Thursday, May 08, 2008

Setting up sudo

su and sudo don't come set up out of the box with Debian Etch (for good reasons, I guess), so I had to set it up myself. The way I want su and sudo to work is:

Let me run any command as root, but only when I supply the root password
Always prompt me to supply the root password. This is different from the default sudo behaviour.

The example sudoers files I dug up on the net were complex, but didn't really answer my query about how to run it as described above, so after some digging and head-scratching, this is the sudoers file I came up with (you only edit sudoers with the visudo command):

Defaults env_reset,runaspw,timestamp_timeout=0

# User privilege specification
root ALL=(ALL) ALL
myuser ALL=(root) ALL

The syntax for each line in sudoers is:
initialuser network = (targetuser) commands
The initialuser is the logged-in user who will be sudo'ing to the targetuser. In this case it's a user called myuser, so replace that with the user you log in as. By specifying ALL you're allowing the user to sudo on any network interface currently active. (root) means you want to run as the root user, and the final ALL means you can run any command as root.

There are two important additions to the Defaults entry. runaspw indicates that you want to be prompted for the targetuser's password, not your own. timestamp_timeout=0 means that every time you sudo you will have to provide the password; otherwise, for a certain time after authenticating, you can run sudo again without being prompted for the password.
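A later Defaults line, or one scoped to a single user, can silently undo either setting, so it is worth checking what a sudoers file actually ends up with. The script below is an added example, not part of the original post; the function names sudoers_flags and check_policy are hypothetical, the sample file is constructed, and the parser is simplified (it does not handle quoted values containing "," or "#").

```sh
#!/bin/sh
# Added example (not from the original post): audit a sudoers file for the
# two Defaults the post relies on. Simplified parser: quoted values that
# contain "," or "#" are not handled.

# Print "runaspw=<on|off> timestamp_timeout=<value|unset> scoped=<count>".
sudoers_flags() {
    awk '
    BEGIN { pw = "off"; tt = "unset"; scoped = 0 }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join continued lines
    { line = buf $0; buf = ""; sub(/[ \t]*#.*$/, "", line) }
    # Per-user/host/runas/command Defaults can override the global ones.
    line ~ /^Defaults[:@>!]/ && line ~ /runaspw|timestamp_timeout/ { scoped++ }
    line !~ /^Defaults[ \t]/ { next }
    {
        sub(/^Defaults[ \t]+/, "", line)
        n = split(line, opt, ",")
        for (i = 1; i <= n; i++) {               # later entries win
            o = opt[i]; gsub(/^[ \t]+|[ \t]+$/, "", o)
            if (o == "runaspw") pw = "on"
            else if (o == "!runaspw") pw = "off"
            else if (o ~ /^timestamp_timeout[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", o); tt = o
            }
        }
    }
    END { printf "runaspw=%s timestamp_timeout=%s scoped=%d\n", pw, tt, scoped }
    ' "$1"
}

# Succeed only when the target user password is required on every run
# and no scoped Defaults entry touches either option.
check_policy() {
    [ "$(sudoers_flags "$1")" = "runaspw=on timestamp_timeout=0 scoped=0" ]
}

# Constructed sample: the post's Defaults, then a later line that undoes them.
tmp=$(mktemp)
printf '%s\n' 'Defaults env_reset,runaspw,timestamp_timeout=0' \
    'myuser ALL=(root) ALL' > "$tmp"
check_policy "$tmp" && echo "ok: $(sudoers_flags "$tmp")"
printf '%s\n' 'Defaults !runaspw, timestamp_timeout=15' >> "$tmp"
check_policy "$tmp" || echo "weakened: $(sudoers_flags "$tmp")"
rm -f "$tmp"
```

Run it against a copy of the file rather than as a replacement for visudo's own syntax check.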

For a single machine with mostly a single user this is a useful sudoers setup. If I feel the need to add anything more useful I'll post it.

Links:
http://www.gratisoft.us/sudo/man/sudoers.html man page for sudoers
http://www.sudo.ws/sudo/sample.sudoers Example sudoers file
