| 1 | <?xml version='1.0' encoding="UTF-8"?> |
1 | <?xml version='1.0' encoding="UTF-8"?> |
| 2 | |
2 | |
| 3 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/sudo-guide.xml,v 1.12 2008/05/19 20:45:27 swift Exp $ --> |
3 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/sudo-guide.xml,v 1.13 2011/08/14 17:58:50 swift Exp $ --> |
| 4 | |
4 | |
| 5 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
5 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
| 6 | |
6 | |
| 7 | <guide link="/doc/en/sudo-guide.xml"> |
7 | <guide link="/doc/en/sudo-guide.xml"> |
| 8 | <title>Gentoo Sudo(ers) Guide</title> |
8 | <title>Gentoo Sudo(ers) Guide</title> |
| … | |
… | |
| 20 | |
20 | |
| 21 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
21 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
| 22 | <!-- See http://creativecommons.org/licenses/by-sa/2.5 --> |
22 | <!-- See http://creativecommons.org/licenses/by-sa/2.5 --> |
| 23 | <license/> |
23 | <license/> |
| 24 | |
24 | |
| 25 | <version>1.6</version> |
25 | <version>2</version> |
| 26 | <date>2006-07-14</date> |
26 | <date>2011-08-13</date> |
| 27 | |
27 | |
| 28 | <chapter> |
28 | <chapter> |
| 29 | <title>About Sudo</title> |
29 | <title>About Sudo</title> |
| 30 | <section> |
30 | <section> |
| 31 | <title>Granting Permissions</title> |
31 | <title>Granting Permissions</title> |
| … | |
… | |
| 42 | <p> |
42 | <p> |
| 43 | With <c>sudo</c> you can make a clear list <e>who</e> can execute a certain |
43 | With <c>sudo</c> you can make a clear list <e>who</e> can execute a certain |
| 44 | application. If you would set the setuid bit, any user would be able to run this |
44 | application. If you would set the setuid bit, any user would be able to run this |
| 45 | application (or any user of a certain group, depending on the permissions used). |
45 | application (or any user of a certain group, depending on the permissions used). |
| 46 | You can (and probably even should) require the user to provide a password when |
46 | You can (and probably even should) require the user to provide a password when |
| 47 | he wants to execute the application and you can even fine-tune the permissions |
47 | he wants to execute the application. |
| 48 | based on the user's location: logged on from the system itself or through SSH |
|
|
| 49 | from a remote site. |
|
|
| 50 | </p> |
48 | </p> |
| 51 | |
49 | |
| 52 | </body> |
50 | </body> |
| 53 | </section> |
51 | </section> |
| 54 | <section> |
52 | <section> |
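Review bot: With the location clause dropped at new line 47, this introductory paragraph no longer mentions hosts at all, while the syntax section further down still presents "user host = commands". Consider adding one short sentence here saying that a rule can be limited to particular machines by hostname, so the reader knows what the host field is for before reaching it, and so that readers of the earlier version do not keep assuming that sudo distinguishes a local login from an SSH login.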
| … | |
… | |
| 118 | user host = commands |
116 | user host = commands |
| 119 | </pre> |
117 | </pre> |
| 120 | |
118 | |
| 121 | <p> |
119 | <p> |
| 122 | This syntax tells <c>sudo</c> that the user, identified by <e>user</e> and |
120 | This syntax tells <c>sudo</c> that the user, identified by <e>user</e> and |
| 123 | logged on through the system <e>host</e> can execute any of the commands listed |
121 | logged in on the system <e>host</e> can execute any of the commands listed |
| 124 | in <e>commands</e> as the root user. A more real-life example might make this |
122 | in <e>commands</e> as the root user. A more real-life example might make this |
| 125 | more clear: allow the user <e>swift</e> to execute <c>emerge</c> if he is logged |
123 | more clear: allow the user <e>swift</e> to execute <c>emerge</c> if he is logged |
| 126 | on from the system (not through SSH): |
124 | in on localhost: |
| 127 | </p> |
125 | </p> |
| 128 | |
126 | |
| 129 | <pre caption="Live /etc/sudoers examples"> |
127 | <pre caption="Live /etc/sudoers examples"> |
| 130 | swift localhost = /usr/bin/emerge |
128 | swift localhost = /usr/bin/emerge |
| 131 | </pre> |
129 | </pre> |
|
|
130 | |
|
|
131 | <note> |
|
|
132 | The hostname must match what the <c>hostname</c> command returns. |
|
|
133 | </note> |
| 132 | |
134 | |
| 133 | <p> |
135 | <p> |
| 134 | A <brite>big warning</brite> is in place though: do not allow a user to run an |
136 | A <brite>big warning</brite> is in place though: do not allow a user to run an |
| 135 | application that can allow people to elevate privileges. For instance, allowing |
137 | application that can allow people to elevate privileges. For instance, allowing |
| 136 | users to execute <c>emerge</c> as root can indeed grant them full root access |
138 | users to execute <c>emerge</c> as root can indeed grant them full root access |
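Review bot: The note added at new lines 131-133 and the example it follows disagree. The note says the hostname must match what the hostname command returns, but new line 128 still reads "swift localhost = /usr/bin/emerge" and new lines 123-124 still say "logged in on localhost". On a system whose hostname output is anything other than localhost, that rule will not match, so a reader who copies the example gets a rule that silently does not apply. Suggest replacing localhost in the example with an obvious placeholder host name, rewording the sentence to say the rule applies on that system, and extending the note to state that the host field names the machine sudo runs on, not the place the user connected from.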