    Host_Alias DBAPP = server8,server12,server15
    Runas_Alias DBAPP = dbuser,operator

of the screen. Some log files are only visible to root; for example, the log that contains sudo access information. You might want to view these logs without bothering to become root.

    # sudo tail -f /var/log/authlog
    openbsd/usr/src/usr.bin/sudo;sudo tail -f /var/log/secure
    Jul 29 13:24:19 openbsd sudo: mwlucas : TTY=ttyp0 ; PWD=/home/mwlucas ; USER=root ; COMMAND=list
    Jul 29 13:30:03 openbsd sudo: mwlucas : TTY=ttyp0 ; PWD=/home/mwlucas ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/authlog
    …

Running Commands as Other Users

You can choose to run commands as a user other than root, if you have the appropriate permissions. For example, suppose we have our database application where commands must be run as the database user. We saw in /etc/sudoers how to set up permission to do this. You tell sudo to run as a particular user by using the “-u” flag and a username. For example, the operator user has the privileges necessary to run dump(8) and back up the system.

    # sudo -u operator dump /dev/sd0s1

Excluding Commands from ALL

Now that you know the basics of sudo, let’s look at a common situation that trips up even experienced systems administrators. Sometimes you want to disallow users from executing certain commands, but give them access to every other command. You can try to do this with the “!” operator, but it’s not entirely effective. Because it’s a popular setup, however, we’ll discuss how this works and then what’s wrong with it.

First, define command aliases that contain the forbidden commands. Popular commands to exclude are shells (if you execute a shell as a user, you become that user) and su(1). Then give your user a command rule that excludes those aliases with the “!” operator.

    Cmnd_Alias SHELLS = /bin/sh,/bin/csh,/usr/local/bin/tcsh
    Cmnd_Alias SU = /usr/bin/su
    mwlucas ALL = ALL,!SHELLS,!SU

Looks great, doesn’t it? And it seems to work.

    openbsd~;sudo sh
    Password:
    Sorry, user mwlucas is not allowed to execute ‘/bin/sh’ as root on openbsd.
    openbsd~;

Remember, sudo uses full paths for all the commands. You’re allowing the user to run any command they want, except for a few that are specified by their full path. All that user needs to do is change their path to one of these commands to run it! The easiest way to do this is by copying the command to another location.

    # id
    uid=1000(mwlucas) gid=1000(mwlucas) groups=1000(mwlucas), 0(wheel)
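To find rules of this kind before someone relies on them, the following audit check scans sudoers text for any rule that grants ALL and then subtracts commands with “!”. It is an added example, not code from the book or from sudo; the sample sudoers text (including the BACKUP alias and the operator rule) is constructed, and the parser assumes one rule per line, a single host field, and does not follow include directives.

```python
import re

# Constructed sample: the rule from the text plus a rule that lists its commands.
SAMPLE_SUDOERS = """\
Cmnd_Alias SHELLS = /bin/sh,/bin/csh,/usr/local/bin/tcsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias BACKUP = /sbin/dump
mwlucas ALL = ALL,!SHELLS,!SU
operator ALL = BACKUP
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
NOT_A_RULE_RE = re.compile(r"^(\w+_Alias|Defaults)\b")
# user  host  =  optional (runas)  command list
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


def split_list(text):
    """Split a comma-separated sudoers list and drop any leading tags."""
    return [TAG_RE.sub("", item.strip()) for item in text.split(",") if item.strip()]


def find_bypassable_exclusions(sudoers_text):
    """Return (user, excluded_paths) for each rule that grants ALL and then
    subtracts commands with '!'. The exclusion matches full paths only, so
    the same binary under any other path is still covered by ALL."""
    lines = [l.strip() for l in sudoers_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]  # includes not followed
    aliases = {}
    for line in lines:
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = split_list(m.group(2))
    findings = []
    for line in lines:
        m = None if NOT_A_RULE_RE.match(line) else RULE_RE.match(line)
        if not m:
            continue
        cmnds = split_list(m.group(2))
        negated = [c[1:].strip() for c in cmnds if c.startswith("!")]
        if "ALL" in cmnds and negated:
            # Expand Cmnd_Alias names; a literal path is reported as written.
            paths = [p for name in negated for p in aliases.get(name, [name])]
            findings.append((m.group(1), paths))
    return findings


if __name__ == "__main__":
    for user, paths in find_bypassable_exclusions(SAMPLE_SUDOERS):
        print(f"{user}: ALL minus {', '.join(paths)} (exclusion is path-based only)")
```

A rule that lists the permitted commands, like the constructed operator rule, is not reported, because it does not depend on “!” to hold.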