sudo (/ˈsuːduː/ or /ˈsuːdoʊ/) is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the "superuser". The name originally stood for "superuser do" because older versions of sudo were designed to run programs only as the superuser. Later versions added support for running commands not only as the superuser but also as other (restricted) users, so the name is also commonly expanded as "substitute user do". Although the latter reflects the current functionality more accurately, sudo is still often called "superuser do" because it is so often used for administrative tasks.
Configure Sudo on Debian
Configure sudo to separate users' duties when several people share privileges.
[1] Install sudo.
root@dlp:~# aptitude -y install sudo
[2] Grant all root privileges to a user.
root@dlp:~# visudo
# add to the end: user 'jessie' can use all root privileges
jessie ALL=(ALL) ALL
# how to write ⇒ user host=(owner) command
# press 'Ctrl + x' to quit visudo

# verify as user 'jessie'
jessie@dlp:~$ /sbin/shutdown -r now
shutdown: you must be root to do that!    # denied normally
jessie@dlp:~$ sudo /sbin/shutdown -r now
[sudo] password for jessie:    # jessie's password
jessie@dlp:~$
Broadcast message from root@dlp (pts/0) (Sun May 6 02:45:10 2011):
The system is going down for reboot NOW!    # executed
[3] In addition to the setting [1], configure sudo so that some commands are not allowed.
root@dlp:~# visudo
# add an alias for the shutdown-type commands
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init
# add (commands in alias 'SHUTDOWN' are not allowed)
jessie ALL=(ALL) ALL, !SHUTDOWN

# verify as user 'jessie'
jessie@dlp:~$ sudo /sbin/shutdown -r now
[sudo] password for jessie:
Sorry, user jessie is not allowed to execute '/sbin/shutdown -r now' as root on dlp.srv.world.    # denied normally
[4] Delegate some root-privileged commands to the users in a group.
root@dlp:~# visudo
# add an alias for the user management commands
# Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add to the end
%usermgr ALL=(ALL) USERMGR

root@dlp:~# groupadd usermgr
root@dlp:~# vi /etc/group
# add a user to this group
usermgr:x:1002:jessie

# verify as user 'jessie'
jessie@dlp:~$ sudo /usr/sbin/useradd testuser
jessie@dlp:~$    # done normally
jessie@dlp:~$ sudo /usr/bin/passwd testuser
Enter new UNIX password:    # set testuser's password
Retype new UNIX password:
passwd: password updated successfully
[5] Delegate a root-privileged command to a user.
root@dlp:~# visudo
# add to the end
fedora ALL=(ALL) /usr/sbin/visudo
cent ALL=(ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
suse ALL=(ALL) /usr/bin/vim

# make sure with user 'fedora'
fedora@dlp:~$ sudo /usr/sbin/visudo
# possible to open and edit
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##

# make sure with user 'cent'
cent@dlp:~$ sudo /usr/sbin/userdel -r testuser
cent@dlp:~$    # done normally

# make sure with user 'suse'
suse@dlp:~$ sudo /usr/bin/vim /root/.profile
# possible to open and edit
# ~/.profile: executed by Bourne-compatible login shells.
[6] The logs for sudo are kept in '/var/log/auth.log', but many other kinds of log entries are written there too. To keep only sudo's log in a file of its own, configure it as follows.
root@dlp:~# visudo
# add to the end
Defaults syslog=local1

root@dlp:~# vi /etc/rsyslog.conf
# line 61: add
local1.* /var/log/sudo.log
auth,authpriv.* /var/log/auth.log
# add
*.*;local1,auth,authpriv.none -/var/log/syslog

root@dlp:~# systemctl restart rsyslog
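The sudoers manual notes that subtracting commands from ALL with '!' (as in [3]) is generally not effective, and a rule that lets a user run an editor such as vim or visudo as root (as in [5]) lets that user change any file, including sudoers itself. The script below is an added example, not part of the original tutorial: it scans sudoers text for both patterns, using the rules from steps [3] to [5] (abridged) as constructed sample input; the RISKY list and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit sudoers rules for grants
# that are broader than they look. RISKY is an illustrative, non-exhaustive
# list of programs that can edit any file or start another program.
RISKY='sh bash vi vim less more visudo'

# Constructed sample input: abridged rules from steps [3], [4] and [5].
sample_sudoers() {
cat <<'EOF'
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
    /sbin/poweroff, /sbin/reboot, /sbin/init
jessie ALL=(ALL) ALL, !SHUTDOWN
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd
%usermgr ALL=(ALL) USERMGR
fedora ALL=(ALL) /usr/sbin/visudo
suse ALL=(ALL) /usr/bin/vim
EOF
}

# Reads sudoers text on stdin; prints one "KIND subject detail" line per finding.
audit_sudoers() {
awk -v risky="$RISKY" '
BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
{
    if (sub(/\\[ \t]*$/, " ")) { buf = buf $0; next }   # join continuation lines
    $0 = buf $0; buf = ""
    if ($0 ~ /^[ \t]*(#|$)/ || $1 == "Defaults") next   # skip comments, options
    who = ($1 ~ /_Alias$/) ? $2 : $1    # alias name, or the user/group of a rule
    sub(/=.*/, "", who)
    spec = $0
    sub(/^[^=]*=/, "", spec)            # keep the command list after "="
    gsub(/\([^)]*\)/, "", spec)         # drop the (runas) part
    all = neg = 0
    m = split(spec, item, ",")
    for (i = 1; i <= m; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", item[i])
        sub(/^[A-Z_]+:[ \t]*/, "", item[i])   # drop tags such as NOPASSWD:
        if (item[i] == "ALL") all = 1
        if (item[i] ~ /^!/) { neg = 1; continue }
        split(item[i], w, /[ \t]+/)     # w[1] is the command path
        k = split(w[1], p, "/")
        if (k > 1 && (p[k] in bad)) print "ROOT_EQUIV", who, w[1]
    }
    if (all && neg) print "DENYLIST", who, "ALL with ! exclusions"
}'
}

sample_sudoers | audit_sudoers
```

To check a real configuration, feed it the file as root, for example `audit_sudoers < /etc/sudoers`; it does not expand aliases, so a risky command is reported under the name of the Cmnd_Alias that contains it.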