Re: SUDOERS: how to setup in a school
From: Chris Cox (ccox_nopenotthis_at_airmail.net)
Date: 10/20/04
Date: Wed, 20 Oct 2004 16:05:00 -0500
Edilmar Alves wrote:
> Hi,
>
> I'm a teacher of a Linux course, and I'm using Fedora Core 2 to teach
> how to configure services like DNS, Apache, Proftp, Postfix, SSH,
> Samba, NFS and NIS. But, for convenience, the first students have
> to login using ROOT user or a user created with ROOT privileges,
> to allow to modify configuration files, and restart services into
> /etc/rc.d/init.d.
>
> However, I'd like to know if it is possible to configure SUDOERS
> for this situation. There are many config. files to change and many
> services to start/stop, and I'd like to create "student users"
> with no ROOT access but with privileges to do these configs.
> Is it possible? Does someone have a sample of this?
As a general rule, it's not a great idea... but I understand the
need. So... here's a sudoers set of commands:
Cmnd_Alias INIT_SCRIPTS = /etc/init.d/*
User_Alias INITUSERS = ALL
INITUSERS ALL = INIT_SCRIPTS
This will allow any (INITUSERS) to run any script in /etc/init.d/* as
root using sudo.
So...
$ sudo /etc/init.d/nscd restart
For example (it will prompt the student to authenticate using
their own password and cache it for a while).
With regards to editing configuration files. This is more
difficult. Enabling an editor as root is as effective
as giving full root privileges. What you need is a way
of copying configuration files of interest into each
user's home directory.... then you could write a simple
script that a user could invoke via sudo that will take
the user's version of the file and copy it into place.
Consider the following script:
#!/bin/sh
# An example with two editable files... extend as you wish
CONF_FILES="/etc/httpd/httpd.conf
/etc/nsswitch.conf"
for file in $CONF_FILES; do
    # Timestamp suffix for the backup copy (yymmddHHMMSS)
    d=`date +%y%m%d%H%M%S`
    bname=`basename $file`
    dname=`dirname $file`
    # The user's edited copy. ~ does not expand inside quotes, so use $HOME
    # (assumes sudo leaves HOME pointing at the invoking user's home).
    userconf="$HOME/UserConfs/$bname"
    if [ -f "$userconf" ] && ! cmp "$userconf" "$file" >/dev/null 2>&1; then
        echo "Updating $file with $userconf"
        # Keep the current file as a timestamped backup
        mv "$file" "$dname/$bname.$d"
        cp "$userconf" "$file"
        # Probably want to do something to capture
        # and set permissions of the original file
        # onto the replacement file....
    fi
done
Might be better to make CONF_FILES something passed in
as an argument (only taking a single file)... but hopefully
you will see the idea. The script above will always
update any file that differs from the destination
anytime it is run by the user (you would take the script
and make it an allowable command via sudo).
>
> Thanks for any help,
Hope that helps.
Chris
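
Added example, not part of Chris Cox's message: a sketch of the single-file variant suggested above, where the script takes one destination path as its argument and is the only command granted in sudoers. The script name install-conf, the return codes, and the use of SUDO_USER with getent to find the student's home are assumptions; the allowlisted paths and the ~/UserConfs layout come from the post.

```shell
#!/bin/sh
# install-conf (hypothetical name): install one allowlisted config file from
# the invoking user's ~/UserConfs. Meant to be the only command granted in sudoers.
ALLOWED="/etc/httpd/httpd.conf /etc/nsswitch.conf"   # paths from the post

# Succeeds only if $1 is exactly one of the allowlisted paths.
is_allowed() {
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# install_conf SRC DEST: back up DEST, then replace its contents with SRC.
install_conf() {
    src=$1; dest=$2
    is_allowed "$dest" || { echo "refused: $dest not allowlisted" >&2; return 2; }
    # SRC is user-controlled: take only a regular file, never a symlink,
    # so root does not copy some other file's contents into DEST.
    [ -f "$src" ] && [ ! -L "$src" ] || { echo "refused: $src" >&2; return 3; }
    cmp -s "$src" "$dest" && return 0            # identical, nothing to do
    stamp=$(date +%y%m%d%H%M%S)
    cp -p "$dest" "$dest.$stamp" || return 4     # timestamped backup
    cat "$src" > "$dest"                         # keeps DEST's owner and mode
}

# Entry point: sudo install-conf /etc/nsswitch.conf
main() {
    [ -n "$SUDO_USER" ] || { echo "run via sudo" >&2; return 1; }
    home=$(getent passwd "$SUDO_USER" | cut -d: -f6)
    [ -n "$home" ] || return 1
    install_conf "$home/UserConfs/$(basename "$1")" "$1"
}
[ $# -eq 0 ] || main "$@"
```

Because the destination must match the allowlist exactly and the source path is derived from the destination's basename, the student never supplies an arbitrary path to a command running as root.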