If you're a Unix or Linux sysadmin, you know sudo: it's that command that lets you run single commands as root from your own account, rather than logging in as root. And if you're like me, here's what you know about configuring sudo:
- Run sudoedit and uncomment the line that says "%wheel ALL=(ALL) ALL".
- Make sure you're in the wheel group.
Okay, so you can now run any command as root. Awesome! But not everyone is as careful as you are (or at least, as you like to think you are). If you're a sysadmin, you need to stop people from shooting themselves in the foot. (Might also want to stop yourself from self-inflicted gunshot wounds.) There should be some way of restricting use, right? Just gotta check out the man page.... And that's where I stopped, every time. I've yet to truly understand Extended Backus-Naur Form (sue me), and my eyes would glaze over. And so I'd go back to putting some small number of people in the "wheel" group, and letting them run sudo, and cleaning up the occasional mess afterward.
Fortunately, Michael W. Lucas has written "Sudo Mastery: User Access Control for Real People". If his name sounds familiar, there's a reason for that: he's been cranking out excellent technical books for a long time, on everything from FreeBSD to Cisco routers to DNSSEC. He just, like, does this: he takes deep, involved subjects that you don't even know you need to know more about, and he makes them understandable. It's a good trick, and we're lucky he's turned his attention to sudo.
The book clocks in at 144 pages (print version), and it's packed with information from start to finish. Lucas starts with the why and how of sudo, explaining why you need to know it and how sudo protects you. He moves on to the syntax; it's kind of a bear at first, but Chapter 2, "sudo and sudoers", takes care of that nicely. Have you locked yourself out of sudo with a poor edit? I have; I've even managed to do it on many machines, all at once, by distributing that edit with CFEngine. Lucas covers this in Chapter 3, "Editing and Testing Sudoers", a chapter that would have saved my butt. By the time you've added a few entries, you're probably ready for Chapter 4, "Lists and Aliases".
sudo has lots of ways to avoid repeating yourself, and I picked up a few tricks from this chapter I didn't know about — including that sudo can run commands as users other than root. Need to restart Tomcat as the tomcat user? There's a sudoers line for that. I'm ashamed to admit that I didn't know this.
There is a lot more in this book, too. You can override sudo defaults for different commands or users (you can change the lecture text; maybe sometimes there *is* a technical solution for a social problem...). You can stuff sudo directives into LDAP and stop copying files around. You can edit files with sudoedit. You can record people's sudo commands, and play them back using sudoreplay. The list goes on.
Sounds like a lot, doesn't it? It is. But the book flies by, because Lucas is a good writer: he packs a lot of information into the pages while remaining engaging and funny. The anecdotes are informative, the banter is witty, and there's no dry or boring to be found anywhere.
Shortcomings: Maybe you don't like humour in your tech books; if so, you could pass this up, but man, you'd be missing out. There wasn't an index in the EPUB version I got, which I always miss. Other than that: I'm mad Lucas didn't write this book ten years ago.
Score: 10 out of 10. If you're a Linux or Unix sysadmin, you need this book; it's just that simple.
Where to buy:
- You can buy the ebook version from Lucas himself.
- You can also buy the ebook or a dead-tree version from Amazon.com.
Link to Original Source