Sudo and passwords configuration: Difference between revisions
Jump to navigation
Jump to search
m (Elvanor moved page Sudo configuration to Sudo and passwords configuration without leaving a redirect) |
mNo edit summary |
||
| Line 1: | Line 1: | ||
= Concepts = | = Sudo = | ||
== Concepts == | |||
* With sudo you can specify which users may run which commands on a given host, and as a given user. You can configure sudo so that it does, or does not, prompt for a password. | * With sudo you can specify which users may run which commands on a given host, and as a given user. You can configure sudo so that it does, or does not, prompt for a password. | ||
| Line 5: | Line 7: | ||
* You can also run a command as a different group with the -g flag. This is only available since sudo-1.7.0. | * You can also run a command as a different group with the -g flag. This is only available since sudo-1.7.0. | ||
= Main configuration file = | == Main configuration file == | ||
* The configuration is done via /etc/sudoers. | * The configuration is done via /etc/sudoers. | ||
| Line 18: | Line 20: | ||
%shoopz ALL = (:shoopz) NOPASSWD: /usr/local/bin/unison | %shoopz ALL = (:shoopz) NOPASSWD: /usr/local/bin/unison | ||
= Environment variables = | == Environment variables == | ||
* Normally, sudo passes to the processes it creates a clean environment (eg, no environment variables from the parent shell). However this behavior can be modified via some flags (env_reset, env_keep etc). env_keep is specially interesting as it allows a specified environment variable to be passed to the process sudo creates. | * Normally, sudo passes to the processes it creates a clean environment (eg, no environment variables from the parent shell). However this behavior can be modified via some flags (env_reset, env_keep etc). env_keep is specially interesting as it allows a specified environment variable to be passed to the process sudo creates. | ||
= Passwords = | |||
* Using passwd will prevent you to choose a "weak" password by default on Gentoo. Change the /etc/security/passwdqc.conf file (with enforce=none line) to be able to circumvent this constraint. | |||
Latest revision as of 20:25, 11 July 2023
Sudo
Concepts
- With sudo you can specify which users may run which commands on a given host, and as a given user. You can configure sudo so that it does, or does not, prompt for a password.
- If you wish to run a command as a different user (if you are root for example, and wish to launch as tomcat), pass the -u user parameter to sudo.
- You can also run a command as a different group with the -g flag. This is only available since sudo-1.7.0.
Main configuration file
- The configuration is done via /etc/sudoers.
- A single line looks like:
elvanor ALL = (tomcat) NOPASSWD: /usr/bin/gimp-console, /usr/bin/convert
This would mean that the user elvanor may run, as the user tomcat, the commands gimp-console and convert on any host (the first ALL represent the hosts). He won't be asked for a password.
- To configure the groups that the command may be run as, you need to add a second list after a semi-colon in the proper place, like this:
%shoopz ALL = (:shoopz) NOPASSWD: /usr/local/bin/unison
Environment variables
- Normally, sudo passes to the processes it creates a clean environment (eg, no environment variables from the parent shell). However this behavior can be modified via some flags (env_reset, env_keep etc). env_keep is specially interesting as it allows a specified environment variable to be passed to the process sudo creates.
Passwords
- Using passwd will prevent you to choose a "weak" password by default on Gentoo. Change the /etc/security/passwdqc.conf file (with enforce=none line) to be able to circumvent this constraint.