Sudo asked for root password

I have tried to use a sudo command from a user level, but instead of asking for the user password it asked for the root password. How should I go about it?

james@opensuse:/etc> sudo ifconfig
root's password:

And I wish to ask how I should allow a list of commands to be used by members of a particular group in the sudoers file. I don't know how to formulate it in the below code from the sudoers file:

# User privilege specification

root ALL=(ALL) ALL

Hi,

Interesting. I hadn't heard of this before, but from some quick Googlings it seems that this is the default behaviour of sudo on openSUSE. If you edit the sudoers file you'll probably find a line like this:

Defaults targetpw

If you comment that line out, then sudo should prompt for the user's own password rather than the password for the root account.

On to your second point, specifying commands a user or group can run. That can be done with an entry like this (in this case, I'm specifying the commands that members of the unixforum group can run without being prompted for a password):

%unixforum ALL=NOPASSWD: /bin/ls,/bin/mkdir,/bin/rmdir

Here's an example session with that entry in place (and still with Defaults targetpw set to give a clear contrast):

$ id
uid=1002(unixforum) gid=1002(unixforum) groups=1002(unixforum)
$ sudo /bin/ls /root
Desktop  mbox  Pictures
$ sudo /bin/mkdir /root/testdir
$ sudo /bin/ls -ld /root/testdir
drwxr-xr-x 2 root root 4096 Mar  9 13:03 /root/testdir
$ sudo /bin/rmdir /root/testdir
$ sudo /usr/bin/vim
[sudo] password for root: 
$ 

Hope this helps.


Thank you very much, drysdalk, for the correct and prompt answer.

%unixforum     ALL=NOPASSWD: /bin/ls,/bin/mkdir,/bin/rmdir

May I ask why a percentage sign is written in front of the unixforum group name? Does it have a special meaning?
And from the above code, is there a special way of representing whether it's a username or a group name?

---------- Post updated at 11:29 AM ---------- Previous update was at 10:34 AM ----------

I have tried to make a particular user name, james, able to open and edit the sudoers file, but it seems something went wrong. Can you help me out with that?

james@opensuse:~> visudo
Absolute path to 'visudo' is '/usr/sbin/visudo', so running it may require superuser privileges (eg. root).
james@opensuse:~> 

And I have put the below code in the sudoers file:

%james ALL=NOPASSWD:/etc/sudoers

Hi,

The percent sign (%) at the start of the line signifies that this is a UNIX group name, and not a username. So it will affect all members of the group called unixforum, and not simply one single user. Lines without a percent symbol would affect only individual users and not groups.

The point of the sudoers file is to specify commands that users can run, not to list all the files or things they can access. So putting the sudoers file itself in the sudoers file doesn't actually make any sense. You also missed out the space between the colon and the command list, which may be important in your implementation.

So, if you wanted to give the user james permission to use sudo to edit the sudoers file, you'd actually want a line like this:

james ALL=NOPASSWD: /usr/sbin/visudo

It's worth pointing out that this isn't actually a good idea at all. Letting a user edit the sudoers file themselves via sudo is very dangerous and not at all secure, since they could then give themselves permission to run anything at all. If you're going to do that you might as well let the user run any and all commands without a password, since all you're really using sudo for at that point is to get a passwordless su.

Hope this helps.

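The points from the two answers above, applied by a small checker to a constructed sudoers sample (an added example, not code from either poster): it reports an active `Defaults targetpw`, tells `%group` entries from user entries, and flags the two rules discussed in the thread. The function name `audit_sudoers` and the simplified one-line grammar are assumptions of this example.

```python
import re

# Simplified grammar (assumption): who hosts = [(runas)] [TAG:] cmd[,cmd...]
# No aliases or line continuations; "#include" directives are treated as comments.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample assembled from the lines quoted in this thread.
SAMPLE = """\
Defaults targetpw
# User privilege specification
root ALL=(ALL) ALL
%unixforum ALL=NOPASSWD: /bin/ls,/bin/mkdir,/bin/rmdir
%james ALL=NOPASSWD:/etc/sudoers
james ALL=NOPASSWD: /usr/sbin/visudo
"""

def audit_sudoers(text):
    """Return (targetpw_enabled, rules, findings) for sudoers-style text."""
    targetpw, rules, findings = False, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out "Defaults targetpw" is skipped here
        if line.startswith("Defaults"):
            if "targetpw" in re.split(r"[,\s]+", line)[1:]:
                targetpw = True
                findings.append((n, "targetpw: sudo prompts for the target (root) password"))
            continue
        m = SPEC.match(line)
        if not m:
            findings.append((n, "line not understood by this simplified parser"))
            continue
        kind = "group" if m["who"].startswith("%") else "user"
        name = m["who"].lstrip("%")
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append({"line": n, "kind": kind, "name": name,
                      "nopasswd": "NOPASSWD:" in m["tags"], "cmds": cmds})
        for cmd in cmds:
            path = cmd.split()[0]
            if path == "/etc/sudoers":
                findings.append((n, f"{path} is a file, not a command"))
            elif path.endswith("/visudo"):
                findings.append((n, f"{kind} {name} can edit sudoers and grant itself anything"))
    return targetpw, rules, findings

if __name__ == "__main__":
    for n, msg in audit_sudoers(SAMPLE)[2]:
        print(f"line {n}: {msg}")
```

This reads single-line rules only; `visudo -c` remains the authoritative syntax check for a real sudoers file.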

There is a book called "Sudo Mastery: User Access Control for Real People" by Michael W Lucas. I find it very useful for understanding the sudo configuration as he explains it in simple terms.