
Examples of how to configure sudoers


 

This article is a repost. I found it by searching while I was studying and am saving it here, but the source must be credited:

http://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html

 

The sudoers file, located at /etc/sudoers, contains the rules that users must follow when using the sudo command.

If you have ever used Ubuntu, you know that the root account is disabled. This is because the root password is not set in Ubuntu; you can assign one and use it as with every other Linux distribution. That is another story, though. On normal Ubuntu Linux computers you need to use sudo to act as root.

I like using sudo; I’m not using Ubuntu anymore. The first thing I do when I install a new Linux is to use visudo to edit the sudoers file. And I always give my account root rights, then I can run commands as root without switching users.

The best way to understand the sudo command and the rules in the sudoers file, the funny way, is this comic.

[Comic: "sudo make me a sandwich"]

Credit: XKCD

As you can see from this funny picture, using the sudo command makes the system obey any given order.

The two best advantages of using the sudo command are:

  • Restricted privileges
  • Logs of the actions taken by users

I’m sure you are now fully aware of the advantages of using the sudo command on a daily basis. So how do you use it?

In order to use sudo, you first need to configure the sudoers file. The sudoers file is located at /etc/sudoers. You should not edit it directly; use the visudo command instead.

Once you enter the visudo command, you will see something like this:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL

Almost all lines are commented out. The one that matters in this sudoers file example is:

root ALL=(ALL) ALL

This line means: the root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) commands.

The first part is the user, the second is the terminal from which the user can use the sudo command, the third part is which users he may act as, and the last one is which commands he may run when using sudo.

sudoers examples

operator ALL= /sbin/poweroff

The above rule lets the user operator run the poweroff command from any terminal.

You can also create aliases for users (User_Alias), for the users that commands are run as (Runas_Alias), for hosts (Host_Alias) and for commands (Cmnd_Alias):

User_Alias OPERATORS = joe, mike, jude
Runas_Alias OP = root, operator
Host_Alias OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm

As you can see, the alias OPERATORS includes the users joe, mike and jude, the alias OP includes the users root and operator, the alias OFNET includes the network 10.1.2.0 (the whole class C), and the command alias PRINTING includes the commands lpc and lprm.

So, a typical sudoers file may look like this:

 User_Alias     OPERATORS = joe, mike, jude
 Runas_Alias    OP = root, operator
 Host_Alias     OFNET = 10.1.2.0/255.255.255.0
 Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm

OPERATORS ALL=ALL

# The users in the OPERATORS group can run any command from
# any terminal.

linus ALL=(OP) ALL

# The user linus can run any command from any terminal as any
# user in the OP group (root or operator).

user2 OFNET=(ALL) ALL

# The user user2 may run any command from any machine in the
# OFNET network, as any user.

user3 ALL= PRINTING

# The user user3 may run lpc and lprm from any machine.

go2linux ALL=(ALL) ALL

# The user go2linux may run any command from any machine, acting
# as any user (like Ubuntu).

If you do not want to be asked for a password, use this form:

go2linux ALL=(ALL) NOPASSWD: ALL
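
To review who ends up with full root rights under rules like the ones above, here is a small audit script. It is an added example, not part of the original article: the function names are hypothetical, and the parser is deliberately simplified (one rule per line, no line continuations, includes, tags other than NOPASSWD, or negation). The second field is stored as "host", which is what the sudoers man page calls it.

```python
import re

# Constructed sample: the rules from the article's examples, in one file.
SAMPLE = """\
User_Alias     OPERATORS = joe, mike, jude
Runas_Alias    OP = root, operator
Host_Alias     OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Defaults        env_reset
root      ALL=(ALL) ALL
OPERATORS ALL=ALL
linus     ALL=(OP) ALL
user2     OFNET=(ALL) ALL
user3     ALL= PRINTING
go2linux  ALL=(ALL) NOPASSWD: ALL
"""

ALIAS_RE = re.compile(r"^(?:User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
# user host = (runas) [NOPASSWD:] commands; runas defaults to root when omitted
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)$")

def expand(text, aliases):
    # Split a comma-separated list and replace alias names by their members.
    items = [part.strip() for part in text.split(",")]
    return [member for item in items for member in aliases.get(item, [item])]

def parse(text):
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(("#", "Defaults"))]
    aliases = {m.group(1): expand(m.group(2), {}) for m in map(ALIAS_RE.match, lines) if m}
    rules = []
    for line in lines:
        m = None if ALIAS_RE.match(line) else RULE_RE.match(line)
        if m:
            who, host, runas, nopw, cmds = m.groups()
            rules.append({"users": expand(who, aliases), "host": host,
                          "runas": expand(runas or "root", aliases),
                          "nopasswd": nopw is not None,
                          "commands": expand(cmds, aliases)})
    return rules

def audit(text):
    # (user, finding) for every non-root user allowed to run ALL commands as root.
    findings = []
    for r in parse(text):
        if "ALL" in r["commands"] and {"ALL", "root"} & set(r["runas"]):
            label = "root-equivalent" + (", no password" if r["nopasswd"] else "")
            findings += [(u, label) for u in r["users"] if u != "root"]
    return findings
```

Calling audit(SAMPLE) lists joe, mike, jude, linus and user2 as root-equivalent and go2linux as root-equivalent without a password prompt; user3, limited to the PRINTING commands, is not reported.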

You may want to read the sudoers man page.

Since you are still reading, here is a bonus:

The visudo command uses vi as its editor; here are some tips for using it:

  1. Switch to root (su root), then run visudo (as above).
  2. Find where it says “root ALL=(ALL) ALL”.
  3. Type “o” to insert a new line below it.
  4. Now type what you want to insert, e.g. “username ALL=(ALL) ALL”.
  5. Hit esc to exit insert-mode.
  6. Type “:x” to save and exit.

Can I change the default visudo editor?

Yes, changing the default visudo editor is easy.

And just because of your dedication in reading this far, I’ll show you how to set nano or vim as the default editor for the visudo command.

Using vim with visudo

export VISUAL=vim; visudo

Using nano with visudo

export VISUAL=nano; visudo

 
