Differences between revisions 20 and 21
Revision 20 as of 2010-10-05 02:22:18
Size: 5991
Editor: ?solca
Comment:
Revision 21 as of 2010-10-06 18:48:05
Size: 6003
Comment: grammar
Deletions are marked like this. Additions are marked like this.
Line 12: Line 12:
Strictly speaking, {{{sudo}}} is installed and enabled (if you installed the Desktop task during the installation). However no rights are granted by default in Debian (as opposed to some others distributions). Strictly speaking, {{{sudo}}} is installed and enabled (if you installed the Desktop task during the installation). However no rights are granted by default in Debian (as opposed to some other distributions).
Line 18: Line 18:
(Note: DebianTesting (Squeeze): will introduced a similar tool, [[PolicyKit]], targeted for Desktop/Laptop needs). (Note: DebianTesting (Squeeze): introduced a similar tool, [[PolicyKit]], targeted for Desktop/Laptop needs).
Line 23: Line 23:
 * One don't need root password (sudo prompt for the current user's password).
 * By default, commands are executed as the current user (i.e unprivileged), which avoids mistake. only command prefixed by {{{sudo}}} are executed as root.
 * One does not need the root password (sudo prompt for the current user's password).
 * By default, commands are executed as the current user (i.e unprivileged), which avoids mistakes by having only commands prefixed by {{{sudo}}}, executed as root.
Line 27: Line 27:
For the reasons above, ''switching'' to root using "sudo -i" (or sudo su) is usually deprecated because cancels the above features. For the reasons above, ''switching'' to root using "sudo -i" (or sudo su) is usually deprecated because it cancels the above features.

Translation(s): English - Italiano

(!) ?Discussion


root > sudo


Sudo is a program designed to let system administrators allow some users to execute some commands as root (or another user). The basic philosophy is to give as few privileges as possible but still allow people to get their work done. Sudo is also an effective way to log root activities: who sudo which command, and when.

Sudo isn't enabled by default on Debian

Strictly speaking, sudo is installed and enabled (if you installed the Desktop task during the installation). However no rights are granted by default in Debian (as opposed to some other distributions).

How to execute a command as root: (in a default Debian installation)

  • When you installed the system, you chose a password for the root account.

  • Gnome prompts for that password (for the Administrative account) when you launch a program that configures the system.

  • To execute a command as root, open a terminal as root (Applications > Accessories > Root Terminal), or run su from a regular terminal.

(Note: DebianTesting (Squeeze): introduced a similar tool, PolicyKit, targeted for Desktop/Laptop needs).

Why sudo

Using sudo is better (safer) than opening a session as root, especially for the following reasons:

  • One does not need the root password (sudo prompt for the current user's password).
  • By default, commands are executed as the current user (i.e unprivileged), which avoids mistakes by having only commands prefixed by sudo, executed as root.

  • Auditing/logging: when a sudo command is executed, the original username and the command are logged.

For the reasons above, switching to root using "sudo -i" (or sudo su) is usually deprecated because it cancels the above features.

Configuration overview

Now, if you want to allow certain users to execute certain programs, here's a quick example (for more information, read the fine manual).

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification
User_Alias      MYADMINS = jdoe

# User alias specification

# Cmnd alias specification
Cmnd_Alias      SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt
Cmnd_Alias      PKGMGMT = /usr/bin/dpkg, /usr/bin/apt-get, /usr/bin/aptitude

# User privilege specification

# Users listed above (MYADMINS) can run package managers and reboot the system.
MYADMINS ALL = PKGMGMT, SHUTDOWN

# Users in the group wheel can execute any command impersonating any user.
#%wheel ALL= ALL

#Default rule for root.
root    ALL=(ALL) ALL

Troubles and tweaks

Sorry, user jdoe is not allowed to execute ...

A typical session goes like this:

  • $sudo test
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for jdoe: 
    Sorry, user jdoe is not allowed to execute '/usr/bin/test' as root on localhost.

This messages typically means that the user isn't allowed to execute the action.

sudoers is read-only

Yes, the file /etc/sudoers is set read-only, even for root!

The is because, one must use the command visudo to edit /etc/sudoers.

CVE-2005-4158

With the fix for CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars, the default behaviour of handling environment variables was switched to protect against malicious local users with sudo privileges getting sudo to do more than the malcontent was given privileges to do.

  • sudo (1.6.8p7-1.3) stable-security; urgency=high
    • Non-maintainer upload by the Security Team
    • Reverse the environment semantic by forcing users to maintain a whitelist [env.c, Bug 342948, CVE-2005-4158]

As a result, unless you modify your sudoers file to contain Defaults env_reset, you may experience problems using sudo like the following:

  • E138: Can’t write viminfo file $HOME/.viminfo!
  • dircolors: no SHELL environment variable, and no shell type option given
  • squidview: can't get your home directory, exiting

If you had more complex setups where you meant to pass through environment variables, your work around may be more complex or no longer possible.

Bug: 342948

PASSWD option not working

sudo has a flag called exempt_group which contains a list of groups for which always NOPASSWD is true and setting PASSWD has no effect. On Debian Systems this list consists of the group sudo.

Wrong HOME (and profile settings) behavior

If you are having problems when you sudo to your shell and your HOME (and profile settings) doesn't work as expected because your new HOME is root's homedir you must know that sudo since upstream version 1.7.4 (Debian Squeeze/Sid after Sep/2010) resets all environmental variables in it's new default configuration, to restore the old behavior of reading the users HOME dir you may preserve the HOME environment variable by adding this to your /etc/sudoers configuration file:

Defaults env_keep += HOME

For more info read the upstream list of changes for version 1.7.4

See also