####[ How-Do-I Documents ]######################################

Sub : Sudo usage                                        HDI #005

How-Do-I give access to selected users on my system to some of
the programs (like wvdial) so that root privileges are no longer
needed for them ?

################################################################

1   Introduction

1.1 The cleanest method of running such programs is to use the
    utility sudo. This allows a permitted user to execute a
    command as the superuser or another user, as specified in
    the sudoers file. The real and effective uid and gid are set
    to match those of the target user as specified in the passwd
    file. sudo determines who is an authorized user by
    consulting /etc/sudoers.

1.2 Sudo is standard with most distros. At any rate sudo can be
    found at:

    http://www.courtesan.com/sudo/

2   Why this HDI has been written

2.1 The main problem with the man command is that it's a bit too
    terse for average users, and most do not make much headway
    from the information furnished. The best method is, perhaps,
    an actual example.

2.2 There is nothing original in this HDI. It is only an attempt
    to explain things with an actual example. In this case we
    will take the program wvdial as a sample to explain how the
    utility works.

3   Getting to do the thing (visudo)

3.1 Use of sudo is the prerogative of the sysadmin, who decides
    who is to be given access to a particular program or
    utility. The program therefore needs to be run as root (or
    super-user). It creates /etc/sudoers. It is interesting to
    note that this file has permissions like:

    -r--r----- 1 root root 294 Jun 19 2000 /etc/sudoers

3.2 In other words, nobody (inclusive of root) has write access
    to this file. To enable writing to it, a special editor
    called "visudo" needs to be run as root. This has normal
    "vi" key bindings. This editor is bundled with the sudo
    package, and need not be installed as an add-on from
    anywhere.
4   Writing /etc/sudoers

4.1 As root, invoke `visudo` and add these lines (for enabling
    wvdial for selected users) :-

----------------------<snip>-----------------------
# add the next line to the "User alias specification"
# section, adding the desired users.

User_Alias WVDIALUSERS=user1,user2,user3

# add the next line to the "Cmnd alias specification"
# section, where /path/ is the correct path to the
# wvdial program

Cmnd_Alias WVDIALCMD=/path/wvdial

# add the next line to the "User privilege specification"
# section.

WVDIALUSERS ALL=NOPASSWD:WVDIALCMD
----------------------</snip>----------------------

4.2 That is about all there is to it. When you exit out of the
    edit session with :wq, all changes are automatically saved
    in the /etc/sudoers file. DO NOT edit this file with any
    other method.

4.3 Now all the listed users in "WVDIALUSERS" may run wvdial
    with the command:

    'sudo wvdial'

4.4 Note that we have introduced user-defined variables here,
    like WVDIALUSERS and WVDIALCMD. This makes the sudoers file
    configurable for different programs having alternate sets of
    user names.

4.5 Suppose now you want to add another set of users to be
    permitted to shut down a Linux box. Just append lines below
    the appropriate sections (listing as many users as needed)
    as:

    User_Alias SHUTDOWNUSERS=user1,user3,user7
    Cmnd_Alias SHUTDOWNCMD=/path/shutdown -h now
    SHUTDOWNUSERS ALL=NOPASSWD:SHUTDOWNCMD

5   Other sudo commands

5.1 After amending the /etc/sudoers file and rebooting, there
    may be a need to know who all are permitted to use other
    "forbidden" commands. Type in as root:

    # sudo -l

5.2 Check out "man sudo" for other available options.

################################################################

6   Kudos and Brickbats

6.1 This document is released under GNU/GPL license. You are
    free to use and distribute this without any encumbrances.

6.2 Any kudos and brickbats should be directed at:

    USM Bish <bish@nde.vsnl.net.in>
    29 Oct 2001
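
Added example (not part of the original HDI or of the sudo package): the NOPASSWD entries in section 4 run whatever sits at the Cmnd_Alias path as root, so that file should be root-owned and not writable by anyone else. The function names and the optional owner-uid argument below are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not part of the original HDI.
# Audits the Cmnd_Alias paths of a sudoers fragment before it is installed.

# Print each command path named on a Cmnd_Alias line, one per line.
# Simplification: one alias per line, no line continuations; arguments
# after the path (e.g. "-h now") are dropped.
cmnd_paths() {
    sed -n 's/^[[:space:]]*Cmnd_Alias[[:space:]]\{1,\}[A-Z][A-Z0-9_]*[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' |
        awk 'NF { print $1 }'
}

# Succeed only if $1 is an absolute path to an existing file that is owned
# by uid $2 (default 0, root) and not writable by group or others.
path_is_safe() {
    case "$1" in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 1 ;;
    esac
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    listing=$(ls -ldnL -- "$1")
    perms=$(printf '%s\n' "$listing" | cut -c1-10)
    owner=$(printf '%s\n' "$listing" | awk '{ print $3 }')
    if [ "$owner" != "${2:-0}" ]; then
        echo "owned by uid $owner: $1" >&2; return 1
    fi
    case "$perms" in
        ?????w????|????????w?)
            echo "writable by group or others ($perms): $1" >&2; return 1 ;;
    esac
    return 0
}

# Audit every command in fragment $1; non-zero if any path fails.
# $2 is the expected owner uid, passed through to path_is_safe.
audit_fragment() {
    rc=0
    for p in $(cmnd_paths "$1"); do
        path_is_safe "$p" "${2:-0}" || rc=1
    done
    return "$rc"
}
```

Save the planned lines to a scratch file and run `audit_fragment scratchfile`; `visudo -c -f scratchfile` then checks the syntax before the lines are added with visudo.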