| Tips Linux Explorers | All Things Linux Forum | Great Linux Links | LinuxClues.com | Hometown |
CODE:
$ sudo mount /dev/hda7 /mnt/loop
CODE:
# vi /etc/sudoers
CODE:
$ su
<password>
# visudo
QUOTE (Text @ Sudoers File):

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
QUOTE (Text @ Sudoers File):

# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

QUOTE (Text @ Sudoers File):

# %wheel        ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
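The two sample rule styles above (a narrow mount/umount grant versus a blanket %wheel grant, with or without NOPASSWD) differ a lot in what they hand out. The script below is an added example, not part of Bruno's post or of the sudo project: a read-only audit of a sudoers-style file that flags NOPASSWD grants, rules whose command list is ALL, and rules naming a shell, su, or an editor/pager with shell escapes. The SAMPLE_SUDOERS content, the function names and the tag names are all constructed for the example; editing a real file is still done with visudo.

```shell
#!/bin/sh
# Added example, not from Bruno's post: a read-only audit of a sudoers-style
# file for the risks the post's sudoers samples and the sudo man page raise:
# NOPASSWD grants, and command lists that leave the user with an unlogged
# root shell (ALL, su, shells, editors/pagers with shell escapes).

# Constructed sample sudoers content; not any real system's file.
SAMPLE_SUDOERS='# sudoers file.
root    ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
%users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users  localhost=/sbin/shutdown -h now
alice   ALL=/usr/bin/vi
bob     ALL=(ALL) /bin/su'

# active_lines <text>: drop comments and blank lines, leaving rules only.
active_lines() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d'
}

# audit_sudoers <text>: print one line per risky rule, prefixed with tags.
#   NOPASSWD      - rule runs without re-authentication
#   ALL-COMMANDS  - command list is ALL, so any shell is reachable
#   SHELL-ESCAPE  - command list names a shell, su, or an editor/pager
audit_sudoers() {
    active_lines "$1" | awk '
    {
        tags = ""
        if ($0 ~ /NOPASSWD:/) tags = tags "NOPASSWD "
        cmds = $0
        sub(/^[^=]*=/, "", cmds)                               # keep text after first "="
        sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", cmds)    # drop "(runas)" spec
        sub(/^[[:space:]]*NOPASSWD:[[:space:]]*/, "", cmds)    # drop the NOPASSWD tag
        if (cmds ~ /(^|[[:space:],])ALL([[:space:],]|$)/) tags = tags "ALL-COMMANDS "
        if (cmds ~ /(^|[[:space:],]|\/)(su|sh|bash|zsh|ksh|csh|vi|vim|nano|emacs|less|more)([[:space:],]|$)/)
            tags = tags "SHELL-ESCAPE "
        if (tags != "") print tags ":: " $0
    }'
}

# count_tag <text> <tag>: number of risky rules carrying <tag>.
count_tag() {
    audit_sudoers "$1" | grep -c -- "$2" || true
}

audit_sudoers "$SAMPLE_SUDOERS"
```

On the constructed sample this reports four rules: root and %wheel as ALL-COMMANDS (the %wheel one also NOPASSWD), and alice (/usr/bin/vi) and bob (/bin/su) as SHELL-ESCAPE; the two %users rules from the post pass, because mount, umount and shutdown do not hand back a shell. Run it against a copy of a real file with `audit_sudoers "$(cat sudoers.copy)"`; it does not handle `#include` directives or `Cmnd_Alias` expansion, so aliases must be checked by hand.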
CODE:
$ man sudo
QUOTE (Text @ Manpage Sudo):

SECURITY NOTES

sudo tries to be safe when executing external commands.

Variables that control how dynamic loading and binding is done can be used to subvert the program that sudo runs. To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only), and LIBPATH (AIX only) environment variables are removed from the environment passed on to all commands executed. sudo will also remove the IFS, ENV, BASH_ENV, KRB_CONF, KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN, RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO, TERMINFO_DIRS and TERMPATH variables as they too can pose a threat. If the TERMCAP variable is set and is a pathname, it too is ignored. Additionally, if the LC_* or LANGUAGE variables contain the / or % characters, they are ignored. If sudo has been compiled with SecurID support, the VAR_ACE, USR_ACE and DLC_ACE variables are cleared as well. The list of environment variables that sudo clears is contained in the output of sudo -V when run as root.

To prevent command spoofing, sudo checks "." and "" (both denoting current directory) last when searching for a command in the user's PATH (if one or both are in the PATH). Note, however, that the actual PATH environment variable is not modified and is passed unchanged to the program that sudo executes.

For security reasons, if your OS supports shared libraries and does not disable user-defined library search paths for setuid programs (most do), you should either use a linker option that disables this behavior or link sudo statically.

sudo will check the ownership of its timestamp directory (/var/run/sudo by default) and ignore the directory's contents if it is not owned by root and only writable by root. On systems that allow non-root users to give away files via chown(2), if the timestamp directory is located in a directory writable by anyone (e.g.: /tmp), it is possible for a user to create the timestamp directory before sudo is run. However, because sudo checks the ownership and mode of the directory and its contents, the only damage that can be done is to "hide" files by putting them in the timestamp dir. This is unlikely to happen since once the timestamp dir is owned by root and inaccessible by any other user the user placing files there would be unable to get them back out. To get around this issue you can use a directory that is not world-writable for the timestamps (/var/adm/sudo for instance) or create /var/run/sudo with the appropriate owner (root) and permissions (0700) in the system startup files.

sudo will not honor timestamps set far in the future. Timestamps with a date greater than current_time + 2 * TIMEOUT will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own timestamp with a bogus date on systems that allow users to give away files.

Please note that sudo will only log the command it explicitly runs. If a user runs a command such as sudo su or sudo sh, subsequent commands run from that shell will not be logged, nor will sudo's access control affect them. The same is true for commands that offer shell escapes (including most editors). Because of this, care must be taken when giving users access to commands via sudo to verify that the command does not inadvertently give the user an effective root shell.
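The man page text above says sudo only trusts its timestamp directory when it is owned by root and writable by root alone, and suggests creating it with owner root and mode 0700 from the startup files. The script below is an added example, not from Bruno's post or from the sudo project: it reproduces that ownership and mode check as a reusable shell function, for use as a boot-time or audit check. It assumes GNU stat (the `-c` format option, the Linux case this post is about); the function name and messages are constructed for the example, and the demonstration runs on a temporary directory rather than on /var/run/sudo.

```shell
#!/bin/sh
# Added example, not from Bruno's post: the ownership and mode check the sudo
# man page describes for its timestamp directory (root-owned, mode 0700),
# usable against any directory path. Assumes GNU stat (-c); on BSD/macOS the
# equivalent would be `stat -f '%u'` and `stat -f '%Lp'`.

# check_ts_dir <dir>: print "ok" when <dir> is owned by root with mode 0700,
# otherwise print the reason. Exit status is 0 only for "ok".
check_ts_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir is not a directory"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")     # numeric owner uid; root is 0
    mode=$(stat -c '%a' "$dir")    # octal permission bits, e.g. 700 or 1777
    if [ "$uid" != "0" ]; then
        echo "bad-owner: $dir is owned by uid $uid, not root"
        return 1
    fi
    if [ "$mode" != "700" ]; then
        echo "bad-mode: $dir has mode $mode, expected 700"
        return 1
    fi
    echo "ok"
}

# Demonstration on a constructed, world-writable temporary directory
# (never touches /var/run/sudo). A non-root run reports bad-owner, a root
# run reports bad-mode; either way the directory is rejected.
demo_dir=$(mktemp -d)
chmod 777 "$demo_dir"
check_ts_dir "$demo_dir" || true
rmdir "$demo_dir"
```

When the check fails on a real system, the man page's remedy is to create the directory with the right owner and mode before sudo is first used; with GNU coreutils that is `install -d -o root -m 0700 /var/run/sudo` in the startup files, after which `check_ts_dir /var/run/sudo` prints "ok".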
Bruno