Saturday, October 10, 2009

Sudo: How to provide access rights to a user?

The syntax of the file is pretty explanatory,

Quote:

user MACHINE=COMMANDS

So if the username is 'eth1' and you want to provide access to the command /sbin/mount to the user then,

Quote:

eth1 ALL=/sbin/mount

Example:
Quote:
username ALL=NOPASSWD: /sbin/fdisk

Find out the path of command using

which fdisk or etc..

Also, You can also split the specifications up using User_Alias and Cmnd_Alias to make it a little easier to organize.
Here is a contrived example for ya'.


Code:
### User Aliases

## This is a list of users that have the ability to sudo the same commands.
User_Alias USERLST1=user1,user2

## This group has the ability to sudo the same commands.
## 'webadmgp' is a primary or secondary group that some of your users have.
User_Alias WEBGROUP=%webadmgp


### Command Aliases

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Webadmin
Cmnd_Alias WEBADMIN = /etc/rc.d/init.d/httpd


### The Commands Section

## The USERLST1 users (user1 and user2) can sudo all the commands listed in Cmnd_Alias STORAGE.
## They don't need to enter a password.

USERLST1 ALL=NOPASSWD: STORAGE

## The WEBGROUP users (every user that has 'webadmgp' as a primary or secondary group)
## can sudo all of the commands listed in the NETWORKING an WEBADMIN Cmnd_Alias lists.
## They don't need to enter a password either.

WEBGROUP ALL=NOPASSWD: NETWORKING,WEBADMINWhere things go doesn't seem to be important.

When you save the file, 'visudo' will tell you if you have a syntax error or some inconsistancy.

And be careful if you cut and paste into the file. If you cut a single long line that has wrapped on your screen, it'll paste in as multiple lines. When you file, 'visudo' will complain...

1 comment: