綾小路龍之介の素人思考

[Debian] Using sudo

I drew up a set of rules for using sudo on a shared machine I administer.

First, install the package.

# apt-get install sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  sudo
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 836 kB of archives.
After this operation, 1,624 kB of additional disk space will be used.
Get:1 http://security.debian.org/ wheezy/updates/main sudo i386 1.8.5p2-1+nmu2 [836 kB]
Fetched 836 kB in 2s (346 kB/s)
Selecting previously unselected package sudo.
(Reading database ... 46093 files and directories currently installed.)
Unpacking sudo (from .../sudo_1.8.5p2-1+nmu2_i386.deb) ...
Processing triggers for man-db ...
Setting up sudo (1.8.5p2-1+nmu2) ...

Check the default configuration. The configuration file is /etc/sudoers; the effective settings can also be viewed with sudo -l.

# grep -v -e '^$' -e '#' /etc/sudoers
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# sudo -l
Matching Defaults entries for root on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User root may run the following commands on this host:
    (ALL : ALL) ALL

Add existinguser to the sudo group.

# id existinguser
uid=1000(existinguser) gid=1000(existinguser) groups=1000(existinguser),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),103(netdev)
# usermod -a -G sudo existinguser
# adduser existinguser sudo
# id existinguser
uid=1000(existinguser) gid=1000(existinguser) groups=1000(existinguser),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),103(netdev)
# su - existinguser
$ sudo -l
Matching Defaults entries for existinguser on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User existinguser may run the following commands on this host:
    (ALL : ALL) ALL

Looking at the log file, you can see messages like the following.

$ grep sudo /var/log/auth.log
(snip)
*** ** 07:09:22 ********* sudo: existinguser : TTY=pts/2 ; PWD=/home/existinguser ; USER=root ; COMMAND=/bin/cat /etc/sudoers.d/README
*** ** 07:09:22 ********* sudo: pam_unix(sudo:session): session opened for user root by existinguser(uid=0)
*** ** 07:09:22 ********* sudo: pam_unix(sudo:session): session closed for user root
(snip)

Below is a failure example.

$ sudo vi /etc/motd
[sudo] password for existinguser:
Sorry, try again.
[sudo] password for existinguser:
Sorry, try again.
[sudo] password for existinguser:
Sorry, try again.
sudo: 3 incorrect password attempts
$ grep sudo /var/log/auth.log
(snip)
*** ** 07:18:58 ********* sudo: pam_unix(sudo:auth): authentication failure; logname=existinguser uid=1000 euid=0 tty=/dev/pts/3 ruser=existinguser rhost=  user=existinguser
*** ** 07:19:08 ********* sudo: existinguser : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/existinguser ; USER=root ; COMMAND=/usr/bin/vi /etc/motd
(snip)
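The two auth.log excerpts above are exactly what a sudo audit should be built on: one line per command actually run, plus the pam_unix auth failures and the "incorrect password attempts" summary when someone gets it wrong. The following script is an added example, not part of the original post. It embeds a constructed log (the date and host fields are made up, the message formats are sudo's and pam_unix's own) and provides three small filters written in POSIX sh and awk: successful invocations with invoking user, target user and command; denied invocations (wrong password or user not in sudoers); and authentication failures counted per user, which is the figure worth alerting on when it spikes.

```shell
#!/bin/sh
# Added example: summarise sudo activity from an auth.log-style file.
# The sample lines are constructed; the message formats match sudo/pam_unix.

sample_log() {
    cat <<'EOF'
Jan  1 07:09:22 host sudo: existinguser : TTY=pts/2 ; PWD=/home/existinguser ; USER=root ; COMMAND=/bin/cat /etc/sudoers.d/README
Jan  1 07:09:22 host sudo: pam_unix(sudo:session): session opened for user root by existinguser(uid=0)
Jan  1 07:09:22 host sudo: pam_unix(sudo:session): session closed for user root
Jan  1 07:18:58 host sudo: pam_unix(sudo:auth): authentication failure; logname=existinguser uid=1000 euid=0 tty=/dev/pts/3 ruser=existinguser rhost=  user=existinguser
Jan  1 07:19:08 host sudo: existinguser : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/existinguser ; USER=root ; COMMAND=/usr/bin/vi /etc/motd
Jan  1 07:20:00 host sudo: otheruser : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/otheruser ; USER=root ; COMMAND=/bin/ls /root
EOF
}

# One line per command that sudo actually ran, read from stdin:
# invoking user <TAB> target user <TAB> command.
# A successful invocation is logged as "sudo: <user> : TTY=..."; failures
# carry a reason between the user and TTY=, so they do not match here.
sudo_commands_run() {
    awk '
        / sudo: [^ ]+ : TTY=/ {
            user = $0;   sub(/.* sudo: /, "", user);  sub(/ : .*/, "", user)
            target = $0; sub(/.*USER=/, "", target);  sub(/ ;.*/, "", target)
            cmd = $0;    sub(/.*COMMAND=/, "", cmd)
            print user "\t" target "\t" cmd
        }'
}

# Denied invocations: three wrong passwords, or a user with no sudoers entry.
# Prints user <TAB> reason <TAB> attempted command.
sudo_denied() {
    awk '
        / sudo: [^ ]+ : (.*incorrect password attempts|user NOT in sudoers) ;/ {
            user = $0;   sub(/.* sudo: /, "", user);  sub(/ : .*/, "", user)
            reason = $0; sub(/.* sudo: [^ ]+ : /, "", reason); sub(/ ;.*/, "", reason)
            cmd = $0;    sub(/.*COMMAND=/, "", cmd)
            print user "\t" reason "\t" cmd
        }'
}

# pam_unix authentication failures counted per user; a burst from one
# account is the signal to look at.
sudo_auth_failures_by_user() {
    awk '
        /pam_unix\(sudo:auth\): authentication failure/ {
            u = $0; sub(/.* user=/, "", u); n[u]++
        }
        END { for (u in n) print u "\t" n[u] }'
}

# Usage on the embedded sample (replace with: sudo_commands_run < /var/log/auth.log)
echo "== commands run ==";        sample_log | sudo_commands_run
echo "== denied ==";              sample_log | sudo_denied
echo "== auth failures/user =="; sample_log | sudo_auth_failures_by_user
```

On a real host the functions read /var/log/auth.log (or the journal piped through them) instead of the embedded sample. Note that the "3 incorrect password attempts" line is sudo's own summary, while the per-attempt detail comes from pam_unix; counting the latter per user is what tells a burst of guessing apart from a single typo.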

ChangeLog

  1. Posted: 2008-08-09T02:34:51+09:00
  2. Modified: 2008-08-09T02:34:51+09:00
  3. Generated: 2017-06-08T23:09:20+09:00