Sudo and passwords configuration: Difference between revisions

From Elvanör's Technical Wiki

Revision as of 17:42, 27 February 2009

Concepts

  • With sudo you can specify which users may run which commands on a given host, and as a given user. You can configure sudo so that it does, or does not, prompt for a password.
  • If you wish to run a command as a different user (for example, if you are root and wish to launch a command as tomcat), pass the -u user parameter to sudo.
  • You can also run a command as a different group with the -g flag. This is only available since sudo-1.7.0.

Main configuration file

  • The configuration is done via /etc/sudoers.
  • A single line looks like:
elvanor ALL = (tomcat) NOPASSWD: /usr/bin/gimp-console, /usr/bin/convert

This means that the user elvanor may run, as the user tomcat, the commands gimp-console and convert on any host (the first ALL represents the hosts). He won't be asked for a password.

  • To configure the groups that the command may be run as, you need to add a second list after a colon inside the parentheses, like this:
%shoopz ALL = (:shoopz) NOPASSWD: /usr/local/bin/unison
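
An added example (not part of the original wiki page): a small Python parser for the simple single-line rule form shown above. It lists the rules that skip the password prompt and resolves which user and group each one runs as. The `deploy` rule in the sample is constructed, and the parser ignores aliases, Defaults lines, line continuations and escaped commas.

```python
import re

# Simple single-line form shown on this page:
#   who host = (runas_users:runas_groups) TAG: cmd, cmd
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"      # optional (users:groups)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"        # optional tags such as NOPASSWD:
    r"(?P<cmds>.+)$"
)

def _split(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def parse_rule(line):
    """Parse one simple user specification; return None for other lines."""
    line = line.strip()
    first = line.split()[0] if line else "#"
    if first[0] == "#" or first.startswith("Defaults") or first.endswith("_Alias"):
        return None                      # simplification: '#' lines are skipped
    m = RULE.match(line)
    if m is None:
        return None
    runas = m.group("runas")
    users, _, groups = (runas or "").partition(":")
    if runas is None:
        run_users = ["root"]             # no (...) part: sudo defaults to root
    else:
        run_users = _split(users) or ["<invoking user>"]  # group-only spec
    return {
        "who": m.group("who"),
        "host": m.group("host"),
        "runas_users": run_users,
        "runas_groups": _split(groups),
        "nopasswd": "NOPASSWD" in re.findall(r"[A-Z_]+", m.group("tags")),
        "commands": _split(m.group("cmds")),
    }

# Constructed sample: the two rules from this page plus one invented rule.
SAMPLE = """\
elvanor ALL = (tomcat) NOPASSWD: /usr/bin/gimp-console, /usr/bin/convert
%shoopz ALL = (:shoopz) NOPASSWD: /usr/local/bin/unison
deploy  ALL = NOPASSWD: ALL
"""

def passwordless_rules(text):
    """Return parsed rules that skip the password prompt, for review."""
    rules = (parse_rule(line) for line in text.splitlines())
    return [r for r in rules if r and r["nopasswd"]]
```

Calling passwordless_rules(SAMPLE) returns all three rules; the constructed `deploy` rule resolves to root with every command allowed, which is the kind of entry a review of /etc/sudoers should single out.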

Environment variables

  • Normally, sudo passes a clean environment to the processes it creates (e.g., no environment variables from the parent shell). However, this behavior can be modified via some flags (env_reset, env_keep, etc.). env_keep is especially interesting, as it allows a specified environment variable to be passed to the process sudo creates.