LabPrimer
Best practices for pocket research and development labs in informatics. Integrates agile industrial practices with ethnomethodology, interaction design, sense-making and more.

Guests are welcome to view our materials. To subscribe, edit, view raw markup, etc., you'll need to register for an account. Accounts are free (and will always be free) - your involvement helps us directly and indirectly (by demonstrating that our work matters to our funders...) StartingPoints has more info.

Use Sudo!

sudo is a system that (1) provides you with a log of the commands you run through it as superuser, and (2) allows finer-grained control over who can do what than simply putting trusted users into group wheel. Really, the only time you should ever use the su command to act as root is to set up sudo.

Getting started with sudo

We provide a crash course in setting up sudo; however, don't forget to RtFM as well, as it is your security that is on the line, not ours!

The configuration file for sudo is /etc/sudoers. You have to use a special command, visudo, to edit /etc/sudoers. You can make visudo use your favorite editor (rather than vi) by setting the environment variable EDITOR in your shell before invoking visudo, but that's properly the subject of another topic.

  1. Log in to your privileged administrator account (we're calling it rosta for sentimental reasons). Enter
    su
    at the prompt, followed by the root password, to become the superuser. This is marginally better than logging in to the root account to work on your server...
  2. Type visudo at the prompt. An editor will open with the default configuration of /etc/sudoers. Work your way down to the line below the comment that says "Allows people in group wheel to run all commands" (don't choose the one that says "Same thing without a password" - you can do that later, if you decide to configure SshD to disable password logins and opt for certificate or public-key logins instead).
  3. Make a copy of the existing line (much easier IMNSHO when scanning diff reports of configuration files later), then remove the comment character # and the space at the beginning of the line. Save your work. Log out and back in, and check that you did things correctly by using sudo to acquire superuser privileges:
    sudo -s
  4. Most of the time, you'll want to just prefix each command with sudo, as asking for a superuser shell is a dangerous habit.

Better use of sudo

It's really better not to just put folks in wheel and let them have full privileges. One of the wonderful things about sudo is its ability to confer heightened privileges within a limited scope. So you can give privileges to mount and unmount media, but not other things, or to restart certain servers, for example.
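
The scoped grants described above could look like this in /etc/sudoers. This is an added example, not configuration from the original page; the user names (alice, bob, carol), the command paths, the mount point and the httpd init script are assumptions to adapt to your own system.

```sudoers
# Added with visudo, so the syntax is checked before the file is saved.
# All user names, paths and service names below are constructed examples.

# Broad grant: every member of wheel may run any command as any user.
# Leave it commented out for anyone who only needs the narrow rights below.
# %wheel  ALL=(ALL) ALL

# Who gets which limited role.
User_Alias  MEDIA_USERS = alice, bob
User_Alias  WEB_OPS     = carol

# What each role may run. Commands are given by full path, and because
# arguments are listed, only these exact invocations are permitted:
# "mount /media/cdrom" matches, "mount /dev/sda1 /mnt" does not.
Cmnd_Alias  MEDIA       = /bin/mount /media/cdrom, /bin/umount /media/cdrom
Cmnd_Alias  WEB_RESTART = /etc/init.d/httpd restart, /etc/init.d/httpd status

# user-list  host-list = (run-as user)  command-list
MEDIA_USERS  ALL = (root) MEDIA
WEB_OPS      ALL = (root) WEB_RESTART
```

After saving, each of these users can run sudo -l to see exactly which commands they have been granted, and anything outside the list is refused and logged.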

See also ManagingSecurity


r7 - 24 Apr 2009 - 20:13:10 - HilaryHolz
This site is powered by the TWiki collaboration platform. Copyright 1999-2010 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.