What I want to do is:
- Write a script to install some software with yum: yum install whatever
- This script will be executed by a user that doesn't have root or sudo permissions
I have no objection to putting the root password in the script, I just don't know how to do it, I mean my script could look like this:
sudo -u root -p password
yum install whatever
The first line is where I don't know what I'm doing, I understand the security risks involved with putting the root credentials in here but it's not important for this.
The full power is described here:
The flexibility of sudo is widely under-estimated. This leads to very poor practices (like the sudo su - cannon-ball surgery method).
A much better method is to specifically allow the commands you intend to allow without use of a password:
phill ALL = NOPASSWD: /bin/ls, /usr/bin/lprm
You can optionally do this for specific users from specific hosts running as specific admin users. You can even prevent users from passing shell escapes as parameters. You can make sudo prevent the launched program from executing further applications dynamically, etc. You will want to read the man-page for sudoers (and be sure to read the procedures for editing this special file!).
Here is a small taste of things (from here):
User_Alias OPERATORS = joe, mike, jude
Runas_Alias OP = root, operator
Host_Alias OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
OPERATORS ALL=ALL
# The users in the OPERATORS group can run any command from any terminal.
linus ALL=(OP) ALL
# The user linus can run any command from any terminal as any user in the OP group (root or operator).
user2 OFNET=(ALL) ALL
# user user2 may run any command from any machine in the OFNET network, as any user.
user3 ALL= PRINTING
# user user3 may run lpc and lprm from any machine.
go2linux ALL=(ALL) ALL
# user go2linux may run any command from any machine acting as any user. (like Ubuntu)
If you do not want to be asked for a password, use this form:
go2linux ALL=(ALL) NOPASSWD: ALL
If the user doesn't have sudo permissions, then calling sudo is quite useless as it will simply deny the access. Also: when using sudo, the user will not be asked for the root password but for his own password.
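The command-specific NOPASSWD rule from the first answer, applied to the question's `yum install whatever` case, as an added example that is not part of the original posts. The user name `deploy`, the `/usr/bin/yum` path and the drop-in file name are assumptions; the rule pins the full command line because a rule naming only `/usr/bin/yum` would match any arguments.

```shell
#!/bin/sh
# Added example: "deploy", "whatever" and RULE_FILE are assumed names.
# sudo skips files in /etc/sudoers.d whose names contain '.' or end in '~'.
RULE_FILE=/etc/sudoers.d/90-yum-install

# Accept only characters with no special meaning in sudoers
# (no spaces, commas, slashes or wildcards).
valid_token() {
    case $1 in
        ''|*[!A-Za-z0-9._+-]*) return 1 ;;
    esac
}

# Print one rule: USER may run exactly "yum -y install PKG" as root
# without a password. Any other yum arguments are not matched.
render_rule() {
    valid_token "$1" && valid_token "$2" || {
        echo "unsafe user or package name" >&2
        return 1
    }
    printf '%s ALL = (root) NOPASSWD: /usr/bin/yum -y install %s\n' "$1" "$2"
}

# Syntax-check the rule with visudo before it goes live, then install it
# root-owned with mode 0440. Must be run as root.
install_rule() {
    tmp=$(mktemp) || return 1
    if render_rule "$1" "$2" > "$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$RULE_FILE"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Preview only; as root, run: install_rule deploy whatever
render_rule deploy whatever
# The unprivileged script then calls, with exactly these arguments:
#   sudo -n /usr/bin/yum -y install whatever
```

With this rule in place no password is stored in the script, and `sudo -n` fails instead of prompting if the rule does not match.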