Mastering Ubuntu Server: Gain expertise in the art of deploying, configuring, managing, and troubleshooting Ubuntu Server, by Jay LaCroix

Here, we're allowing user charlie to execute the reboot and shutdown commands. If user charlie tries to do something else (such as install a package), they will receive an error message:
Sorry, user charlie is not allowed to execute '/usr/bin/apt install tmux' as root on ubuntu.
However, if charlie wants to use the reboot or shutdown commands on the server, they will be able to do so because we explicitly called out those commands while setting up this user's sudo access. We can limit this further by changing the first ALL to a machine name, in this case, ubuntu, to reference the host name of the server I'm using for my examples. I've also changed the command that charlie is allowed to run:
charlie    ubuntu=(ALL:ALL) /usr/bin/apt 
It's always a good idea to use full paths to commands when editing sudo permissions, rather than the shortened versions. For example, we used /usr/bin/apt here, instead of just apt. This is important, as the user could create a script named apt to do mischievous things that we normally wouldn't allow them to do. By using the full path, we're limiting the user to the binary stored at that path.
Now, charlie is only able to use apt. They can use apt update, apt dist-upgrade, and any other sub-command of apt. But if they try to reboot the server, remove protected files, add users, or anything else we haven't explicitly set, they will be prevented from doing so.
We have another problem, though. We're allowing charlie to impersonate other users. This may not be completely terrible given the context of installing packages (impersonating another user would be useless unless that user also has access to install packages), but it's bad form to allow this unless we really need to. In this case, we could just remove the (ALL:ALL) from the line altogether to prevent charlie from using the -u option of sudo to run commands as other users:
charlie    ubuntu= /usr/bin/apt
On the other hand, if we actually do want charlie to be able to impersonate other users (but only specific users), we can call out the username and group that charlie is allowed to act on behalf of by setting those values:
charlie    ubuntu=(dscully:admins) ALL
In that example, charlie is able to run commands on behalf of the user dscully and the group admins.
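The points raised in this section (ALL as the host, an (ALL:ALL) run-as specification, ALL as the command, and commands given without a full path) can be checked mechanically when reviewing a sudoers file. The following Python script is an added example, not code from the book. Its sample rules are constructed: the first matches the reboot/shutdown rule described above and the last is a deliberately bad rule. The parser handles only simple one-line user specifications.

```python
import re

# Simplified user specification: user host=(runas_user:runas_group) commands
RULE = re.compile(r"^([^\s=]+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

# Constructed sample input (not taken from a real system).
SAMPLE = """\
charlie    ALL=(ALL:ALL) /usr/sbin/reboot,/usr/sbin/shutdown
charlie    ubuntu=(ALL:ALL) /usr/bin/apt
charlie    ubuntu= /usr/bin/apt
charlie    ubuntu=(dscully:admins) ALL
charlie    ubuntu= apt
"""

def audit_rule(line):
    """Return findings for one user specification, or None for other lines."""
    line = line.strip()
    if line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
        return None  # comments, includes, Defaults and alias definitions
    m = RULE.match(line)
    if not m:
        return None
    _user, host, runas, cmds = m.groups()
    findings = []
    if host == "ALL":
        findings.append("applies on every host")
    if runas is not None:  # no run-as list means commands run as root only
        ru, _, rg = runas.partition(":")
        if ru.strip() == "ALL":
            findings.append("may run as any user (sudo -u)")
        if rg.strip() == "ALL":
            findings.append("may run as any group (sudo -g)")
    for cmd in cmds.split(","):
        # Drop leading tags such as NOPASSWD: before looking at the command.
        parts = re.sub(r"^\s*(?:[A-Z]+:\s*)+", "", cmd).split()
        if not parts:
            continue
        if parts[0] == "ALL":
            findings.append("any command allowed")
        elif not parts[0].startswith("/"):
            findings.append(f"command '{parts[0]}' is not a full path")
    return findings

def audit(text):
    """Map each user specification line in text to its list of findings."""
    rules = ((l.strip(), audit_rule(l)) for l in text.splitlines())
    return {l: f for l, f in rules if f is not None}

if __name__ == "__main__":
    for rule, findings in audit(SAMPLE).items():
        print(f"{rule}\n    -> {', '.join(findings) or 'no findings'}")
```

On a real server, validate edits with visudo -c and confirm the effective rules for a user with sudo -l -U charlie.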


Chapter 2
