Hi,

Does anyone have some nice sudo tricks to show off? I'd like to see some examples and tips that I might use for my own setup. Also, what is needed in a user's environment to be able to run SuSE style rc<servername> scripts?

Tarjei
* Tarjei Huse
I'd like to see some examples and tips that I might use for my own setup. Also, what is needed in a user's environment to be able to run SuSE style rc<servername> scripts?
Root privileges for the particular (or all) server and path_name. Sudo does not, AFAIK, provide root paths. But 'su1' will/does.

--
Patrick Shanahan
Registered Linux User #207535
http://wahoo.no-ip.org @ http://counter.li.org
On Wednesday 13 August 2003 06:41, Tarjei Huse wrote:
Hi,
Does anyone have some nice sudo tricks to show off?
I'd like to see some examples and tips that I might use for my own setup. Also, what is needed in a user's environment to be able to run SuSE style rc<servername> scripts?
Tarjei
Tarjei - Have been using "sudo" for years, on many different *nix OSes. There are many ways to implement it; I like it because it logs all commands, and I can always go back and see what I did. Here's my sudoers file:

#
# This file MUST be edited with the 'visudo' command as root.
#
#---------------------------------------------------------------------------
# User aliases allow groups of users (like /etc/group) to be granted a
# common set of "sudo" privileges
#---------------------------------------------------------------------------
#
# User alias specification
#
# FULLSA is the System Admin team, including contractors
#
User_Alias FULLSA=markea
#
# OPERATOR are the system operators
#
User_Alias OPERATOR=bfb3,sxn7
#
# Oracle user is oracle on some machines, oracle7 on others
#
User_Alias DBAS=oracle,orahrprd,orahrvol,orahrtst,pshrprd,pshrvol,pshrtst
#
#---------------------------------------------------------------------------
# Runas aliases allow one account to "run as" another
#---------------------------------------------------------------------------
#
# Runas alias specification
#
Runas_Alias OP=root,operator
#---------------------------------------------------------------------------
# Command aliases allow privileges to be granted on a "per command" basis
#---------------------------------------------------------------------------
#
# Cmnd alias specification
#
#
# DUMPS grants access to command-line backup/restore tools
#
Cmnd_Alias DUMPS=/usr/sbin/dump, \
           /sbin/restore, \
           /usr/sbin/fbackup, \
           /sbin/frecover
#
Cmnd_Alias KILL=/usr/bin/kill
#
# PRINTING is the list of commands for managing printers/queues
#
Cmnd_Alias PRINTING=/bin/cancel,\
           /usr/sbin/accept,\
           /usr/sbin/reject,\
           /usr/bin/enable,\
           /usr/bin/disable,\
           /usr/sbin/lpadmin,\
           /usr/sbin/lpmove,\
           /opt/hpnp/bin/jetadmin,\
           /usr/sbin/lpsched,\
           /usr/sbin/lpshut
#
# Shutdown and reboot commands
#
Cmnd_Alias SHUTDOWN=/usr/sbin/shutdown
Cmnd_Alias HALT=/usr/sbin/halt
Cmnd_Alias REBOOT=/usr/sbin/reboot
#
# List of shells for disallowing root shells to users
#
Cmnd_Alias SHELLS=/bin/sh,\
           /bin/csh,\
           /bin/ksh,\
           /bin/rksh,\
           /opt/local/bin/bash,\
           /bin/bash,\
           /opt/local/bin/tcsh,\
           /bin/tcsh
#
# Restricting "su" prevents users becoming root by "su -" or "su - root"
#
Cmnd_Alias SU=/bin/su,\
           /usr/bin/su
#
# "vipw" and "/bin/passwd" edit the password file -- VERY DANGEROUS
#
Cmnd_Alias VIPW=/usr/ucb/vipw,/bin/passwd
#
# "ftp" should NOT be allowed as root -- handle with care
#
Cmnd_Alias FTP=/usr/bin/ftp
#
# The "ch" commands are here for users like the Webmaster, who need to change
# ownership/permissions of files uploaded by other users
#
Cmnd_Alias CHFILES=/bin/chmod,/bin/chown,/bin/chgrp
#
# The "OROOT" alias allows the Oracle user to run the "root.sh" portion of
# Oracle installation routines as root without requiring a SysAdmin to help
# The "mount" and "unmount" allow the DBAs to mount Oracle CDs for install
#
Cmnd_Alias OROOT=/*/orainst/root.sh,\
           /cdrom/orainst/orainst
Cmnd_Alias BEORACLE=/usr/bin/su - oracle
Cmnd_Alias MNTCMDS=/sbin/mount,\
           /sbin/umount
Cmnd_Alias WEBSRV=/opt/netscape/suitespot/restart-admin,\
           /opt/netscape/suitespot/start-admin,\
           /opt/netscape/suitespot/stop-admin,\
           /opt/netscape/suitespot/https-*/start,\
           /opt/netscape/suitespot/https-*/restart,\
           /opt/netscape/suitespot/https-*/stop,\
           /etc/init.d/owas-admin,\
           /etc/init.d/owas,\
           /opt/local/adm/webperm
#
# The "rcp" command for use by the DBA's to move file between domains
#
Cmnd_Alias RCP=/usr/bin/rcp
#---------------------------------------------------------------------------
# User specifications associate commands, users and privileges
#---------------------------------------------------------------------------
#
# User specification
#
# root can run anything on any machine as any user
root ALL=(ALL) ALL
#***************************************************************************
# Permissions for SysAdmin team -- allow on ALL machines
#***************************************************************************
FULLSA ALL=NOPASSWD:ALL,!/usr/bin/su - root,!/usr/bin/su -
#***************************************************************************
# Permissions for Oracle user -- allow on all Oracle machines
# Oracle user can not "su" or run shells as root, but they can
# mount/unmount CDs, run "root.sh" and chown/chgrp/chmod
#***************************************************************************
DBAS ALL=!SU,!SHELLS,CHFILES,OROOT,MNTCMDS,RCP
#---------------------------------------------------------------------------

Mark Almeida
--
Powered by SuSE Linux Pro 8.2/Kmail 1.5.3
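The policy above is evaluated by sudo in file order, with aliases expanded and the last matching entry deciding. The following checker is an added example (not sudo's own parser, and not part of the thread) that parses a constructed sudoers fragment modelled on the aliases in Mark's file and answers "may user X run command Y as Z?" the way sudo does. It also answers Tarjei's question from the top of the thread: the hypothetical RCSCRIPTS alias grants one user the SuSE init scripts by their absolute /etc/init.d paths, which is what a sudoers entry needs regardless of the caller's PATH. The `negation_after_all` check is the caveat a reviewer would raise about the FULLSA line: sudoers(5) documents, under "Limitations of the '!' operator", that exclusions under an ALL grant cannot be enforced, so such an entry should be audited as a full grant. Names in the sample (markea, oracle, tarjei, RCSCRIPTS) are constructed.

```python
# Added example (not sudo's own parser): checks a sudoers-style policy offline.
# Handles User_Alias, Cmnd_Alias with backslash continuations, user specs with
# an optional (runas) list, NOPASSWD/PASSWD tags and '!' negation; ignores hosts.
import fnmatch
import re

# Constructed sample modelled on the post's aliases; RCSCRIPTS is a hypothetical
# alias letting one user run SuSE init scripts (absolute paths) as root.
SAMPLE_SUDOERS = r"""
User_Alias FULLSA=markea
User_Alias DBAS=oracle,orahrprd
Cmnd_Alias SHELLS=/bin/sh,\
           /bin/bash
Cmnd_Alias SU=/bin/su,\
           /usr/bin/su
Cmnd_Alias CHFILES=/bin/chmod,/bin/chown,/bin/chgrp
Cmnd_Alias MNTCMDS=/sbin/mount,\
           /sbin/umount
Cmnd_Alias RCSCRIPTS=/etc/init.d/apache,/etc/init.d/postfix
root   ALL=(ALL) ALL
FULLSA ALL=NOPASSWD:ALL,!/usr/bin/su - root,!/usr/bin/su -
DBAS   ALL=!SU,!SHELLS,CHFILES,MNTCMDS
tarjei ALL=(root) RCSCRIPTS
"""

SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def _logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def parse_sudoers(text):
    """Return [(users, runas_list, [(negated, command_spec), ...]), ...] with
    aliases expanded, in file order (order matters: the last match wins)."""
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for line in _logical_lines(text):
        if line.startswith(("Runas_Alias", "Host_Alias", "Defaults")):
            continue  # not modelled here
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            table[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {line!r}")
        who, _host, runas, cmds = m.groups()
        entries = []
        for item in cmds.split(","):
            item = re.sub(r"^(?:NOPASSWD|PASSWD):\s*", "", item.strip())
            negated = item.startswith("!")
            item = item.lstrip("!").strip()
            entries += [(negated, c) for c in cmnd_aliases.get(item, [item])]
        runas_list = [r.strip() for r in (runas or "root").split(",")]
        specs.append((user_aliases.get(who, [who]), runas_list, entries))
    return specs


def _cmd_matches(spec, command):
    """sudo-style match: ALL matches anything; a spec without arguments matches
    any arguments; a spec with arguments must match them (globs allowed)."""
    if spec == "ALL":
        return True
    spec_parts, cmd_parts = spec.split(None, 1), command.split(None, 1)
    if not fnmatch.fnmatchcase(cmd_parts[0], spec_parts[0]):
        return False
    if len(spec_parts) == 1:
        return True
    cmd_args = cmd_parts[1].strip() if len(cmd_parts) > 1 else ""
    return fnmatch.fnmatchcase(cmd_args, spec_parts[1].strip())


def may_run(specs, user, command, runas="root"):
    """Decide as sudo does: the last matching entry wins; no match is a denial."""
    decision = False
    for users, runas_list, entries in specs:
        if user not in users and "ALL" not in users:
            continue
        if runas not in runas_list and "ALL" not in runas_list:
            continue
        for negated, spec in entries:
            if _cmd_matches(spec, command):
                decision = not negated
    return decision


def negation_after_all(specs):
    """Flag 'ALL,!cmd' grants: sudoers(5) documents that exclusions under ALL are
    not enforceable (sudo matches path names only). Audit them as full grants."""
    return [f"{','.join(users)}: ALL granted, exclusions {[s for n, s in e if n]}"
            for users, _runas, e in specs
            if any(not n and s == "ALL" for n, s in e) and any(n for n, _ in e)]


SPECS = parse_sudoers(SAMPLE_SUDOERS)

if __name__ == "__main__":
    print("markea su - root:", may_run(SPECS, "markea", "/usr/bin/su - root"))
    print("\n".join(negation_after_all(SPECS)))
```

Running it shows the intended behaviour of the DBAS line (shells and su denied, chmod and mount allowed, anything unlisted denied) and of the tarjei line (only the two init scripts, only as root). For the FULLSA line it shows both why the checker warns and what the warning means in practice: the two exclusions match `su - root` and `su -` exactly as written but not a bare `/usr/bin/su`, so even before the documented limitation of `!` is considered, the entry is effectively a full root grant and should be reviewed as one.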
(top quoting I know...)

This was just the thing I wanted, thanks a lot!

Tarjei

On Wed, 2003-08-13 at 17:52, The Wizard wrote:
The 03.08.14 at 00:28, Tarjei Huse wrote:
(top quoting I know...)
I don't mind top posting... But I do mind that you reposted 8 kilobytes of useless quotes! Please, don't do it. Some people, like me, have to pay for the internet connection by the minute, and your mail uses about 2 seconds of transmission time, multiplied by perhaps hundreds like me. We are not all on a business network connection, where top posting and big repeated mails are not problematic. Please.

--
Cheers,
Carlos Robinson
Participants (4): Carlos E. R., Patrick Shanahan, Tarjei Huse, The Wizard