Re: [CentOS-docs] becoming root

2008-04-21 Thread Nils Ratusznik

On Sun, 20 April 2008 18:45, Rafał Ślubowski wrote:
> 2008/4/20, Nils Ratusznik [EMAIL PROTECTED]:
>> - Do we consider people who reach this page know at least how to edit a
>> file with vi?
>
> It doesn't need to be vi because sudo uses $EDITOR (which defaults to
> vim in CentOS5) shell variable to run Your Beloved Editor (tm) :^)
>
> I've just mentioned it in the article.


Therefore the saving part (press escape, then type ZZ) can be removed.

Nils

___
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS-docs] becoming root

2008-04-20 Thread Nils Ratusznik

Akemi Yagi wrote:
> On Sat, Apr 19, 2008 at 12:20 PM, Ned Slider [EMAIL PROTECTED] wrote:
>> Cool - just wasn't sure if it needed something more :)
>
> I have made some minor additions and changes to the sudo section.  Hope
> it is still looking good.
>
> Akemi

Hi,

it is still looking good to me. Just two little things:
- Do we consider people who reach this page know at least how to edit a
file with vi? I ask this because I mentioned how to save the sudoers
file but not how to edit it; since it is a sudo howto and not a vi
howto, maybe this part could be changed (something like: if you don't
know how to use vi, follow this link, with a link to a vi howto).
- About the NOPASSWD version of the quick and dirty setup: I'm not
against it if there is a big fat warning sign attached.


Nils


Re: [CentOS-docs] becoming root

2008-04-18 Thread Nils Ratusznik

Akemi Yagi wrote:
> Excellent!  Guess Alan can polish it up if needed :-D
>
> Akemi

Your help is also welcome ;)

Here is what I wrote. I wrote it without wiki syntax so someone will
surely polish it up.


Regards,

Nils
You don't need to be root every time you want to run some specific
administrative tasks.
Thanks to sudo, you can run some or every command as root.

Once sudo is installed (package name: sudo), you can configure it by running
visudo as root. Basically, it runs vi on /etc/sudoers, but it is not
recommended to do it manually.

If you are on a desktop computer, you will want to be able to do almost
everything. So, the quick and dirty way to use sudo would be to add at the end
of the sudoers file:

bob     ALL=(ALL)   ALL

where bob is the name of the user. Save (press escape, then type ZZ), and you
are ready to go. Log in as bob, and run for example:

$ sudo yum update

sudo will ask for a password. This password is bob's password, and not root's 
password, so be careful when you give rights to a user with sudo.


But sudo can do more. We can allow a user or a group of users to run only one
command, or a group of commands. Let's go back to our sudoers file (which is,
by the way, well commented on CentOS 5).

Let's start with bob and alice, members of a group named admin. If we want
every user of admin to be able to run every command as root, we can modify
our example:

%admin  ALL=(ALL)   ALL

bob can still do his stuff, and alice is now allowed to run sudo, with the same 
rights, with her password.

If bob and alice are not in the same group, we can define a user alias in the
sudoers file:

User_Alias ADMINS = alice, bob

Here we define an alias named ADMINS, with alice and bob as members.

However, we don't want alice and bob to run every command as root, we want them
to run only updatedb. Let's define a command alias:

Cmnd_Alias LOCATE = /usr/bin/updatedb

But it's not enough! We need to tell sudo the users defined in ADMINS can run
the commands defined in LOCATE. To do this, we replace the line with %admin
with this line:

ADMINS ALL = LOCATE

It means that users of alias ADMINS can run ALL the commands in the LOCATE
alias.

At this time, /etc/sudoers looks like this:

User_Alias ADMINS = alice, bob
Cmnd_Alias LOCATE = /usr/bin/updatedb
ADMINS ALL = LOCATE

alice and bob should be able to run updatedb as root, by giving their password. 
If we replace the last line of the file with:

ADMINS ALL = NOPASSWD: LOCATE

alice and bob can run sudo updatedb without entering a password. It is 
possible to add more commands in a command alias and more aliases in the rule.
For example, we can create an alias named NETWORKING containing some networking
commands like ifconfig, route or iwconfig:

Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

Let's add this to our /etc/sudoers file (with visudo!), and give it access to
our ADMINS group of users. The /etc/sudoers file now looks like this:

User_Alias ADMINS = alice, bob
Cmnd_Alias LOCATE = /usr/bin/updatedb
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
ADMINS ALL = LOCATE, NETWORKING

A little try: log in as alice (or bob), and type:

$ ping -c 10 -i 0 localhost

The answer should come quickly:

PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms

Now, let's sudo it:
$ sudo ping -c 10 -i 0 localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.021 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.030 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=5 ttl=64 time=0.017 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=6 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=7 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=8 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=9 ttl=64 time=0.016 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=10 ttl=64 time=0.016 ms

--- localhost.localdomain ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 0.016/0.023/0.049/0.010 ms, ipg/ewma 0.187/0.028 ms

That's it. Now never forget, when using sudo: with great power comes great
responsibility.
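An added example, not from the thread or the CentOS wiki: a small Python checker for the sudoers subset used in Nils's draft (User_Alias, Cmnd_Alias, NOPASSWD rules, a %group rule), answering whether a user may run a given program as root and whether a password will be asked. The group membership and the user dave are constructed, and host/runas specs, command arguments and wildcards are accepted but not evaluated.

```python
import re

# Constructed sample: the aliases and rules from the draft howto above in one file, plus the %admin rule.
SUDOERS = """
User_Alias ADMINS = alice, bob
Cmnd_Alias LOCATE = /usr/bin/updatedb
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
%admin ALL=(ALL) ALL
ADMINS ALL = NOPASSWD: LOCATE
ADMINS ALL = NETWORKING
"""
# Constructed group membership (sudo reads /etc/group); the user dave is made up.
GROUPS = {"admin": {"dave"}}

# Rule syntax: who host = [(runas)] [NOPASSWD:|PASSWD:] cmnd, cmnd, ...
RULE = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:|PASSWD:)?\s*(.*)")

def parse_sudoers(text):
    """Parse User_Alias, Cmnd_Alias and rule lines; host/runas are kept but not checked."""
    users, cmnds, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            table = users if kind == "User_Alias" else cmnds
            table[name.strip()] = [m.strip() for m in members.split(",")]
        elif line:
            who, _host, _runas, tag, cmds = RULE.match(line).groups()
            rules.append((who, tag == "NOPASSWD:", [c.strip() for c in cmds.split(",")]))
    return users, cmnds, rules

def expand_cmds(cmds, cmnds):
    """Expand Cmnd_Alias names (nesting allowed) to the paths they stand for."""
    return [p for c in cmds for p in (expand_cmds(cmnds[c], cmnds) if c in cmnds else [c])]

def check(policy, groups, user, command):
    """(allowed, password_required) for user running command as root; the last matching rule wins, as in sudo."""
    users, cmnds, rules = policy
    allowed, need_pw = False, True
    for who, nopasswd, cmds in rules:
        # %name is a system group, otherwise a User_Alias or a plain user name
        members = groups.get(who[1:], set()) if who.startswith("%") else users.get(who, [who])
        exp = expand_cmds(cmds, cmnds)
        if user in members and ("ALL" in exp or command in exp):
            allowed, need_pw = True, not nopasswd
    return allowed, need_pw

POLICY = parse_sudoers(SUDOERS)
```

Give check() the full path sudo will resolve (sudo updatedb becomes /usr/bin/updatedb), since matching is on the path written in the alias.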


Re: [CentOS-docs] becoming root

2008-04-18 Thread Nils Ratusznik

Akemi Yagi wrote:
> On Fri, Apr 18, 2008 at 12:09 PM, Manuel Wolfshant
> [EMAIL PROTECTED] wrote:
>> On 04/18/2008 09:27 PM, Akemi Yagi wrote:
>>> Looking good to me.  One thing that may be worth mentioning is that
>>> all sudo commands are logged in /var/log/secure.  In the above
>>> example, it will look like:
>>>
>>> Apr 18 11:23:17 localhost sudo: bob  : TTY=pts/0 ; PWD=/home/bob ;
>>> USER=root ; COMMAND=/bin/ping -c 10 -i 0 localhost
>>>
>>> I think this is a nice feature.  Commands executed by real root are
>>> not logged except in root's .history file, if I'm not mistaken.
>>
>> you are not mistaken :)
>>
>> should I mention that my /etc/sudoers ends for quite some time with:
>>   wolfy   ALL=(ALL) NOPASSWD: ALL
>> ? neah, guess not :)
>
> Well, I have that line all over the place (except it does not say wolfy) :-D
>
> Akemi
You both know what you are doing, right?
Do all the people who will read this wiki page know what they will do
with this?
I prefer people guessing this and being aware of what they do instead of
not learning what sudo is and what its possibilities are.


Nils
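An added example, mine rather than the thread's: parsing the /var/log/secure line format Akemi quotes and flagging sudo commands that fall outside the set the howto's aliases were meant to grant, which is the kind of review a blanket NOPASSWD: ALL line makes necessary. Only the first log line is the one from the thread; the other lines and the EXPECTED table are constructed.

```python
import re

# Constructed sample of /var/log/secure: line 1 is the one quoted in the thread,
# the rest are made up (an unrelated sshd line and a shell run through sudo).
SECURE_LOG = """\
Apr 18 11:23:17 localhost sudo: bob  : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ping -c 10 -i 0 localhost
Apr 18 11:25:02 localhost sudo: alice  : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/updatedb
Apr 18 11:26:40 localhost sshd[2034]: Accepted password for bob from 192.0.2.10 port 51234 ssh2
Apr 18 11:30:11 localhost sudo: bob  : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

# Constructed: the programs each user is meant to reach via the LOCATE and NETWORKING aliases.
EXPECTED = {
    "alice": {"/usr/bin/updatedb", "/bin/ping", "/sbin/route", "/sbin/ifconfig"},
    "bob": {"/usr/bin/updatedb", "/bin/ping", "/sbin/route", "/sbin/ifconfig"},
}

# Field layout of a successful sudo entry, as shown in the quoted log line.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) +: "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_log(text):
    """Return one dict per sudo command line; lines from other daemons are ignored."""
    return [m.groupdict() for m in map(SUDO_LINE.match, text.splitlines()) if m]

def audit(events, expected):
    """Return (user, program, runas) for every command not in the user's expected set."""
    findings = []
    for e in events:
        program = e["cmd"].split()[0]  # sudo logs the resolved path first, then the arguments
        if program not in expected.get(e["user"], set()):
            findings.append((e["user"], program, e["runas"]))
    return findings
```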