[ale] sudo tricks and hints

JD jdp at algoloma.com
Thu Aug 14 11:11:07 EDT 2014


+1 - The manpage for "sudoers" is awesome. That tool can be used for all sorts
of cool things. I've done completely amazing things, per user, per group, per
machine with it. You can control which programs, the options to those programs
and which users can use each option.

I don't know how to dynamically change the permissions for a userid. Sorry. That
is NOT one of the things that sudo/sudoers has built-in.  Perhaps using 2
different userids would be a workaround?

On 08/14/2014 08:42 AM, Lightner, Jeff wrote:
> The reason the sudoers file exists IS to be "tinkered" with as necessary.
> 
> Use "visudo" to edit it though - that has a syntax checker built into it.  It also saves a copy of the original so you can go back to it if necessary.
> 
> The main thing is to make sure you are restricting things.   If you're allowing access to scripts especially make sure those are in a location and have permissions so that only root can modify them.   It would be way too easy to add "bash" to the end of a script to make it give you a shell prompt as root.    Similarly don't ever give things like "sudo vi" as vi/vim can escape to the shell.
> 
> Also although sudo itself runs as root remember that some things do NOT need to run as root so making sure you give access to other generic/admin setups might be the way to go.   (e.g. tell it to run the command as mysql user if what you're doing is mysql).
> 
> 
> 
> 
> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Narahari 'n' Savitha
> Sent: Wednesday, August 13, 2014 6:48 PM
> To: Atlanta Linux Enthusiasts - Yes! We run Linux!
> Subject: [ale] sudo tricks and hints
> 
> Friends:
> 
> I am trying to use sudo effectively.  The scenario is I have a box where I can get super powers for the duration of a script running.  It works ok but what I have found is that I can put a <userid> in the sudoers file with permission to run any script(s) from a given folder.  But that requires me to mod the sudoers file.  Is there any other mechanism that I can get granted the superpowers for a brief while and then taken away from me?  I really don't like tinkering with sudoers file.
> 
> -S
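
Added example (not part of the thread): one way to check the advice quoted above that scripts allowed through sudoers sit in a location, and carry permissions, that only root can modify. The names `unsafe_component` and `audit_sudo_target` and the optional OWNER and TOP arguments are hypothetical helpers written for this illustration, not part of sudo.

```shell
#!/bin/sh
# Added example. Function names and the optional OWNER/TOP arguments are
# hypothetical, not part of sudo.

# unsafe_component PATH OWNER
# Succeeds if PATH is not owned by OWNER, or is writable by group or others.
# -L checks a symlink's target; -prune keeps find from descending.
unsafe_component() {
    [ -n "$(find -L "$1" -prune \
        \( ! -user "$2" -o -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# audit_sudo_target PATH [OWNER] [TOP]
# Checks PATH and every directory above it, up to TOP (default /). A writable
# parent directory matters as much as a writable script, because whoever can
# write to the directory can replace the script.
# Prints one "UNSAFE: ..." line per bad component.
# Returns 0 if clean, 1 if anything is unsafe, 2 if PATH does not exist.
audit_sudo_target() {
    path=$1 owner=${2:-root} top=${3:-/} rc=0
    [ -e "$path" ] || { echo "missing: $path" >&2; return 2; }
    case $path in /*) ;; *) path=$PWD/$path ;; esac
    while :; do
        if unsafe_component "$path" "$owner"; then
            echo "UNSAFE: $path"
            rc=1
        fi
        if [ "$path" = "$top" ] || [ "$path" = / ]; then break; fi
        path=$(dirname "$path")
    done
    return "$rc"
}

# Command-line use: pass the script path named in the sudoers entry.
if [ "$#" -gt 0 ]; then
    audit_sudo_target "$@"
fi
```

Run it against each script path before adding the entry with visudo; any `UNSAFE:` line names a file or directory that someone other than root could change.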

