
Administration Utilities

In the document Linux Security (Page 146-149)

Numerous administrative utilities are available for managing and maintaining a Linux computer. In this section, I discuss the following utilities:

◆ YaST

◆ Sudo

◆ Super

YaST

Yet Another Setup Tool (YaST) is a command-line graphical interface that provides a user-friendly approach to many tasks of Linux administration. However, it does not have the ability to restrict user access; it is useful for minimizing errors and allowing users to administer their systems.

Unlike Linuxconf, YaST is not network aware, which means that you must log into each computer you want to manage.

Sudo

Superuser do (Sudo) allows a system administrator to give users, or groups of users, the ability to run commands as root users. Its features are listed here:

◆ Sudo restricts the commands a user can execute.

◆ Sudo logs details of each command being executed. When used along with syslogd, the system log daemon, Sudo can be configured to log all commands to a central host as well as to the local host. Sudo also can be configured to log all the attempts, whether successful or unsuccessful, of the commands being executed. In addition, Sudo can also log errors generated while executing the command. These events are logged in the syslog(3) file. However, this log file is changeable.

◆ Sudo uses timestamp files to implement a timeout system. Users, upon invoking Sudo, are prompted for their password. Upon validation, they are granted a ticket for five minutes. This timeout is configurable at compile-time. Each subsequent Sudo command updates the ticket for another five minutes.

◆ The configuration file of Sudo, sudoers, is set up in such a manner that the same sudoers file may be used on many machines. This allows for central administration. However, the flexibility to define a user's privileges on a per-host basis is still available.
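The logging feature described above is only useful if someone reads the log. The following script, added here as an example and not taken from the book, parses the record format Sudo writes to syslog (`user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...`) and pulls out the denied and failed attempts that an administrator would want to see first. The log lines, host names and user names are constructed for the example.

```python
"""Parse sudo's syslog records and flag the events an administrator wants
to see first. Added example with constructed log lines: the layout follows
the 'user : [reason ;] TTY= ; PWD= ; USER= ; COMMAND=' form sudo writes,
but the hosts, users and commands are made up."""
import re

# Constructed sample: what a central loghost might receive from two machines.
SAMPLE_SYSLOG = """\
Mar  3 10:01:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service nginx reload
Mar  3 10:02:40 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:05 db1 sudo:   mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:04:19 db1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/carol ; USER=postgres ; COMMAND=/usr/bin/psql
Mar  3 10:05:00 web1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# One record per line; the optional "reason ;" field is present only when
# sudo refused to run the command (not in sudoers, command not allowed,
# too many bad passwords).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_log(text):
    """Return a list of dicts, one per sudo record; non-sudo lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["reason"] = ev["reason"] or None  # None: the command was permitted and ran
        events.append(ev)
    return events


def denied_events(events):
    """Events where sudo refused the request, i.e. a reason field is present."""
    return [e for e in events if e["reason"] is not None]


def per_host_summary(events):
    """Count allowed and denied sudo invocations per originating host."""
    summary = {}
    for e in events:
        h = summary.setdefault(e["host"], {"allowed": 0, "denied": 0})
        h["denied" if e["reason"] else "allowed"] += 1
    return summary


if __name__ == "__main__":
    evs = parse_sudo_log(SAMPLE_SYSLOG)
    for e in denied_events(evs):
        print(f"{e['host']}: {e['user']} -> {e['reason']} ({e['cmd']})")
    print(per_host_summary(evs))
```

Run against a file collected from the central host mentioned above, the denied list is the first thing to review after an incident, and the per-host counts give a quick picture of where Sudo is being used at all.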

Sudo allows a user to execute a command as the superuser, as specified in the sudoers file. The uid and gid of the user are set to match those of the superuser, as specified in the passwd file. The /etc/sudoers file contains the list of authorized users. Sudo uses this file to validate users. If a user not listed in this file tries to log on, an error message is generated.
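To make the "one sudoers file, per-host privileges" idea concrete, here is a small evaluator for a sudoers-style policy. It is an added example, not Sudo's own parser, and it handles only the subset of the sudoers grammar used in the constructed fragment below (Host_Alias, Cmnd_Alias, ALL, and `user host = (runas) commands` entries; no negated entries, wildcards or command arguments). The host names, users and commands are made up.

```python
"""Minimal evaluator for a sudoers-style policy, showing how a single file
shared by every host can still grant privileges per host. Added example with
constructed input; it covers only the subset of the sudoers grammar below."""
import re

# Constructed sudoers fragment, identical on every machine in the example fleet.
SAMPLE_SUDOERS = """
# Aliases let one file describe several machines and command sets.
Host_Alias WEBSERVERS = web1, web2
Cmnd_Alias SERVICES = /usr/sbin/service, /bin/systemctl

root    ALL = (ALL) ALL
alice   ALL = (ALL) ALL
bob     WEBSERVERS = (root) SERVICES
carol   db1 = (postgres) /usr/bin/psql
"""

ALIAS_RE = re.compile(r"(Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)")
RULE_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(.+)")


def parse_sudoers(text):
    """Return (host_aliases, cmnd_aliases, rules) parsed from a sudoers fragment."""
    host_aliases, cmnd_aliases, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            target = host_aliases if kind == "Host_Alias" else cmnd_aliases
            target[name] = [x.strip() for x in members.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        user, host, runas, cmds = m.groups()
        rules.append((user, host, runas, [c.strip() for c in cmds.split(",")]))
    return host_aliases, cmnd_aliases, rules


def _expand(item, aliases):
    """Resolve an alias name to its members; a plain value expands to itself."""
    return aliases.get(item, [item])


def may_run(policy, user, host, runas, command):
    """Decide whether `user` on `host` may run `command` as `runas`.

    Any matching rule grants access. With no negated entries in this subset,
    rule order does not matter, and command paths must match exactly.
    """
    host_aliases, cmnd_aliases, rules = policy
    for r_user, r_host, r_runas, r_cmds in rules:
        if r_user != user:
            continue
        if r_host != "ALL" and host not in _expand(r_host, host_aliases):
            continue
        if r_runas != "ALL" and r_runas != runas:
            continue
        allowed = [c for item in r_cmds for c in _expand(item, cmnd_aliases)]
        if "ALL" in allowed or command in allowed:
            return True
    return False


if __name__ == "__main__":
    policy = parse_sudoers(SAMPLE_SUDOERS)
    # Same file, different answers depending on which host it is evaluated on.
    print("bob on web1:", may_run(policy, "bob", "web1", "root", "/usr/sbin/service"))
    print("bob on db1: ", may_run(policy, "bob", "db1", "root", "/usr/sbin/service"))
```

The point to notice is that `bob` gets the service commands only on the hosts named in WEBSERVERS, while `carol` is confined to one host and one target account; the same file distributed to every machine yields the right answer on each of them.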

By default, Sudo requires that users be authenticated with a password. The authentication password is normally the user’s password, not the root password.

After a user has been authenticated, a timestamp is updated and the user can use Sudo without a password for a permitted period of time. The prompt for password will also time out if the user's password is not entered within five minutes, unless it's overridden by a modification in the sudoers file. You can update the default timestamp by running the sudo command with the -v flag.

Sudo accepts the following command line options:

-V. The -V (version) option is used to print the version number of Sudo. When executed by the root user, the -V option prints a list of defaults.

-l. The -l (list) option is used to list the commands that are allowed or restricted for a user.

NOTE

An e-mail message will not be sent if an unauthorized user tries to run Sudo with the -l or -v flags.

-L. The -L (list defaults) option is used to display a list of the default parameters.

-h. The -h (help) option is used to print a usage message.

-v. The -v (validate) option is used to update the user's timestamp and, if necessary, prompts for the user's password. This extends the Sudo timeout for another five minutes or the time configured in the sudoers file.

-k. The -k (kill) option is used to invalidate the user's timestamp. You need to specify a password if you run Sudo after specifying this option.

-K. The -K (sure kill) option is used to remove a user's timestamp. This option does not require a password.

-b. The -b (background) option is used to tell Sudo to run a command in the background.

-p. The -p (prompt) option is used to override the default password prompt. You can also customize the password prompt.

-c. The -c (class) option is used to run the specified command under the specified login class. The class argument can be a class name or a single dash (-) character. The class name is defined in the /etc/login.conf file. The command should be run as root if you specify an existing user.

-a. The -a (authentication type) option is used to validate users with different authentication types. The authentication type to be used for a user is mentioned in the /etc/login.conf file.

-u. The -u (user) option is used to run a specified command as a user other than the root user. Use #uid if you want to specify a uid instead of a username.

-s. The -s (shell) option is used to run the shell specified by the SHELL environment variable.

-H. The -H (HOME) option is used to set the HOME environment variable to the home directory of the specified user.

-P. The -P (preserve group vector) option is used to keep the unmodified group vector of the invoking user. Otherwise, the group vector is initialized to the groups to which the specified user belongs.

-S. The -S (stdin) option is used to accept a password from standard input rather than from the terminal.

Super

Super is a tool that can be used to give users and groups varied levels of access for system administration. In addition to giving access to users, you can specify access time and the level of access to scripts. The access level you give is critical. For example, giving setuid access to ordinary commands could create unexpected consequences. Debian ships with super, and there are rpms available in the contrib directory. This is a powerful tool, but it requires a significant amount of effort to be implemented properly. The primary distribution site for super is ftp://ftp.ucolick.org/pub/users/will/.
