Letting Mortals Play at Wizardry: SuperUsers
It has been said here frequently that it is generally a bad idea to log in as Root and do work. Too much damage can be done, and if you're connected to the Internet, you can actually lose control of your system to an attacker. Nonetheless, there are tasks and operations that can be done only by Root, and you may find yourself needing to be Root on a daily basis. Fortunately, there is a built-in solution to this problem: becoming the SuperUser.
There are two ways to perform Root tasks while being logged in as a generic user. The su command allows anyone with the Root password to become Root. In a larger system, Root can also assign specific tasks to users without handing out the Root password by implementing the sudo command.
Changing User Identity with su
When you run YaST to make changes in your configuration, you are first asked for the Root password. You have just used su to become Root.
Whether the task is installing software, troubleshooting problems, or handling some other system-related issue, you will need this command sooner or later.
To run su from the shell prompt, use this syntax:
su <option> <username> <arguments>
Typing su by itself means you want to log in as Root, and you'll be prompted for the Root password. You'll also retain your own environment settings. To gain Root's environment, type su -.
To run a single Root command from the shell and return to your user prompt, use the -c switch. Quote the command so that it is passed to su as one argument. Try something like this:
su root -c "chmod 600 /etc/shadow"
When you have completed your Root tasks, type exit to return to your user prompt.
Using sudo to Grant Root Privileges
When you're the system administrator of a large system with lots of users, you don't want to give out the Root password to everyone who wants to install software on his or her computer. You can solve this problem with SuperUser Do, or sudo.
You configure sudo by editing /etc/sudoers with the special visudo editor. As you might guess, visudo is a version of vi made for use with this file. It checks for parsing errors in your edits, so you should definitely use this, rather than your regular editor (even if you normally work with vi). You may want to return to the vi section of Chapter 5 to review some of the commands if you are not familiar with this editor.
Run su to log in as Root before running visudo. To begin, run visudo with no arguments; that is:
visudo
The default /etc/sudoers file appears in the shell, looking something like this:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
Defaults targetpw   # ask for the password of the target user i.e. root
%users ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
# User privilege specification
# You should not use sudo as root in an SELinux environment
# If you use SELinux, remove the following line
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Before editing sudoers, you may want to review the man pages for both sudoers and visudo (sudo itself has a man page as well) for instructions on how to use these files.
Feel free to uncomment any of the default lines to activate them, but rather than altering the default lines, add new lines of your own (with a comment documenting what each one is for). The basic format of a sudoers line is this:
<user> <host_computer>=<command>
The user can also be a group, written with a leading % sign; so, for example, to grant permission to the Writers group to run YaST Online Update, add this line:
%writers ALL=/sbin/yast2
To grant the Writers group this same permission without having to enter a password, put the NOPASSWD: tag in front of the command:
%writers ALL=NOPASSWD: /sbin/yast2
When you're finished editing, type :wq to save changes and return to the shell prompt. Type exit to return to your user prompt.
Once configured, sudo is very easy to use. Anyone in the Writers group should now be able to type this command to run YaST:
sudo /sbin/yast2
Depending on how you set it, writers may be prompted for their own user password to confirm membership in the group.
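As an added example (not from the book), here is a small POSIX shell audit that reads sudoers-style rules and flags the two things worth a second look in the default file above: rules whose command list is ALL, such as %users ALL=(ALL) ALL, and rules carrying the NOPASSWD: tag. The sudoers text, including the two %writers rules, is constructed for the example rather than read from a real /etc/sudoers.

```shell
# Constructed sudoers text for the demo (not read from the real /etc/sudoers):
# the broad default rules shown above plus two hypothetical %writers rules.
SAMPLE_SUDOERS='# sudoers file.
Defaults targetpw
%users ALL=(ALL) ALL
root ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
%writers ALL=/sbin/yast2
%writers ALL=NOPASSWD: /sbin/yast2'

# audit_sudoers TEXT: print one finding per active rule that is either
# unrestricted (command list is ALL) or passwordless (NOPASSWD: tag).
# Comments, blank lines and Defaults lines are skipped; a narrow rule such
# as "%writers ALL=/sbin/yast2" produces no output.
audit_sudoers() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|\#*|Defaults*) continue ;;   # blank, comment or option line
        esac
        who=${line%% *}                     # user name or %group
        cmds=${line#*=}                     # everything after "host="
        cmds=${cmds#"("*") "}               # drop an optional "(runas) "
        case "$cmds" in
            ALL|*" ALL"|*,ALL)
                echo "$who: grants ALL commands" ;;
        esac
        case "$cmds" in
            *NOPASSWD:*)
                echo "$who: no password required" ;;
        esac
    done
}

# sudoers_is_narrow TEXT: succeed (exit 0) only when the audit finds nothing,
# so the check can gate a configuration before it is installed.
sudoers_is_narrow() {
    [ -z "$(audit_sudoers "$1")" ]
}
```

Running audit_sudoers "$SAMPLE_SUDOERS" reports %users and root as unrestricted and the second %writers rule as passwordless, while the first %writers rule is silent.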