Today I'll detail the steps needed to install and configure sudo on FreeBSD from a desktop/workstation perspective; in other words, I'll dwell more or less on the common user.
Let's start by installing the application and then proceed to configure the sudoers file with visudo:
- % su
- # cd /usr/ports/security/sudo ; make install clean
- # visudo /usr/local/etc/sudoers
%wheel ALL=(ALL) ALL
By enabling this line, users in the wheel group will have full root privileges on the computer by providing their password in order to use administrative commands.
If you want users in the wheel group to acquire these privileges without using a password, then uncomment the next line instead:
%wheel ALL=(ALL) NOPASSWD: ALL
sudo can also be used to allow more restrictive usage. For instance, to allow the user freebsduser to mount and unmount /cdrom, the following line could be added to /usr/local/etc/sudoers:
freebsduser ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
To allow members of the users group to shut down the computer, add the following to the sudoers file:
%users localhost=/sbin/shutdown -h now
Add the following line to let user freebsduser access all privileges without entering a password:
freebsduser ALL=(ALL) NOPASSWD: ALL
After editing the sudoers file you'll need to issue a :w! command in visudo as the file is read-only. To use sudo, just prefix the command that needs specific privileges with sudo. For the %wheel ALL=(ALL) ALL example, if you are in the wheel group and want to shut down the computer you'd type:
# sudo shutdown -h now
And enter your password.
Once you enter a correct password, sudo records the time and for the next 5 minutes it won't ask you for a password. After those 5 minutes you must re-authenticate. You can change the timeout value from 5 to another value by setting the password_timeout value in the /usr/local/etc/sudoers file.
Every use of sudo is logged in /var/log/messages, so do take a look and check for yourself.
I've only touched the tip of the iceberg on sudo so do take a look at its man page.
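
As an added example (not part of the original post), here is a small sh/awk function that classifies each rule in a sudoers file by how much it grants, so the unrestricted NOPASSWD: ALL lines shown above stand out from the restricted ones. The names audit_sudoers and demo, the severity labels and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify sudoers rules by privilege granted.
# Prints "<LEVEL> <line-number> <user-or-group>" for every rule in FILE.
audit_sudoers() {
    awk '
    /^[ \t]*#/ { next }                 # comments (include directives are not followed)
    /^[ \t]*$/ { next }                 # blank lines
    /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        who  = $1
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop the (runas) part
        nopw = (spec ~ /NOPASSWD:/)
        gsub(/[A-Z_]+:[ \t]*/, "", spec)          # drop tags such as NOPASSWD:
        all = 0
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "ALL") all = 1
        }
        if (all && nopw) level = "HIGH"       # any command, no password
        else if (all)    level = "MEDIUM"     # any command, password required
        else if (nopw)   level = "REVIEW"     # listed commands, no password
        else             level = "OK"         # listed commands, password required
        printf "%s %d %s\n", level, NR, who
    }' "$1"
}

# Constructed sample file built from the rules discussed in the post.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample
%wheel ALL=(ALL) ALL
freebsduser ALL=(ALL) NOPASSWD: ALL
freebsduser ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users localhost=/sbin/shutdown -h now
EOF
    audit_sudoers "$tmp"
    rm -f "$tmp"
}
demo
```

On FreeBSD, run audit_sudoers /usr/local/etc/sudoers as root. The function does not handle line continuations or expand aliases, so treat its output as a first pass.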
5 comments:
Command to add an existing user ("userlogin") to the wheel group:
$ pw group mod wheel -m userlogin
(Run as root)
Stephan
And...?
I fail to see the relevance of your comment taking into account the post's goal.
The post's focus was on using sudo as an administrative tool instead of just blindly adding users to wheel.
Very helpful article. It provided a lot of insight into setting up sudo, much more than the text book I'm currently reading. I was wondering why I was still getting prompted for the root account password after setting up sudo for a regular user account to view the /var/log/messages file. Turns out after uncommenting the following wheel line the regular user account can now view the file that has root level only access (/var/log/messages) without being prompted for a password.
# Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
Thanks for posting
Most systems have some way of letting ordinary users perform certain tasks as root or some other privileged user. SCO Open Server has "asroot" and can also directly assign "authorizations" such as backup privileges or being able to change other user's passwords. SCO Unixware/Open Unix 8 have a similar facility in "tfadmin".
Many other Unixes, and Linux, use "sudo".
The configuration of sudo is by the /etc/sudoers file. I'm sure that there are more poorly written man pages, but "man sudoers" is among my all time favorites for obfuscation and poor explanation. The creation of the file and the actual use of sudo isn't all that bad though.
Recently I just came across a good article on "Linux"
Here is its link.
Thank you. Very helpful!