Dit bericht verscheen eerder bij FOSSlife
The top of the sudoers file sets aliases for advanced configuration. Aliases can be used for such purposes as creating comma-separated lists of users or commands to simplify configuration. For example, if you want to restrict who can power off the system or network, add the following line to create the command alias SHUTDOWN:
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/reboot, /sbin/poweroff
Once the alias is defined, you can give users the right to run all three commands simply by referencing the SHUTDOWN alias. In the same way, you could define a group of users called ADMINS, all of whom can run the same commands.
Regardless of whether you specify aliases, you can assign privileges with single-line entries. Depending on the distribution, the assignment of various privileges may be organized by commented lines prefaced with the hash (#) symbol. Be sure that the lines that assign privilege are below the list of uncommented aliases.
The simplest form of privilege assignment is [NAME] ALL=ALL. For example, bb ALL=ALL allows user bb to run any command from any terminal.
More restrictively, the line could read as follows:
bb /sbin/halt, /sbin/shutdown, /sbin/reboot, /sbin/poweroff=ALL
Or, if the SHUTDOWN alias suggested above was defined at the top of the sudoers file, the line could be:
bb SHUTDOWN=ALL
The sudoers file can also contain fields to adjust other behaviors. The most useful fields are passwd_tries, which sets the number of attempts to log in to sudo; passwd_timeout, which sets the length of time that a login lasts; and editor, which sets the editors you can use with sudo. For a complete list of these fields, see the sudoers man page.
Avoiding Self-Sabotage
Like much of Linux, su and sudo can be as simple or as complex as you choose. Most popular uses of sudo, in particular, are extremely basic, and by copying them, you can quickly get up to speed. However, when you use su and sudo, be careful that you do not undermine their purpose. The entire point of both commands is to increase security by minimizing the time you run as root. Both commands can reduce your time as root to the bare minimum, but that doesn’t mean you can relax other precautions.
Specifically, avoid using su to become root and then keeping a terminal open and forgotten on some overlooked virtual workspace. Similarly, reduce the time that a successful sudo login lasts to the minimum. Consult system logs to ensure that the powerful su and sudo commands are only used for authorized activities. (Also see the box titled “The Administrator Sees Everything.”)
Dit bericht verscheen eerder bij FOSSlife