Initial Settings : Configure Sudo (2023/12/15) |
Configure Sudo to separate users' duties when several people share administrative privileges.
[1] | Install Sudo. |
root@dlp:~ # pkg install -y sudo |
[2] | Grant full root privileges to a user. |
root@dlp:~ #
visudo # add to last line : user [freebsd] can use all root privilege # how to write ⇒ destination host=(owner) command freebsd ALL=(ALL:ALL) ALL # verify with user [freebsd] freebsd@dlp:~ $ ls -l /root
total 0
ls: /root: Permission denied
# denied
freebsd@dlp:~ $ sudo ls -l /root Password: # freebsd's password total 64 -rw-r--r-- 2 root wheel 1011 Nov 10 17:11 .cshrc -rw-r--r-- 1 root wheel 66 Nov 10 17:49 .k5login -rw-r--r-- 1 root wheel 316 Nov 10 17:11 .login -rw-r--r-- 2 root wheel 495 Nov 10 17:11 .profile -rw------- 1 root wheel 932 Dec 15 10:46 .sh_history -rw-r--r-- 1 root wheel 1174 Nov 10 17:11 .shrc -rw------- 1 root wheel 3233 Dec 15 10:45 .viminfo -rw------- 1 root wheel 564 Dec 15 10:41 mbox # possible executed |
[3] | In addition to the setting in [2], deny specific commands. Note that a `!` exclusion in sudoers cannot reliably restrict a user who is otherwise granted ALL, so treat it as a convenience rather than a security boundary; an explicit allow-list as in [4] and [5] is the safer model. |
root@dlp:~ #
visudo # add alias for the kind of shutdown commands # Cmnd alias specification Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \ /sbin/poweroff, /sbin/reboot, /sbin/init # add ( commands in alias [SHUTDOWN] are not allowed ) freebsd ALL=(ALL:ALL) ALL, !SHUTDOWN # verify with user [freebsd] freebsd@dlp:~ $ sudo /sbin/reboot Password: Sorry, user freebsd is not allowed to execute '/sbin/reboot' as root on dlp.srv.world. # denied as setting
|
[4] | Grant some commands with root privilege to the members of a group. Because `pw` and `passwd` can modify any account, members of this group are effectively trusted with root-level control over users. |
root@dlp:~ #
visudo # add alias for the kind of user management commands # Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/pw, /usr/sbin/rmuser, \
/usr/bin/passwd
# add to last line
%usermgr ALL=(ALL:ALL) USERMGR
root@dlp:~ #
pw groupadd usermgr root@dlp:~ # pw groupmod usermgr -m freebsd
# verify with user [freebsd] freebsd@dlp:~ $ sudo /usr/sbin/pw useradd testuser freebsd@dlp:~ $ freebsd@dlp:~ $ sudo /usr/bin/passwd testuser Changing local password for testuser New Password: Retype New Password: # possible executed
|
[5] | Grant specific commands with root privilege to individual users. Note that an editor such as `vi` run as root can open any file or spawn a shell, and `visudo` lets the user rewrite the sudoers policy itself, so these grants are effectively equivalent to full root; for editing particular files, `sudoedit` is the safer choice. |
root@dlp:~ #
visudo # add to last line : set specific commands to each user openbsd ALL=(ALL:ALL) /usr/local/sbin/visudo dragonfly ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/pw, /usr/sbin/rmuser, \ /usr/bin/passwd linux ALL=(ALL:ALL) /usr/bin/vi # verify with user [openbsd] openbsd@dlp:~ $ sudo /usr/local/sbin/visudo
# possible open and edit ## sudoers file. ## # verify with user [dragonfly] dragonfly@dlp:~ $ sudo /usr/sbin/pw userdel testuser -r
dragonfly@dlp:~ $
# possible executed
# verify with user [linux]
linux@dlp:~ $
sudo /usr/bin/vi /root/.profile
# possible open and edit # HOME=/root export HOME ..... ..... |
[6] | Sudo logs are written to [/var/log/auth.log] by default. To record only sudo logs in a separate file, configure as follows. |
root@dlp:~ #
visudo # add to last line Defaults syslog=local1
root@localhost:~#
vi /etc/syslog.conf
# line 10, 11 : add
local1.*                                        /var/log/sudo.log
auth.info;authpriv.info;local1.none             /var/log/auth.log
root@dlp:~ # touch /var/log/sudo.log
root@dlp:~ # chmod 600 /var/log/sudo.log
root@dlp:~ # service syslogd reload