Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm running a system that recently I started sharing with my roomies. I'd like to give them sudoer powers, so they can actually do things (i'm running Mint 5) but I'd also like to keep them from getting into some of my stuff in ( '/home/USER/foo' for instance ). Is there a way where I can protect certain directory trees from the sudoer list?
You can try setting up SELinux, but the best thing to do is to not give people super user access. I really can't imagine why anyone would need root access except for the sysadmin.
Besides, 'sudo' is evil incarnate because if those people have poor passwords, share passwords or whatever, if someone gets into their account they have instant root access with absolutely no effort - they don't even have to guess the root password because sudo doesn't care about that.
@ Pinniped: you're assuming that you give the other users global superuser privileges through sudo, but you don't have to do that. Some distros enter user ALL=(ALL) ALL, but you can use sudo much more surgically to give regular users on a shared system some powers, but not others. For example, I use this setup to let my regular user (me) shutdown, reboot and fiddle with the internet configuration without a password at all:
Code:
# Cmnd alias specification
Cmnd_Alias HALT = /sbin/shutdown
Cmnd_Alias REBOOT = /sbin/reboot
Cmnd_Alias NET = /sbin/iwconfig, /sbin/ifconfig, /sbin/ifup, /sbin/ifdown
# User privilege specification
root ALL=(ALL) ALL
telemachus ALL=NOPASSWD: HALT, REBOOT, NET
Obviously, I have reason to trust myself, but I could force the user to give a password or limit the commands even more. Sudo itself isn't evil; like anything else, some people misuse it.
@ Ktek: First, think about your sentence "I'd like to give them sudoer powers, so they can actually do things." Regular users already can do plenty without root privileges - in fact, they can do nearly everything they need to do. What exactly do you want for them that they can't get at now? After you figure out the things you want to open up for them, read through man sudoers carefully to see how you can give some but not all privileges to users.
I agree with pinniped. First, I don't think there is a way under the sun to make root not being root. Second, it's simply a wrong approach - you should create a new group instead, say "powerusers", and give them the exact permissions you want them to have.
I agree with pinniped. First, I don't think there is a way under the sun to make root not being root. Second, it's simply a wrong approach - you should create a new group instead, say "powerusers", and give them the exact permissions you want them to have.
You don't understand: sudo can do exactly what you just asked for with your powerusers group. The way that Ubuntu uses sudo is not the only way to use it. You can use sudo to give specific, limited powers. Entering someone on the sudoers list does not necessarily make them root.
Edit - if you look at my sudoers file above, you will see that the user telemachus has some privileges (reboot, shutdown, etc.), but he isn't root. He can't edit /etc/apt/sources.list, he can't delete all the binaries in /bin, etc. Read man sudoers.
Last edited by Telemachos; 11-22-2008 at 06:19 AM.
Thanks for pointing out that 'sudo' doesn't mean absolute root access. However, on most machines I still wouldn't give people rights to fiddle with the network or shut down the computer. I guess if you want the computer shut down after someone uses it you could give them such a privilege but I never trust people not to do something like a remote reboot or shutdown. Well, it's a (mostly) free world and people can do as they please with their own computers.
Thanks for pointing out that 'sudo' doesn't mean absolute root access. However, on most machines I still wouldn't give people rights to fiddle with the network or shut down the computer.
I completely agree. The user in this case is me, so I trust him. I wanted to show that sudo isn't all or nothing. You can choose any set of commands, specify one user or a group, and you can also control what password they use to get the privileges (their user password or a root password or a distinct user password, etc.). The example was just a random example, since I had it handy on this machine.
Bottom line for me: sudo is far more powerful than people imagine.
If you choose to let them edit things make sure you only give them a restricted editor otherwise they'll just be able to shell out and do whatever anyway.
@ Pinniped and JosipBroz: I know, root is root. I wasn't asking how to limit root. I was asking about sudo.
I also know that sudo has potential for flagrant abuse. However it's the way my distro is configured, and I'm still too new at this to really know how to effectively personalize my system. I don't think I'll be sticking with mint long enough to really justify deep personalization anyway. It's a rebound distro after battling to install gentoo for a few days, >.< (I learned a lot during that ordeal, including that gentoo users are liars :P "it's really not all that difficult to set up, you just have to read the manual...") and it's on the way out for me.
@ telemachos: Thanks for the tips.
@ estabroo: Where could I read more about shell/editors?
ktek take a look at rvi and rvim, essentially just vi/vim with restrictions like no shell escapes, you also might want to look at rbash which lets you put further restrictions on what can be done in a shell.
As per the last para of post #3, what do they NEED to do that they can't do anyway. Do you really need to give them sudo (of any cmd)?. It seems unlikely.
I think actually, that Telemachos answered all my sudo questions.
Anyway, regarding gentoo, I agree that they are excellent documents. It's just that earnest desire to get it started, and obsessive adhesion step by step is apparently not sufficient to conquer the deep and ancient evil of gentoo installation. XD
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.