appear at the top of the file. Each
/usr/local/bin/tcsh, /usr/local/bin/bash Using Aliases in /etc/sudoers To use an alias, just put the alias name in the rule where you would normally list the user, command, or host name. Here, we’ve previously defined a user alias DNSADMINS. The users listed in the DNSADMINS alias get to run any commands at all on all of our servers. DNSADMINS ALL = ALL Let’s suppose that our user Phil has to manage an application that runs as a particular user. He can run any command on the system as this application user. We defined a run as alias in the last section for the user alias, APPADMIN, and an alias for commands needed to run the application, DBCOMMANDS. phil ALL = (APPADMIN)DBCOMMANDS As the application administrator, Phil might also have to run backups. We have already given the APPOWNER run as alias operator privileges, and we have a separate command alias for backup commands. We can combine them all like this: phil ALL = (APPOWNER) DBCOMMANDS, (APPOWNER)BACKUPS This is much simpler to read than what this rule expands to. phil ALL = (dbuser,operator)/usr/home/dbuser/bin/*, (dbuser,operator)/bin/mt, (dbuser,operator)/sbin/restore, (dbuser,operator)/sbin/dump Some of the permissions granted by sudo in this case are unnecessary having the database user run as alias is not necessary for running backups. Still, it’s far tighter than just giving Phil the root password! You can also redefine rules to restrict your users as tightly as you desire. Nesting Aliases You can include aliases in aliases. For example, could group the DBCOMMANDS alias and the BACKUPS commands into a single group of commands. Cmnd_Alias DBADMINS = BACKUPS,DBCOMMANDS Using System Groups as User Aliases Sudo(8) can pull group information from the system and incorporate it into sudoers as a user alias. Rather than explicitly define a user alias, you can give the OpenBSD group name preceded by a percent sign (%) to indicate it’s a group name. %wheel ALL = ALL Anyone in the system’s wheel group can issue any command as root, on any server. Duplicating Alias Names You can reuse alias names. The user alias DBADMINS is not the same as the command alias DBADMINS. It’s quite possible to have entries like this. Cmnd_Alias DBAPP = /usr/home/dbuser/bin/* Page 154
Hint: If you are looking for very good and affordable webspace to host and run your tomcat hosting application check Virtualwebstudio tomcat web hosting provider