Mailinglist Archive: opensuse (2731 mails)
Re: [SLE] sudoers file
- From: Tarjei Huse <tarjei+a_lists.suse@xxxxx>
- Date: Thu, 14 Aug 2003 00:28:06 +0200
- Message-id: <1060813686.4983.122.camel@xxxxxxxxxxxxxxxxxxxxxxxxxx>
(top quoting I know...)
This was just the thing I wanted, thanks a lot!
Tarjei
On Wed, 2003-08-13 at 17:52, The Wizard wrote:
> On Wednesday 13 August 2003 06:41, Tarjei Huse wrote:
> > Hi,
> >
> > Does anyone have some nice sudotricks to show off?
> >
> > I'd like to see some examples and tips that I might use for my own
> > setup. Also, what is needed in a users environment to be able to run
> > SuSE style rc<servername> scripts?
> >
> > Tarjei
>
> Tarjei -
> Have been using "sudo" for years, on many different *nix OSes. There are
> many ways to implement it; I like it because it logs all commands, and I can
> always go back and see what I did. Here's my sudoers file:
>
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
>
> #---------------------------------------------------------------------------
> # User aliases allow groups of users (like /etc/group) to be granted a
> # common set of "sudo" privileges
> #---------------------------------------------------------------------------
> #
> # User alias specification
> #
> # FULLSA is the System Admin team, including contractors
> #
> User_Alias FULLSA=markea
> #
> # OPERATOR are the system operators
> #
> User_Alias OPERATOR=bfb3,sxn7
> #
> # Oracle user is oracle on some machines, oracle7 on others
> #
> User_Alias DBAS=oracle,orahrprd,orahrvol,orahrtst,pshrprd,pshrvol,pshrtst
> #
> #---------------------------------------------------------------------------
> # Runas aliases allow one account to "run as" another
> #---------------------------------------------------------------------------
> #
> # Runas alias specification
> #
> Runas_Alias OP=root,operator
>
> #---------------------------------------------------------------------------
> # Command aliases allow privileges to be granted on a "per command" basis
> #---------------------------------------------------------------------------
> #
> # Cmnd alias specification
> #
> #
> # DUMPS grants access to command-line backup/restore tools
> #
> Cmnd_Alias DUMPS=/usr/sbin/dump, \
> /sbin/restore, \
> /usr/sbin/fbackup, \
> /sbin/frecover
> #
> Cmnd_Alias KILL=/usr/bin/kill
> #
> # PRINTING is the list of commands for managing printers/queues
> #
> Cmnd_Alias PRINTING=/bin/cancel,\
> /usr/sbin/accept,\
> /usr/sbin/reject,\
> /usr/bin/enable,\
> /usr/bin/disable,\
> /usr/sbin/lpadmin,\
> /usr/sbin/lpmove,\
> /opt/hpnp/bin/jetadmin,\
> /usr/sbin/lpsched,\
> /usr/sbin/lpshut
> #
> # Shutdown and reboot commands
> #
> Cmnd_Alias SHUTDOWN=/usr/sbin/shutdown
> Cmnd_Alias HALT=/usr/sbin/halt
> Cmnd_Alias REBOOT=/usr/sbin/reboot
> #
> # List of shells for disallowing root shells to users
> #
> Cmnd_Alias SHELLS=/bin/sh,\
> /bin/csh,\
> /bin/ksh,\
> /bin/rksh,\
> /opt/local/bin/bash,\
> /bin/bash,\
> /opt/local/bin/tcsh,\
> /bin/tcsh
> #
> # Restricting "su" prevents users becoming root by "su -" or "su - root"
> #
> Cmnd_Alias SU=/bin/su,\
> /usr/bin/su
> #
> # "vipw" and "/bin/passwd" edit the password file -- VERY DANGEROUS
> #
> Cmnd_Alias VIPW=/usr/ucb/vipw,/bin/passwd
> #
> # "ftp" should NOT be allowed as root -- handle with care
> #
> Cmnd_Alias FTP=/usr/bin/ftp
> #
> # The "ch" commands are here for users like the Webmaster, who need to change
> # ownership/permissions of files uploaded by other users
> #
> Cmnd_Alias CHFILES=/bin/chmod,/bin/chown,/bin/chgrp
> #
> # The "OROOT" alias allows the Oracle user to run the "root.sh" portion of
> # Oracle installation routines as root without requiring a SysAdmin to help
> # The "mount" and "unmount" allow the DBAs to mount Oracle CDs for install
> #
> Cmnd_Alias OROOT=/*/orainst/root.sh,\
> /cdrom/orainst/orainst
>
> Cmnd_Alias BEORACLE=/usr/bin/su - oracle
>
> Cmnd_Alias MNTCMDS=/sbin/mount,\
> /sbin/umount
>
> Cmnd_Alias WEBSRV=/opt/netscape/suitespot/restart-admin,\
> /opt/netscape/suitespot/start-admin,\
> /opt/netscape/suitespot/stop-admin,\
> /opt/netscape/suitespot/https-*/start,\
> /opt/netscape/suitespot/https-*/restart,\
> /opt/netscape/suitespot/https-*/stop,\
> /etc/init.d/owas-admin,\
> /etc/init.d/owas,\
> /opt/local/adm/webperm
> #
> # The "rcp" command for use by the DBAs to move files between domains
> #
> Cmnd_Alias RCP=/usr/bin/rcp
>
> #---------------------------------------------------------------------------
> # User specifications associate commands, users and privileges
> #---------------------------------------------------------------------------
> #
> # User specification
> #
>
> # root can run anything on any machine as any user
> root ALL=(ALL) ALL
>
> #***************************************************************************
> # Permissions for SysAdmin team -- allow on ALL machines
> #***************************************************************************
> FULLSA ALL=NOPASSWD:ALL,!/usr/bin/su - root,!/usr/bin/su -
>
>
> #***************************************************************************
> # Permissions for Oracle user -- allow on all Oracle machines
> # Oracle user cannot "su" or run shells as root, but they can
> # mount/unmount CDs, run "root.sh" and chown/chgrp/chmod
> #***************************************************************************
> DBAS ALL=!SU,!SHELLS,CHFILES,OROOT,MNTCMDS,RCP
> #---------------------------------------------------------------------------
>
>
> Mark Almeida
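The user specifications quoted above can be checked against sudo's matching rules without a test box. The following is an added example, not code from the original post or from sudo itself: a small model of the sudoers(5) "last match wins" evaluation run over a shortened, constructed copy of the aliases above. It assumes a bare path matches any arguments, a path with arguments matches exactly those arguments, and it ignores hosts and Runas lists.

```python
import fnmatch
import re

# Constructed, shortened excerpt of the sudoers file quoted in the reply above.
SUDOERS = """
User_Alias FULLSA=markea
User_Alias DBAS=oracle,orahrprd
Cmnd_Alias SHELLS=/bin/sh,/bin/bash
Cmnd_Alias SU=/bin/su,/usr/bin/su
Cmnd_Alias CHFILES=/bin/chmod,/bin/chown,/bin/chgrp
Cmnd_Alias MNTCMDS=/sbin/mount,/sbin/umount
root ALL=(ALL) ALL
FULLSA ALL=NOPASSWD:ALL,!/usr/bin/su - root,!/usr/bin/su -
DBAS ALL=!SU,!SHELLS,CHFILES,MNTCMDS
"""

def parse(text):
    """Return (user_aliases, cmnd_aliases, specs); each spec is (who, [entries])."""
    users, cmnds, specs = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        if kind in ("User_Alias", "Cmnd_Alias"):
            name, _, members = rest.partition("=")
            target = users if kind == "User_Alias" else cmnds
            target[name.strip()] = [m.strip() for m in members.split(",")]
        else:                                   # user host=(runas) TAG: cmd, cmd ...
            cmdlist = re.sub(r"\([^)]*\)", "", rest.partition("=")[2])  # drop (runas)
            entries = [re.sub(r"^\w+:", "", e.strip()) for e in cmdlist.split(",")]
            specs.append((kind, entries))       # tags such as NOPASSWD: are stripped
    return users, cmnds, specs

def entry_matches(entry, cmd, cmnds):
    """One Cmnd entry against 'path args': bare path = any args, path+args = exact."""
    if entry == "ALL":
        return True
    if entry in cmnds:                          # Cmnd_Alias: any member may match
        return any(entry_matches(e, cmd, cmnds) for e in cmnds[entry])
    path, _, args = entry.partition(" ")
    cpath, _, cargs = cmd.partition(" ")
    return fnmatch.fnmatchcase(cpath, path) and (args == "" or args == cargs)

def allowed(user, cmd, policy):
    """sudoers(5): every matching entry applies in order and the last match wins."""
    users, cmnds, specs = policy
    verdict = False                             # nothing matched: sudo denies
    for who, entries in specs:
        if user != who and user not in users.get(who, []):
            continue
        for entry in entries:
            if entry_matches(entry.lstrip("!"), cmd, cmnds):
                verdict = not entry.startswith("!")
    return verdict
```

Evaluating the DBAS line with and without its `!SU,!SHELLS` entries gives identical verdicts, because nothing on that line grants those commands in the first place; the positive allowlist does all the work. The two `!` entries on the FULLSA line only deny the exact argument forms written, which is the limitation sudoers(5) itself notes about subtracting commands from ALL.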