LinuxQuestions.org
Old 12-03-2012, 04:29 PM   #1
acunacha
LQ Newbie
 
Registered: Nov 2012
Posts: 15

Rep: Reputation: Disabled
Using Sudo


Hi,

I am new to administering a system with Linux (I am specifically using SUSE 11).

I have a couple of questions:

1- If I want to allow a specific user (let's call him "webadmin") to manage all web server config tasks as if he were root, using sudo, how would I do that?

For example, I want to give him access to the yast2 http-server module (which I think is /usr/share/YaST2/clients/http-server), but he does not have to have access to any other yast2 modules.
Also, he has to have root permissions of using vi to modify all apache config files under /etc/apache2/
Also, he should have root access to /etc/init.d/apache2 for him to handle the daemon as he wants.

How would I do that configuring the sudoers file?

Thanks in advance,

Diego
 
Old 12-03-2012, 04:48 PM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4853
I don't know about YAST (not a Suse user), but to let a specific user (or group) modify files in specific places, file permissions are a much better approach than sudo.
 
Old 12-03-2012, 05:07 PM   #3
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
If he can modify web configs (for services started as root) he can get root anyway - might as well give him "su -" access via sudo.
 
Old 12-03-2012, 05:29 PM   #4
thelastquincy
LQ Newbie
 
Registered: Apr 2009
Location: Chico, CA
Distribution: Ubuntu 10.10
Posts: 9

Rep: Reputation: 1
Add him to the wheel group
 
Old 12-03-2012, 05:38 PM   #5
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4853
Quote:
Originally Posted by linosaurusroot
If he can modify web configs (for services started as root) he can get root anyway - might as well give him "su -" access via sudo.
On my Debian system Apache is running as user www-data, not root. I assume that this will be something similar on Suse, so this doesn't apply, I would think.


Quote:
Originally Posted by thelastquincy
Add him to the wheel group
Even if this is considered a joke, it is really bad advice, especially given to a newbie, who might not see that this is bad advice. This will give the user total root access, if sudo is configured that way.
Don't do that.
 
Old 12-03-2012, 11:10 PM   #6
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
Quote:
Originally Posted by TobiSGD
On my Debian system Apache is running as user www-data, not root. I assume that this will be something similar on Suse, so this doesn't apply I would think.
On port 80, which usually requires root to bind to it? So httpd starts as root and reads the config files (to find out what user to run as, what port to listen to, what directory to use as cgi-bin and so on). Then it uses those details (binds to port 80 and switches uid to www-data).

But to someone who can change the config file and get httpd restarted they can get it to run cgi programs of their choice as the account of their choice (perhaps not root in modern apache). Running your choice of commands as bin is usually enough to get root though because lots of system s/w is installed as bin and root runs it.
 
Old 12-03-2012, 11:16 PM   #7
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4853
I see, thanks for the clarification.
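
Added example (not written by any poster in this thread): a sudoers fragment that scopes the delegation asked about in post #1 to named commands, with the "run vi as root" form shown commented out beside the sudoedit form. The user name webadmin, /etc/init.d/apache2 and /etc/apache2/ come from the thread; the /sbin/yast2 and /usr/bin/vi paths, the listed config file names and the drop-in file location are assumptions to adjust for the actual system.

```sudoers
# /etc/sudoers.d/webadmin   (assumed location; needs "#includedir /etc/sudoers.d"
# in /etc/sudoers, otherwise add these lines to /etc/sudoers itself).
# Always edit with visudo, e.g.:  visudo -f /etc/sudoers.d/webadmin

# If the main sudoers file sets "Defaults targetpw" (sudo then asks for root's
# password), make webadmin authenticate with his own password instead.
Defaults:webadmin !targetpw

# Weak form, kept only for comparison: the editor process itself runs as root,
# and an editor running as root can start other programs as root.
# webadmin ALL = (root) /usr/bin/vi /etc/apache2/*

# Preferred form: sudoedit runs the editor as webadmin on a temporary copy and
# only the write-back of the named file is done as root.
# File names are illustrative; list each file explicitly rather than a wildcard.
Cmnd_Alias APACHE_EDIT = sudoedit /etc/apache2/httpd.conf, \
                         sudoedit /etc/apache2/listen.conf, \
                         sudoedit /etc/apache2/default-server.conf

# Init script with explicit actions only, so no other arguments are accepted.
Cmnd_Alias APACHE_CTL  = /etc/init.d/apache2 start, \
                         /etc/init.d/apache2 stop, \
                         /etc/init.d/apache2 restart, \
                         /etc/init.d/apache2 reload, \
                         /etc/init.d/apache2 status

# Only the one YaST module (launcher path is an assumption).
Cmnd_Alias APACHE_YAST = /sbin/yast2 http-server

webadmin ALL = (root) APACHE_EDIT, APACHE_CTL, APACHE_YAST

# As post #6 points out, httpd starts as root and reads these files, so this
# narrows which commands webadmin can run and logs them through sudo; it does
# not make the account harmless. Treat it as a privileged account.
```

Check the file with "visudo -c" before relying on it, and confirm the result as the user with "sudo -l".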
 
  

