C.Beamer wrote:
> John Dangler wrote:
> 
> 
>>I’m looking into setting up sudo on my latest test box
>>(stage3/genkernel 2.6.12—r9)
>>
>>In portage, sudo says “Allows users or groups to run commands as other
>>users”. The latest stable shows *1.6.8_p9 (although the one before is
>>it unstable, and the one before that is stable) hmm…*
>>
>>Anyway, the use flags show “pam skey offensive ldap”
>>
>>Pam, I get… offensive and ldap – probably won’t use these. But skey…
>>
>>skey says it’s a “Linux Port of OpenBSD Single-key Password System”
>>That’s all the info I’ve been able to find out so far…
>>
> 
> I'm fairly new to Gentoo, so am hardly an authority. However, I do have
> sudo working. This is how I did it.
> 
> First, I did emerge --search sudo. Of course this returns the "packages"
> that have "sudo" in them. A friend told me to do 'emerge -av <package
> name>' This lists the available "use flags" for whatever package you
> name, for instance 'emerge -av sudo', which will list the available use
> flags for sudo.
> 
> You also need to install vim because you have to edit the /etc/sudoers
> file in order to add a user name. If you display the sudoers file ('cat
> sudoers') it will tell you that the file *must* be edited by the visudo
> command as root.

You're not quite correct on this; the command that must be used is
indeed visudo, but that does not mean you need to use vi(m) to edit the
file. I do it with nano, myself.

But I think that's because my default editor (in /etc/rc.conf) is nano,
not vi.

> 
> In the sudoers file, below the line that reads:
> root ALL=(ALL) ALL
> 
> you enter the information for the user.
> 
> I have 'colleen' set up as a user on my system, so it inserted the line:
> 
> colleen ALL=(ALL) ALL
> 
> Someone might be able to give you better instructions related to
> security, but my system is stand alone and ergo colleen and root have
> the same privileges.

The more traditional way to do this is to uncomment the line already
present in the file

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

Remove the "#" mark to uncomment the command, and if you are a member of
the wheel group, which you should be, if you want to run su in the first
place (which of course you do, if you want to use sudo), then you're done.

The cool thing about this all is that it allows you to set up aliases in
your .bashrc that make specific commands you might want to run as root
go much faster.

If you also set up a subset of root-only commands (such as emerge,
glsa-check, etc-update, "nano /etc/portage/package.keywords") to be
allowed to run without a password, it goes faster still with the use of
aliases, because then you can alias things like

alias emerge='sudo emerge_with_indexing_for_cfg-update'

and then you can just type 'emerge -blah whatever' in a regular old
console and get on with your life. It's not like emerging things doesn't
take long enough without having to type in a password (and since I'm
used to su-ing rather than sudo-ing, I always type the wrong one and get
kicked out anyway ;) so it takes even longer since I have to start all
over again).

There is no real way to make allowing anyone to sudo really secure
(because it's inherently insecure to punch holes in your 'who's allowed
to do what' scheme), other than making sure that you trust those who you
do allow (in this case, since it's yourself, that's not an issue), and
making sure that no one has access to your machine that could use your
trust of yourself against you (i.e., if someone had physical access to
your login, or gained such access through hacking, they would have all
the access of colleen, who has all the access of root, rather than
having to try and brute-force the root password out of you/your system).

But that's what firewalls and encryption (and turning off/logging out of
your PC when irresponsible or untrustworthy people are around) are for.

Holly
-- 
gentoo-user@gentoo.org mailing list
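
An added example, not part of the original message: a sudoers fragment for the setup described above (wheel group, plus a passwordless subset of Portage commands), with the editor rule written as sudoedit instead of running nano as root. The binary paths are assumptions; confirm them on your own system.

```sudoers
# Added example for /etc/sudoers. Edit with visudo (as root) so that a syntax
# error is caught before the file is saved.

# Commands to allow without a password. Paths are assumptions; check each one
# with `command -v <name>` as root. sudoers matches on the full path.
Cmnd_Alias PORTAGE = /usr/bin/emerge, /usr/bin/glsa-check, /usr/sbin/etc-update

# Weak form (left commented out): this runs the whole editor as root, and the
# editor can then read or write any other file from inside the session.
# Cmnd_Alias PKGKEYWORDS = /usr/bin/nano /etc/portage/package.keywords

# Safer form: sudoedit copies the file to a temporary file, runs the editor as
# the invoking user, and copies the result back. The editor never runs as root.
Cmnd_Alias PKGKEYWORDS = sudoedit /etc/portage/package.keywords

# Stock line, uncommented: wheel members may run anything, password required.
%wheel  ALL=(ALL)   ALL

# Passwordless subset. When several entries match, sudoers uses the last one,
# so this line has to come after the general %wheel line above.
# Note: emerge runs package build code as root, so passwordless emerge gives
# anyone who controls a wheel account root without knowing a password.
%wheel  ALL=(root)  NOPASSWD: PORTAGE, PKGKEYWORDS
```

With this in place the file is edited with 'sudoedit /etc/portage/package.keywords', which uses the editor named in SUDO_EDITOR, VISUAL or EDITOR, and 'sudo -l' lists what the current user is allowed to run.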
