Humble Trader

Monday, December 12, 2005

Enable users to run normally excluded stuff using sudo

+++ WARNING +++ WARNING +++ WARNING +++

This technique is used to RELAX security. Be sure that you understand the implications of what you are doing and who you are letting do it. It is possible to completely open your system up to an intruder with this facility.

+++ WARNING +++ WARNING +++ WARNING +++

Introduction:

This is a basic introduction to sudo. A better page is here.

Aim:

A base Linux install excludes some users from running certain powerful commands. This technique lets you, the sysadmin, allow users to run commands they would not normally be able to.

Requirements:

You need root access for this.

Procedure:

This specific example allows any user to mount a floppy disk. This should only be done in a fairly well controlled environment, and for very good reasons. I'm doing it because I am the only user on this system, my server (and so the floppy drive) is locked away from the public, and I tend to move things about on floppies while configuring Linux and Oracle.

root actions:
  • Log in as root and open Terminal.
  • Edit the /etc/sudoers file (NOTE: Do not, under any circumstances, edit this file directly - use this):
    • # visudo
    • Go to the bottom of the file.
    • Add a new line: ALL ALL=/bin/mount, /bin/umount
    • Save and exit.
user actions:
  • Log in as the user and open Terminal.
  • $ sudo -l
  • This responds with: Password: Enter your user password. (Note: You only need the password the first time you use sudo or after root has made changes.)
  • You see a list of commands that you can run under sudo, e.g.:
    • User Steve may run the following commands on this host:
    • (root) /bin/mount
    • (root) /bin/umount
  • Put in a floppy and type the following:
    • $ sudo mount -t vfat /dev/fd0 /media/floppy
      • The floppy icon appears on the desktop and you can access the disk.
    • $ sudo umount /media/floppy
      • The floppy icon disappears from the desktop.
Options:

sudo Entry | Description
ALL ALL=/bin/mount, /bin/umount | ALL users can run on ALL servers the commands /bin/mount and /bin/umount
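
A narrower form of the entry above, as an added example that is not from the original post: it limits the rule to one account and to the exact floppy commands used in the procedure. The user name steve (taken from the sudo -l output shown) and the alias name FLOPPY are assumptions.

```sudoers
# Added example, not from the original post. Edit with visudo as described above.

# Entry from the post: every user, on every host, may run mount and umount
# as root with any arguments (any device, filesystem type, options, mount point).
# ALL ALL=/bin/mount, /bin/umount

# Narrower alternative (assumption: the only account that needs this is "steve").
# When arguments are listed in sudoers, sudo allows the command only with
# exactly those arguments, so nothing else can be mounted or unmounted.
Cmnd_Alias FLOPPY = /bin/mount -t vfat /dev/fd0 /media/floppy, \
                    /bin/umount /media/floppy
steve ALL = (root) FLOPPY
```

With this rule the two commands in the procedure work unchanged, and sudo -l lists them with their arguments. Running visudo -c as root checks the file for syntax errors.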
