Re: [SLE] sudoers file
From: The Wizard (markea_at_earthlink.net)
Date: 08/13/03
To: tarjei+a_lists.suse@nu.no, SLE <suse-linux-e@suse.com>
Date: Wed, 13 Aug 2003 08:52:20 -0700
On Wednesday 13 August 2003 06:41, Tarjei Huse wrote:
> Hi,
>
> Does anyone have some nice sudotricks to show off?
>
> I'd like to see some examples and tips that I might use for my own
> setup. Also, what is needed in a users environment to be able to run
> SuSE style rc<servername> scripts?
>
> Tarjei
Tarjei -
Have been using "sudo" for years, on many different *nix OSes. There are
many ways to implement it; I like it because it logs all commands, and I can
always go back and see what I did. Here's my sudoers file:
#
# This file MUST be edited with the 'visudo' command as root.
#
#---------------------------------------------------------------------------
# User aliases allow groups of users (like /etc/group) to be granted a
# common set of "sudo" privileges
#---------------------------------------------------------------------------
#
# User alias specification
#
# FULLSA is the System Admin team, including contractors
#
User_Alias FULLSA=markea
#
# OPERATOR are the system operators
#
User_Alias OPERATOR=bfb3,sxn7
#
# Oracle user is oracle on some machines, oracle7 on others
#
User_Alias DBAS=oracle,orahrprd,orahrvol,orahrtst,pshrprd,pshrvol,pshrtst
#
#---------------------------------------------------------------------------
# Runas aliases allow one account to "run as" another
#---------------------------------------------------------------------------
#
# Runas alias specification
#
Runas_Alias OP=root,operator
#---------------------------------------------------------------------------
# Command aliases allow privileges to be granted on a "per command" basis
#---------------------------------------------------------------------------
#
# Cmnd alias specification
#
#
# DUMPS grants access to command-line backup/restore tools
#
Cmnd_Alias DUMPS=/usr/sbin/dump, \
/sbin/restore, \
/usr/sbin/fbackup, \
/sbin/frecover
#
Cmnd_Alias KILL=/usr/bin/kill
#
# PRINTING is the list of commands for managing printers/queues
#
Cmnd_Alias PRINTING=/bin/cancel,\
/usr/sbin/accept,\
/usr/sbin/reject,\
/usr/bin/enable,\
/usr/bin/disable,\
/usr/sbin/lpadmin,\
/usr/sbin/lpmove,\
/opt/hpnp/bin/jetadmin,\
/usr/sbin/lpsched,\
/usr/sbin/lpshut
#
# Shutdown and reboot commands
#
Cmnd_Alias SHUTDOWN=/usr/sbin/shutdown
Cmnd_Alias HALT=/usr/sbin/halt
Cmnd_Alias REBOOT=/usr/sbin/reboot
#
# List of shells for disallowing root shells to users
#
Cmnd_Alias SHELLS=/bin/sh,\
/bin/csh,\
/bin/ksh,\
/bin/rksh,\
/opt/local/bin/bash,\
/bin/bash,\
/opt/local/bin/tcsh,\
/bin/tcsh
#
# Restricting "su" prevents users becoming root by "su -" or "su - root"
#
Cmnd_Alias SU=/bin/su,\
/usr/bin/su
#
# "vipw" and "/bin/passwd" edit the password file -- VERY DANGEROUS
#
Cmnd_Alias VIPW=/usr/ucb/vipw,/bin/passwd
#
# "ftp" should NOT be allowed as root -- handle with care
#
Cmnd_Alias FTP=/usr/bin/ftp
#
# The "ch" commands are here for users like the Webmaster, who need to change
# ownership/permissions of files uploaded by other users
#
Cmnd_Alias CHFILES=/bin/chmod,/bin/chown,/bin/chgrp
#
# The "OROOT" alias allows the Oracle user to run the "root.sh" portion of
# Oracle installation routines as root without requiring a SysAdmin to help
# The "mount" and "unmount" allow the DBAs to mount Oracle CDs for install
#
Cmnd_Alias OROOT=/*/orainst/root.sh,\
/cdrom/orainst/orainst
Cmnd_Alias BEORACLE=/usr/bin/su - oracle
Cmnd_Alias MNTCMDS=/sbin/mount,\
/sbin/umount
Cmnd_Alias WEBSRV=/opt/netscape/suitespot/restart-admin,\
/opt/netscape/suitespot/start-admin,\
/opt/netscape/suitespot/stop-admin,\
/opt/netscape/suitespot/https-*/start,\
/opt/netscape/suitespot/https-*/restart,\
/opt/netscape/suitespot/https-*/stop,\
/etc/init.d/owas-admin,\
/etc/init.d/owas,\
/opt/local/adm/webperm
#
# The "rcp" command for use by the DBA's to move file between domains
#
Cmnd_Alias RCP=/usr/bin/rcp
#---------------------------------------------------------------------------
# User specifications associate commands, users and privileges
#---------------------------------------------------------------------------
#
# User specification
#
# root can run anything on any machine as any user
root ALL=(ALL) ALL
#***************************************************************************
# Permissions for SysAdmin team -- allow on ALL machines
#***************************************************************************
FULLSA ALL=NOPASSWD:ALL,!/usr/bin/su - root,!/usr/bin/su -
#***************************************************************************
# Permissions for Oracle user -- allow on all Oracle machines
# Oracle user can not "su" or run shells as root, but they can
# mount/unmount CDs, run "root.sh" and chown/chgrp/chmod
#***************************************************************************
DBAS ALL=!SU,!SHELLS,CHFILES,OROOT,MNTCMDS,RCP
#---------------------------------------------------------------------------
Mark Almeida
-- Powered by SuSE Linux Pro 8.2/Kmail 1.5.3
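Added example, not part of the thread above: a small Python resolver for the sudoers features the posted file relies on (User_Alias, Runas_Alias, Cmnd_Alias, backslash continuation, NOPASSWD: tags and "!" negation), run over a constructed sample modelled on that file. It answers "what can this account run?" and flags two things a reviewer of the posted file would want to know: sudoers(5) documents that exclusions carved out of ALL (the FULLSA line) are not a reliable restriction, and since sudo denies by default, the "!SU,!SHELLS" entries on the DBAS line deny nothing that was ever granted. The parser is deliberately narrow: it ignores %group and +netgroup users, host matching, wildcards and sudo's last-match-wins ordering, and the sample file is constructed, not the original.

```python
"""Resolve and audit a minimal sudoers file (constructed example)."""
import re

# Constructed sample modelled on the posted sudoers file; not the original.
SAMPLE_SUDOERS = r"""
# edit with visudo
User_Alias FULLSA=markea
User_Alias DBAS=oracle,orahrprd
Runas_Alias OP=root,operator
Cmnd_Alias SHELLS=/bin/sh,\
    /bin/bash
Cmnd_Alias SU=/bin/su,\
    /usr/bin/su
Cmnd_Alias CHFILES=/bin/chmod,/bin/chown,/bin/chgrp
Cmnd_Alias MNTCMDS=/sbin/mount,/sbin/umount
root ALL=(ALL) ALL
FULLSA ALL=NOPASSWD:ALL,!/usr/bin/su - root,!/usr/bin/su -
DBAS ALL=!SU,!SHELLS,CHFILES,MNTCMDS
"""

ALIAS_RE = re.compile(r"^(User_Alias|Runas_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
# user  host=(runas) [TAG:]cmd,cmd,...  (runas group is optional)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD):\s*(.*)$")


def logical_lines(text):
    """Join backslash continuations and drop blank and comment lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip()
            continue
        buf += line
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    return out


def parse_sudoers(text):
    """Return ({alias kind: {name: members}}, [user specs])."""
    aliases = {"User_Alias": {}, "Runas_Alias": {}, "Cmnd_Alias": {}}
    specs = []
    for line in logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {line!r}")
        who, host, runas, cmds = m.groups()
        entries, nopasswd = [], False      # a tag sticks until the next tag
        for item in cmds.split(","):
            item = item.strip()
            tag = TAG_RE.match(item)
            if tag:
                nopasswd = tag.group(1) == "NOPASSWD"
                item = tag.group(2).strip()
            entries.append((item, nopasswd))
        specs.append({"who": who, "host": host, "runas": runas or "root",
                      "entries": entries})
    return aliases, specs


def expand_cmnd(entry, cmnd_aliases):
    """Expand one entry into (denied, command) pairs. An odd number of leading
    '!' negates; negating an alias negates each of its members."""
    stripped = entry.lstrip("!")
    negated = (len(entry) - len(stripped)) % 2 == 1
    if stripped in cmnd_aliases:
        return [(denied != negated, cmd)          # boolean XOR
                for member in cmnd_aliases[stripped]
                for denied, cmd in expand_cmnd(member, cmnd_aliases)]
    return [(negated, stripped)]


def matches_user(who, user, user_aliases):
    """True if `who` (a name, ALL, or User_Alias) covers `user`; %group and
    +netgroup forms are not resolved here (assumption of this example)."""
    if who in ("ALL", user):
        return True
    return who in user_aliases and any(
        matches_user(m, user, user_aliases) for m in user_aliases[who])


def permissions_for(user, parsed):
    """Ordered (denied, command, runas, nopasswd) tuples that apply to user."""
    aliases, specs = parsed
    result = []
    for spec in specs:
        if not matches_user(spec["who"], user, aliases["User_Alias"]):
            continue
        for entry, nopasswd in spec["entries"]:
            for denied, cmd in expand_cmnd(entry, aliases["Cmnd_Alias"]):
                result.append((denied, cmd, spec["runas"], nopasswd))
    return result


def audit(parsed):
    """Flag patterns sudoers(5) warns about: exclusions carved out of ALL,
    passwordless ALL, and denials that never had a matching grant."""
    aliases, specs = parsed
    findings = []
    for spec in specs:
        who = spec["who"]
        expanded = [(d, c, np) for e, np in spec["entries"]
                    for d, c in expand_cmnd(e, aliases["Cmnd_Alias"])]
        if any(c == "ALL" and not d for d, c, _ in expanded):
            if any(d for d, _, _ in expanded):
                findings.append(f"{who}: exclusions after ALL are not a reliable restriction")
            if any(c == "ALL" and np and not d for d, c, np in expanded):
                findings.append(f"{who}: NOPASSWD applies to ALL")
        granted, noop = set(), []
        for d, c, _ in expanded:            # sudo is deny by default
            if d and "ALL" not in granted and c not in granted:
                noop.append(c)
            elif not d:
                granted.add(c)
        if noop:
            findings.append(f"{who}: denials with no prior grant have no effect: {', '.join(noop)}")
    return findings


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for row in permissions_for("oracle", parsed):
        print(row)
    for finding in audit(parsed):
        print("WARN", finding)
```

Running it lists what "oracle" may run as root and prints a warning for each of the FULLSA and DBAS lines. The resolver is a review aid only; `visudo -c` remains the authoritative syntax check, and sudo's own last-match-wins evaluation decides at run time.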