If a server needs to be administered by a number of people it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.
The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands they would not normally be able to due to file permission restrictions. The commands can be run as user "root" or as any other user defined in the /etc/sudoers configuration file.
The privileged command you want to run must first begin with the word sudo followed by the command's regular syntax. When running the command with the sudo prefix, you will be prompted for your regular password before it is executed. You may run other privileged commands using sudo within a five-minute period without being re-prompted for a password. All commands run as sudo are logged in the log file /var/log/messages.
Excerpts from "man sudo"
sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file (the group vector is also initialized when the target user is not root). By default, sudo requires that users authenticate themselves with a password. sudo determines who is an authorized user by consulting the file /etc/sudoers. By giving sudo the -v flag a user can update the time stamp without running a command. The password prompt itself will also time out if the user's password is not entered within 5 minutes (unless overridden via sudoers).
A few examples to get aquainted with SUDO:
To get a file listing of an unreadable directory:$ sudo ls /etc/protected-dir
To edit the index.html file as user www:
$ sudo -u www vi ~www/htdocs/index.html
TRAP:
It becomes tricky sometime e.g.:
$ sudo echo 12000 > /proc/protected
This fails with "permission denied" because the file
is writable only by root. Here's how I did it:
echo "echo 12000 > /proc/protected" | sudo sh
No comments:
Post a Comment