Wednesday, July 28, 2010

Sudo


sudo cmd   # run one command as root (the default target user when -u is not given)
sudo -u svc-acct -H  bash # run bash as svc-acct: -u picks the target user, -H sets HOME to that user's home directory
# the shell is just the command sudo executes; sudoers must allow svc-acct to run bash (or ALL) for this to be permitted
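# simple sudoers file to allow specific users to become root.
# minimal fuss :)
# Alias members must be comma-separated; a space-separated list is a
# syntax error in visudo and the whole file is rejected.
User_Alias SUPERUSERS = sa, admin, toor
# who ALL=(ALL) ALL  ->  from any host, as any user, any command.
# No NOPASSWD tag, so the caller's password is still prompted for.
SUPERUSERS      ALL=(ALL) ALL
# User privilege specification
root     ALL=(ALL) ALL
# could have placed this user in the SUPERUSERS alias instead
tinh            ALL=(ALL) ALL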
# sudoers eg (2)
# simple file that lets the apache/oracle account (applmgr) start the web stack as root
# User alias specification
User_Alias      APACHE = applmgr
# Cmnd alias specification
# sudo matches commands by full path. NOTE(review): if applmgr can write to
# these scripts/binaries or their directories, this rule is effectively
# unrestricted root for applmgr; keep them root-owned and not writable by
# applmgr (verify ownership and permissions on the host).
Cmnd_Alias      HTTP_CMD = /u01/applmgr/ORADEVcomn/admin/scripts/ORADEV_oadevapp1/adapcctl.sh, \
/u01/applmgr/ORADEVora/iAS/Apache/Apache/bin/apachectl,  \
/u01/applmgr/ORADEVora/iAS/Apache/Apache/bin/httpd
# NOTE(review): a command listed without arguments accepts any arguments, and
# cat run as root can read any file on the system. Keep this alias to test
# hosts, or drop it from the rule below on production systems.
Cmnd_Alias      TEST_CMD = /usr/bin/cat, /usr/bin/echo
# NOPASSWD: no password prompt for either alias; no (user) is given, so the
# commands run as root (the default runas user)
APACHE  ALL = NOPASSWD: HTTP_CMD, TEST_CMD
# longer sudoers eg, (probably for the older version of sudo)
# http://www.courtesan.com/sudo/man/sudoers.html#examples
#
# Reading guide: each privilege line is   who   where = (as whom) what
#   who     - user name, %group, +netgroup or User_Alias
#   where   - host name, network or Host_Alias
#   as whom - optional; when omitted the command runs as root (the default)
#   what    - command list or Cmnd_Alias; NOPASSWD: disables the password prompt
# A command listed without arguments may be run with any arguments; a command
# listed with arguments matches only that exact argument list.
# User alias specification
User_Alias     REAL_ADMIN = tho, joycec, hhuynh
User_Alias     PSEUDO_ADMIN = jmedlin, terry
User_Alias     HELPDESK = wtang, sa
User_Alias     WEBMASTERS = lonly
# Runas aliases name the accounts a rule may run commands as
Runas_Alias    OP = root, operatora
Runas_Alias    DB = oracle, sybase
# Host alias specification
# Several aliases may be defined in one statement, separated by ':'
Host_Alias     SPARC = its01, ges-sun2, trout :\
HPUX  = cod, riptide :\
AIX   = brine, chicklet :\
LINUX = toolbox, ldap09 :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
# hosts may also be given as address/netmask or CIDR networks
Host_Alias     VLAN28 = 172.27.28.0/255.255.255.0
Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias     SERVERS = master, mail, www, ns
Host_Alias     CDROM = orion, perseus, hercules
# Cmnd alias specification
# NOTE(review): restore/rrestore write files as root; review who really needs DUMPS
Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias     KILL = /usr/bin/kill
Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias     HALT = /usr/sbin/halt
Cmnd_Alias     REBOOT = /usr/sbin/reboot
# SHELLS, SU and TEST are defined but not referenced by any rule in this excerpt
Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias     SU = /usr/bin/su
Cmnd_Alias     TEST = /bin/cat
# User privilege specification
# %group indicate /etc/group
root           ALL = (ALL) ALL
# every member of group briosa is effectively root (password still required)
%briosa        ALL = (ALL) ALL
# exact argument list: only "shutdown -h now", and only where the host field matches localhost
%puser         localhost=/sbin/shutdown -h now
# CAPS are group defined here in sudoers file
# NOPASSWD: ALL is password-less root for these accounts; protect their logins accordingly
REAL_ADMIN     ALL = NOPASSWD: ALL
# any command as root, password required
PSEUDO_ADMIN   ALL = ALL
# NOTE(review): /bin/cat as root reads any file on the system, and DUMPS
# includes restore; this is broader than a helpdesk role usually needs
HELPDESK       ALL = KILL, DUMPS, /bin/ls, /bin/cat
# unrestricted, but only on hosts inside the VLAN28 network
babuv          VLAN28 = ALL
# disabled rule kept for reference; a path ending in '/' allows every file in that directory
#operatora      ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
#               sudoedit /etc/printcap, /usr/oper/bin/
# su with exactly the argument "operatora"; other su arguments are not allowed by this rule
joe            ALL = /usr/bin/su operatora
# two host/command specs in one entry, separated by ':'; (OP) = run as root or operatora
bob            SPARC = (OP) ALL : SGI = (OP) ALL
# +netgroup membership (host or username)
# +biglab is in the host position, so it is read as a host netgroup
jim            +biglab = ALL
# +secretaries is in the user position, so it is read as a user netgroup
+secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# on host www: anything as user www, but as root only "su www"
WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www
# any user on the CDROM hosts may run these exact mount/umount commands without a password;
# "\," escapes the comma inside the mount options so it is not read as a list separator
ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM, \
/sbin/mount  /cdrom, \
/sbin/umount /cdrom, \
/sbin/mount  /mnt/cdrom, \
/sbin/umount /mnt/cdrom 
# end