Embedded Files
Version
Version
sudo --version
Usage
Usage
sudo -l
Shows what commands you can run
Matching Defaults entries for myuser on myserver: logfile=/var/log/sudo.log, !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=CONTROL_ROOT, env_keep+=http_proxy, env_keep+=https_proxy, env_keep+=ORACLE_HOME, env_keep+=TNS_ADMIN, env_keep+=DST_REPO_CPAN
User myuser may run the following commands on myserver: (ALL) NOPASSWD: ALL (ALL) NOPASSWD: /bin/vi /etc/my.cnf, /bin/mkdir *, /bin/systemctl enable *, /bin/systemctl disable *, /bin/systemctl status *, /bin/systemctl stop *, /bin/systemctl start *, /bin/journalctl -xe, /usr/bin/mysql * *, /bin/cat *, /bin/zcat *, /usr/bin/mysql_secure_installation, /usr/bin/less *, /usr/bin/more *, /bin/du * *, /bin/yum install *, /bin/yum erase *, /bin/grep * *, /bin/vi /etc/yum.repos.d/paragon.repo, /bin/yum clean all, /bin/dnf module list, /bin/dnf module list, /bin/su - mysql, /usr/sbin/usermod mysql -s /bin/*, /bin/chown mysql* /*, /bin/chown -R mysql* /*, /bin/hostnamectl status
User myuser may run the following commands on myserver: (ALL) NOPASSWD: ALL (ALL) NOPASSWD: /bin/vi /etc/my.cnf, /bin/mkdir *, /bin/systemctl enable *, /bin/systemctl disable *, /bin/systemctl status *, /bin/systemctl stop *, /bin/systemctl start *, /bin/journalctl -xe, /usr/bin/mysql * *, /bin/cat *, /bin/zcat *, /usr/bin/mysql_secure_installation, /usr/bin/less *, /usr/bin/more *, /bin/du * *, /bin/yum install *, /bin/yum erase *, /bin/grep * *, /bin/vi /etc/yum.repos.d/paragon.repo, /bin/yum clean all, /bin/dnf module list, /bin/dnf module list, /bin/su - mysql, /usr/sbin/usermod mysql -s /bin/*, /bin/chown mysql* /*, /bin/chown -R mysql* /*, /bin/hostnamectl status
Configuration & Logging
Configuration & Logging
Configuration is held in:
/etc/sudoers
You should edit this file with:
visudo
On OEL7, the sudo log is found in:/var/log/secure
On AIX, the sudo log is found in:/var/log/sudo.log
To check
cat /var/log/secure | grep patcher
Apr 28 17:25:22 delphi sudo: oracle : TTY=pts/0 ; PWD=/mnt/u01/dba/patcher ; USER=root ; COMMAND=/u01/dba/patcher/perms.shApr 28 17:25:46 delphi sudo: oracle : command not allowed ; TTY=pts/0 ; PWD=/mnt/u01/dba/patcher ; USER=root ; COMMAND=/bin/ls
Running commands as non-login users
Running commands as non-login users
For example, when you install MySQL/Percona Server using yum, by default you get a 'mysql' user with a login shell of /bin/false. It seems like good security to keep things like this. But, what can you do if you need to run something as 'mysql', like cron scheduling a backup? ...
sudo -u mysql -s crontab -l
Examples
Examples
Add a user to the sudo group to allow them to run any command...
usermod -a -G sudo myuser
Assumes this default line is present in /etc/sudoers...%sudo ALL=(ALL:ALL) ALLAdd this line to the /etc/sudoers file (using visudo) to allow user 'oracle' to run /u01/dba/patcher/perms.sh as 'root' on the host 'delphi' without needing a password...
oracle delphi = (root) NOPASSWD: /u01/dba/patcher/perms.sh
Bibliography
Bibliography
Page updated
Google Sites
Report abuse