Twitter Updates

    follow me on Twitter

    G-AVLN in front of her home

    G-AVLN in front of her home

    Mostly Unix and Linux topics. But flying might get a mention too.

    Tuesday, June 02, 2009

    Time ticket with sudo

    The sudo facility has been available in UNIX for a long time. Often as an add-on, it provides secure and highly configurable mechanism for "delegating" tasks. It is meant to step in where the basic "switch user" command, su, leaves off.

    In the sudo configuration file (/etc/sudoers) we define who can do what on which machines with whose identity. The configuration can be as complex as it is powerful, so a lot of the time administrators start with a basic facility, which specifies that a user can do every command, on every machine as any user:

    fred ALL=(ALL) ALL

    So how does that differ from login as user root in the first place? Well, with sudo you don't disseminate root's password. Users attempting to use the sudo facility will have to authenticate themselves by providing their own password (not the password of the 'target' identity!).

    Once authenticated, the user can continue executing sudo commands for a default timeout (typically 5, 10 or 15 minutes). This timeout is known as the 'time ticket'. Once the time ticket expires, the user will have to provide his/her password again.

    The default for the time ticket is not always appropriate. Depending on the job role, there may be a requirement to extend (or indeed shorten) the time ticket's length.

    To do that, edit the /etc/sudoers file (using visudo tool), and add the line into the Defaults block of instructions (it actually doesn't matter where the line ends up, the suggested location is for clarity reasons only):

    Defaults:fred timestamp_timeout = "X"

    where X stands for the number of minutes you want the time ticket to last.

    If you want for the timetickets to never expire (not really recommended - it defeats the purpose!) replace X with -1.

    You can add a line for each user you want to modify, and you can replace the user name with ALL - meaning.... all users ;-)

    No comments:

    Blog Archive