Chapter 4. Workstation Security
39
Next, open the PAM configuration file for su, /etc/pam.d/su, in a text editor and remove the comment [#] from the following line:

    auth required /lib/security/pam_wheel.so use_uid

Doing this will permit only members of the administrative group wheel to use the program.

Note
The root user is part of the wheel group by default.
4.4.3.2. The sudo Command

The sudo command offers another approach for giving trusted users administrative access. When a trusted user precedes an administrative command with sudo, he is prompted for his password. Then, once authenticated and assuming that the command is permitted, the administrative command is executed as if by the root user.
The basic format of the sudo command is as follows:

    sudo command

In the above example, command would be replaced by a command normally reserved for the root user, such as mount.
Important
Users of the sudo command should take extra care to log out when they walk away from their machine, since sudoers can use the command again without being asked for a password until a five minute period has passed. This setting can be altered via the configuration file, /etc/sudoers.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command, and the command is executed in their shell, not root's. This means the root shell can be completely disabled, as shown in Section 4.4.2.1.
The sudo command also provides a comprehensive audit trail. Each successful authentication is logged to the file /var/log/messages, and the command that was issued, along with the issuer's user name, is logged to the file /var/log/secure.
Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.
All commands executed via sudo are recorded in the /var/log/secure file, as well as all attempts to use the sudo command.
Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command.
To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:

    juan ALL=(ALL) ALL

This example states that the user juan can use sudo from any host and execute any command.
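The audit trail described above is only useful if someone reads it. The following added example (not part of the guide) pulls sudo entries out of /var/log/secure-style lines, separating successful invocations (user, target account, command) from rejected attempts and their reason. The sample lines are constructed to follow sudo's usual syslog layout; the hostnames, users and commands are made up.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (not real log data). Successful
# sudo entries look like:  <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>
# Rejected ones carry a reason before the TTY field, e.g. "user NOT in sudoers".
SAMPLE_LOG='Jan 12 10:00:01 ws1 sudo:     juan : TTY=pts/0 ; PWD=/home/juan ; USER=root ; COMMAND=/bin/mount /dev/sdb1 /mnt
Jan 12 10:02:17 ws1 sudo:    maria : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/maria ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 12 10:05:40 ws1 sudo:     juan : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/juan ; USER=root ; COMMAND=/bin/su -
Jan 12 10:06:02 ws1 sshd[1234]: Accepted password for juan from 192.0.2.10 port 5022 ssh2
Jan 12 10:07:11 ws1 sudo:     juan : TTY=pts/0 ; PWD=/home/juan ; USER=root ; COMMAND=/usr/sbin/visudo'

# Parse sudo entries read from stdin. mode "ok" prints successful invocations as
# "user<TAB>target<TAB>command"; mode "fail" prints rejections as "user<TAB>reason".
_parse_sudo() {
    awk -F' ; ' -v mode="$1" '
        index($0, " sudo: ") == 0 { next }          # skip sshd and other non-sudo lines
        {
            head = $1
            sub(/^.* sudo: +/, "", head)             # -> "<user> : <TTY=...|reason>"
            split(head, hp, " : ")
            user = hp[1]; first = hp[2]
            target = ""; cmd = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^USER=/) target = substr($i, 6)
                if ($i ~ /^COMMAND=/) {
                    # COMMAND is the last field; re-join anything split off a " ; " inside it
                    cmd = substr($i, 9)
                    for (j = i + 1; j <= NF; j++) cmd = cmd " ; " $j
                    break
                }
            }
            ok = (first ~ /^TTY=/)                   # a real TTY field means sudo allowed it
            if (mode == "ok" && ok)    printf "%s\t%s\t%s\n", user, target, cmd
            if (mode == "fail" && !ok) printf "%s\t%s\n", user, first
        }'
}

sudo_commands() { _parse_sudo ok; }
sudo_failures() { _parse_sudo fail; }

# Stand-alone run: list what was executed via sudo, then who was refused and why.
printf '%s\n' "$SAMPLE_LOG" | sudo_commands
printf '%s\n' "$SAMPLE_LOG" | sudo_failures
```

On a live system replace the sample with `sudo_commands < /var/log/secure`; repeated "incorrect password attempts" entries for one user are the lines worth alerting on.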