Page 214 - DCAP602_NETWORK_OPERATING_SYSTEMS_I
Network Operating Systems-I
Notice also that the absence of any username in parentheses () after the = sign prevents
the users from running the commands while masquerading as another user. This is
explained further in the next example.
Granting Access to Specific Files as Another User
The sudo -u option allows you to execute a command as if you were another user, but first
you have to be granted this privilege in the sudoers file.
This feature can be convenient for programmers who sometimes need to kill processes related
to projects they are working on. For example, programmer peter is on the team developing a
financial package that runs a program called monthend as user accounts. From time to time the
application fails, requiring “peter” to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill
commands, but only as user “accounts”. The sudoers entry would look like this:
peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
User peter is allowed to stop the monthend process with this command:
[peter@bigboy peter]# sudo -u accounts pkill monthend
Granting Access Without Needing Passwords
This example allows all users in the group operator to execute all the commands in the /sbin
directory without the need for entering a password. This has the added advantage of being more
convenient to the user:
%operator ALL= NOPASSWD: /sbin/
Using Aliases in the sudoers File
Sometimes you’ll need to give loosely related groupings of users from various departments very
similar sets of privileges. The sudoers file allows users to be grouped according to function, and
the group is then assigned a nickname, or alias, which is used throughout the rest of the
file. Groupings of commands can be assigned aliases too.
In the next example, users peter, bob and bunny and all the users in the operator group are
made part of the user alias ADMINS. All the command shell programs are then assigned to the
command alias SHELLS. Users ADMINS are then denied the option of running any SHELLS
commands and su:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
/usr/bin/ksh, /usr/local/bin/tcsh, \
/usr/bin/rsh, /usr/local/bin/zsh
User_Alias ADMINS = peter, bob, bunny, %operator
ADMINS ALL = !/usr/bin/su, !SHELLS
This attempts to ensure that users don’t permanently su to become root, or enter command shells
that bypass sudo’s command logging. It doesn’t prevent them from copying those shell binaries to
other locations and running them from there. The advantage of this is that it helps to create an
audit trail, but the restrictions can be enforced only as part of the company’s overall security policy.
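To make the matching rules in this and the preceding examples concrete, here is an added example (not part of the original text, and not sudo’s own code) that parses this page’s sudoers entries and answers which commands a user may run as which target user, applying sudo’s rule that when several entries match, the last match wins. The sample file is constructed from the entries shown above; the function names are my own.

```python
import re

# Constructed sudoers fragment assembled from the entries discussed on this page.
SUDOERS = r"""
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
    /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh
User_Alias ADMINS = peter, bob, bunny, %operator
peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
%operator ALL= NOPASSWD: /sbin/
ADMINS ALL = !/usr/bin/su, !SHELLS
"""

def expand(aliases, name):  # recursively expand an alias; a literal user, %group or path passes through
    return [m for x in aliases.get(name, [name])
            for m in ([x] if x == name else expand(aliases, x))]

def parse(text):  # -> (aliases, rules); each rule is (users, runas, nopasswd, command specs)
    aliases, rules = {}, []
    joined = re.sub(r"\\\n\s*", " ", text)  # fold backslash line continuations
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in joined.splitlines())):
        m = re.match(r"(?:Cmnd|User)_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\((\w+)\))?\s*(NOPASSWD:)?\s*(.*)", line)
        # No "(user)" after "=" means the commands may only be run as root.
        rules.append((expand(aliases, m.group(1)), m.group(2) or "root",
                      bool(m.group(3)), [x.strip() for x in m.group(4).split(",")]))
    return aliases, rules

def cmd_covered(aliases, spec, cmd):  # -> (matches, negated) for '!SHELLS', '/sbin/', '/bin/kill', ...
    negated = spec.startswith("!")
    for path in expand(aliases, spec.lstrip("!")):
        # A spec ending in "/" matches any file directly inside that directory.
        if cmd == path or (path.endswith("/") and cmd.startswith(path)
                           and "/" not in cmd[len(path):]):
            return True, negated
    return False, negated

def check(sudoers, user, groups, runas, cmd):  # -> (allowed, nopasswd); last matching spec wins
    aliases, rules = parse(sudoers)
    idents = {user} | {"%" + g for g in groups}
    verdict = (False, False)
    for users, rule_runas, nopasswd, specs in rules:
        if idents.isdisjoint(users) or rule_runas != runas:
            continue
        for matched, negated in (cmd_covered(aliases, s, cmd) for s in specs):
            if matched:
                verdict = (not negated, nopasswd)
    return verdict
```

Running check(SUDOERS, "peter", [], "accounts", "/usr/bin/pkill") returns (True, False), while the same command as root returns (False, False), which is exactly the effect of the (accounts) entry discussed above.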
208 Lovely Professional University