The sudoers file is well commented. There is an example allowing users to mount the cdrom device as root without a password.
For mounting and unmounting filesystems, use the "users" or "user" option. The mount command is an SUID program. However, it only allows a regular user to mount a filesystem if the "user" or "users" option is used.
For removable devices such as pendrives, use the label or uuid instead of the device.
For other commands in sudoers, be very explicit with the command allowed. Include the full pathname to the command.
You can configure sudo so that members of a certain group can use it after entering their own password. This way, you don't have to distribute the root password, but a third party who has physical access to a group member's computer won't be able to run a command as root without knowing the user's password.
You can also forbid certain commands such as "sudo /bin/bash" which would give the user unrestricted and unlogged root access. Also be careful with commands like vim which have shell escapes. Only allow rvim which starts vim in the restricted mode; it won't be possible to execute commands or suspend rvim.
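The rules described in this post, written out as a sudoers drop-in. This is an added example, not from the original post: the group name "admins", the alias names, the mount point /mnt/cdrom and the path /usr/bin/rvim are assumptions.

```sudoers
# /etc/sudoers.d/admins  (edit only with: visudo -f /etc/sudoers.d/admins)
# Added example; "admins", the aliases and the paths below are assumptions.

# Members authenticate with their OWN password (sudo's default, i.e. no
# "targetpw"), and every invocation is logged.
Defaults:%admins    timestamp_timeout=5, logfile=/var/log/sudo.log

# Full pathnames only; any arguments given here are part of the match,
# so "/bin/mount /mnt/cdrom" does not permit "/bin/mount /dev/sda1 /".
Cmnd_Alias MOUNT_CD  = /bin/mount /mnt/cdrom, /bin/umount /mnt/cdrom
Cmnd_Alias EDIT_SAFE = /usr/bin/rvim            # restricted vim: no :! or suspend
Cmnd_Alias SHELLS    = /bin/sh, /bin/bash, /usr/bin/vim

# Allow-list form: admins may run only these commands as root.
%admins ALL = (root) MOUNT_CD, EDIT_SAFE

# Deny-list form for "allow everything but a root shell". sudoers(5) itself
# notes that a user with ALL can copy bash to another name, so treat this
# as a logging aid rather than a boundary; prefer the allow-list above.
# %admins ALL = (root) ALL, !SHELLS

# The cdrom case from the commented sample: no password needed.
%users  ALL = (root) NOPASSWD: MOUNT_CD
```

Check the file with `visudo -c` before relying on it; a syntax error in a drop-in locks everyone out of sudo.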
Another way may be setting SUID bit. Which solution is best depends on what you need to do.
This is dangerous because any user will be able to run the command as root. Not just members of a certain group.
Some commands are already SUID programs, and take measures to prevent abuse. For example, the passwd and mount commands. The passwd command is SUID to allow regular users to change their own passwords, which requires write access to /etc/passwd. An entry in /etc/fstab with the "user" or "users" option will allow the owner or any user respectively to mount the filesystem.* The /etc/fstab then becomes the controlling mechanism for the suid mount program. Only go the SUID route if the command is already suid for a good reason and limits what is done as root (or a system user). Programs like mount and passwd are written with safeguards built in. Setting the suid bit on a program not designed with its own controlling mechanisms is a very bad idea and shouldn't be done.
For other commands, you can add entries in /etc/sudoers (via the visudo program) to allow group members or regular users to run certain commands as root. You need to be explicit with the command. For example, include the path to the command and any arguments you require. The CDROM mounting commented sample is one example.
If you want to allow some members, such as %admin members, to use sudo on any command, but want everything logged, you can forbid certain commands, such as "sudo /bin/bash". Also, some commands have shell escapes. Forbid them but allow safer alternatives. For example, using vim is essential for administrative work, but you can allow rvim instead. Rvim doesn't allow executing commands or suspending.
Also, consider configuring sudo to use the user's password instead of the root password. That way you don't need to distribute the root password, but are protected from a 3rd party gaining physical access to an open console. You need to enforce strong passwords then, so that an %admin member doesn't have an easy-to-guess password.
* For removable devices, I would recommend using the label or uuid instead of the device in the fstab line for that device. The "user" option combined with the "UUID=" entry will allow a normal user to mount the device regardless of which port was used, provided he is the owner of the filesystem (same uid) or for fat32 drives is listed in the "uid=UID/username" mount option.
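The fstab entries this footnote describes, as an added example that is not part of the original post. The UUIDs, mount points and uid/gid values are constructed placeholders.

```fstab
# /etc/fstab excerpt (added example; UUIDs, mount points and ids are constructed)
#
# Identify removable media by filesystem UUID so the entry follows the
# device rather than whichever /dev/sdX name it gets on a given port.
#   user   : a normal user may mount it, and only that user may unmount it
#   users  : any user may mount or unmount it
#   noauto : not mounted at boot
# "user" already implies noexec,nosuid,nodev (see mount(8)); they are spelled
# out so the intent survives if someone later adds an overriding option.
#
# FAT32 pendrive: the filesystem has no owner, so uid=/gid= says who owns the
# files once mounted, which is what lets that user write to it.
UUID=1A2B-3C4D   /media/stick   vfat     user,noauto,uid=1000,gid=1000,noexec,nosuid,nodev  0 0

# ext4 backup disk: ownership comes from the filesystem itself, so no uid= needed.
UUID=6f1c2a9e-0000-4000-8000-000000000001  /media/backup  ext4  user,noauto,noexec,nosuid,nodev  0 0

# The cdrom case from the sudoers sample: read-only, any user may mount it.
/dev/sr0         /mnt/cdrom     iso9660  ro,users,noauto  0 0
```

After editing, `mount -a` as root with the entries present but `noauto` set is a cheap syntax check, and a regular user can then run `mount /media/stick` without sudo at all.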