1. 程式人生 > >怎樣使使用者擁有sudo的許可權:Add User to “sudoers” File(轉)

怎樣使使用者擁有sudo的許可權:Add User to “sudoers” File(轉)

Filed under: Linux, ubuntu — Tags: sudo, sudoers file — Benaiah @ 10:17 am

To give a user the ability to use the “sudo” command you must add them to the “sudoers” file.  Here’s how.

Thanks to ubuntucat (see comment below) for the following suggestion!  The easiest way to allow a user to sudo is to simply run the following command from the Terminal:

To open the Terminal:

Applications >> Accessories >> Terminal

Once the Terminal is open type:

sudo adduser username admin

This must be done from an account that already has sudo abilities or else from the root account.

If for some reason you have to manually edit the “sudoers” file keep reading!

Open the file “sudoers” located at /etc/sudoers using your favorite text editor.  You must have root permissions to be able to edit this file so you will want to open your editor from the command line.

To use gedit you would do the following:

Open the Terminal and type:

sudo gedit /etc/sudoers

If you want to use vim you can simply enter the following into the Terminal:

sudo visudo

Once you have the sudoers file open, scroll down to the line:

root   ALL = (ALL)    ALL

Add the folling line below the root line (replacing “user” with the name of the account you wish to give sudo access to)

user   ALL = (ALL)    ALL

Save and close the file.  The new user has now been added to the “sudoers” file and can use the “sudo” command.

另一篇:

 Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done.

Debian’s sudo package has the password timeout set to 15 minutes. This means that when you first enter your password, as long as you don’t wait more than 15 minutes between sudo commands, you won’t have to enter it again. The password timeout can be immediately expired with sudo -k.

Debian’s sudo is compiled with

--with-exempt=sudo
--with-secure-path=”/usr/local/sbin:/usr/local/bin:/usr/sbin:

As a consequence, the PATH of the user is ignored except if the user is in group sudo.

Installing SUDO in Debian

# apt-get install sudo

This will complete the installation of sudo.

SUDO Configuration file is /etc/sudoers

Default sudoers file looks like below

# /etc/sudoers
#
# This file MUST be edited with the ‘visudo’ command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

Only last line is valid now this means that the root user can run any command.

If you want to give perticular user to run any command use the following line in /etc/sudoers file

#vi /etc/sudoers

add the following line

user ALL=(ALL) ALL

here user means username

To run one command as root

sudo command

For more commands, run your shell with sudo.

sudo sh (if sh is your shell.)

Be careful when you are root. When you are done, type exit

SUDO Configuration examples

# User alias specification

User_Alias ADMINS = user1, user2, user3
User_Alias WEBMASTERS = user4, user5, user6

# command alias specification

Cmnd_Alias APACHE = /usr/local/sbin/kickapache
Cmnd_Alias TAIL = /usr/bin/tail

Cmnd_Alias SHUTDOWN = /sbin/shutdown

Cmnd_Alias APT = /usr/bin/apt-get, /usr/bin/dpkg

# privileges

ROOT ALL = (ALL) ALL
WEBMASTERS ALL = PASSWD : APACHE, TAIL
admin ALL = NOPASSWD : /etc/init.d/apache

Running Commands Using SUDO

To get a file listing of an unreadable directory

$sudo ls /usr/local/protected

To list the home directory of user test on a machine where the file system holding ~test is not exported as root

$sudo -u test ls ~test

To edit the index.html file as user www:data

$sudo -u www:data vi ~www/htdocs/index.html

To shutdown a machine:

$sudo shutdown -r +15 “quick reboot”

To make a usage listing of the directories in the /home partition. Note that this runs the commands in a sub-shell to

make the cd and file redi-rection work.

$sudo sh -c “cd /home ; du -s * | sort -rn > USAGE”

If you want more options about sudo check sudo man page

Using Rootsh with SUDO

One more nice tool to use with sudo is rootsh

Download and install rootsh

Rootsh is a wrapper for shells which logs all echoed keystrokes and terminal output to a file and/or to syslog. It’s main purpose is the auditing of users who need a shell with root privileges. They start rootsh through the sudo mechanism.

Start a shell with logging of input/output. Rootsh must be started via sudo if you want to become root. It does not raise your privileges on it’s own. You can run rootsh as a standalone application if you only want to log your own user’s session. If you call rootsh with additional commands, these will be passed to the shell.

You can create an entry in /etc/sudoers file

trusted_user host_or_ALL = /bin/rootsh

Rootsh Syntax

rootsh [OPTION]… [--] [COMMANDS]

$sudo rootsh

User should see himself in a root shell, as if he typed “su -” or “sudo -s”.

Main advantage of this is, everything user types will be sent to syslog. So if he tries to access some secure files from the server you can catch him using the logfiles from your syslog server.

Rootsh Usage Examples

$sudo rootsh

Start a logged root shell

$sudo rootsh -u oracle

Start a logged shell in the context of user oracle.

$rootsh -f mysession.log --no-syslog

Start a new shell for your user id, write protocol into mysession.log, do not send anything to syslog. This is

identical to “script -f mysession.log”

$sudo rootsh -i -u oracle lsnrctl stop

Run command “lsnrctl stop” as user oracle. (this will call sh -c “lsnrctl stop”)

$sudo rootsh -i -u oracle -- ls -l

Run command “ls -l” as user oracle. (this will call sh -c “ls -l”)