On 11/21/2013 02:50 PM, Pierre Labastie wrote:
> On 21/11/2013 19:45, Dan McGhee wrote:
>> This is the first time I have set up and configured 'sudo' in an LFS
>> build. I'm trying to learn this so that if I add an account for someone
>> besides me I can set it up.
>>
>> I want to be able to run halt, shutdown and reboot without invoking sudo
>> or su and without using a password. I know I can do this by adding
>> /sbin to my LFS path, but that would forestall any learning I'm trying
>> to do.
>>
>> I think that the first thing I must do is add aliases to either .bashrc
>> or .bash_profile for 'sudo reboot' et al. Once I figure out which file
>> to put that in I think it's just a matter of
>>
>> alias=<something> <command>
>>
>> Then I need to edit the line "dan ALL=(ALL) ALL" in /etc/sudoers to read:
>>
>> dan ALL=(ALL) ALL:NOPASSWD /sbin/halt,/sbin/shutdown,/sbin/reboot
>>
>> Am I on the right track?
>>
> Hi Dan,
>
> I think you want:
> dan ALL=(ALL) NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot
>
> allows user dan to run only those three commands, without a password
>
> or maybe:
> dan ALL=(ALL) ALL, NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot
>
> allows user Dan to run any command with a password, and the 3 commands without
> a password.
>
> But beware:
> the first ALL (the one after dan) means that user dan can run the commands
> when connected from anywhere. Since those commands are for machine
> maintenance, I would restrict the user to run from the machine. So the
> beginning before the '=' sign might be:
> dan dan_machine =
>
> Then the (ALL) in parentheses means that the command can be run as any user.
> Since the default is root, I would suppress that part (I guess you want the
> commands to be run as root).
> So the line could eventually be:
> dan dan_machine = NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot
>
> I suggest you add a file (say 10-dan) in /etc/sudoers.d containing only that
> line.
> (If /etc/sudoers.d does not exist, create it as root with mode 550).
> The file 10-dan should have mode 440, and should belong to root too.
> Once you have created /etc/sudoers.d, then it is advised to use:
> su -c 'sudoedit /etc/sudoers.d/10-dan'
> (if that does not open the editor you like, add EDITOR=/usr/bin/youreditor
> before sudoedit).
>
> Now, if you want user dan to be able to run any command as any user from any
> host (giving his own password), the file may read:
> dan dan_machine = NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot
> dan ALL=(ALL) ALL
>
> Hope it helps
> Regards
> Pierre

It does, Pierre. Thanks. Much, much clearer than the "official" documentation.
Dan
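
The drop-in steps from the quoted reply (one rule in /etc/sudoers.d/10-dan, mode 440, owned by root) as an added shell example that is not part of the thread: it parses the rule with visudo before installing it, so a malformed line never reaches the live configuration. The function name install_dropin and the SUDOERS_D override are assumptions made for this example, and it is meant to be run as root.

```sh
#!/bin/sh
# Added example, not from the thread. install_dropin and SUDOERS_D are
# hypothetical names; run as root so the installed file is owned by root.
# Usage: install_dropin 10-dan 'dan dan_machine = NOPASSWD: /sbin/halt'

install_dropin() {
    name=$1                              # drop-in file name, e.g. 10-dan
    rule=$2                              # one complete sudoers line
    dir=${SUDOERS_D:-/etc/sudoers.d}

    # sudo skips include-directory files whose names contain '.' or end in '~',
    # so such a name would install cleanly and then silently do nothing.
    case $name in
        ''|*.*|*~|*/*) echo "unusable drop-in name: $name" >&2; return 2 ;;
    esac

    # Fail closed: without visudo the rule cannot be checked before going live.
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 4; }

    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"                    # file mode given in the thread

    # visudo -c -f parses the named file only; nothing is installed yet.
    if ! visudo -c -f "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "syntax error in rule, nothing installed" >&2
        return 3
    fi

    # Directory mode 550 as given in the thread, created only if missing.
    [ -d "$dir" ] || mkdir -m 0550 "$dir" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dir/$name"
}
```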
