all the power of the system, as well as the power of destruction (try "rm -rf /" :p). That's the reason why a lot of companies have a policy to seal the root account, or put up enough red tape that one gives up requesting to use it. But sealing the root account makes daily routine system administration tasks difficult to execute.

No worries: sudo is the tool to give another account root privileges, or to control access to critical commands, on a Linux or BSD box. Every command that runs through sudo is logged to /var/log/auth.log.

- use
visudo
to configure which users can run privileged commands through sudo. The editor also checks the syntax for typos when you save.

- the syntax to let a user run any command without being prompted for a password is:
<username> ALL=NOPASSWD: ALL
e.g.
joe ALL=NOPASSWD: ALL
The above line lets the user "joe" run any privileged command with sudo without being prompted for a password.

- similarly, the syntax below makes the user "bob" enter his password every time he runs a command with sudo:
<username> ALL=ALL
e.g. (the PASSWD: tag is the default, so it may also be omitted)
bob ALL=PASSWD:ALL

- to prevent a sudo user from running certain commands, the syntax is:
<username>   ALL=NOPASSWD: ALL, !<command with full path>
e.g.
joe ALL=NOPASSWD:ALL, !/bin/su
this would prevent the user joe from running the "su" command.

- sudo also supports grouping to ease user management:
User_Alias      <group name> = user1, user2, userblahblah
e.g.
User_Alias superusers=bob, joe

User_Alias normalusers=tom, dick, harry

superusers ALL=NOPASSWD: ALL
normalusers ALL=ALL, !/usr/bin/su
this would allow users in the group "superusers" to run any command without a password, and users in the group "normalusers" to run all commands (except "su") with password authentication.

Annyong-hi kyeshipshio !!!
