Difference between revisions of "Sudo (Italiano)"

From ArchWiki
m
Line 20: Line 20:
 
By default, users will not be allowed to run sudo. See [[#Configuration]] for instructions.
 
By default, users will not be allowed to run sudo. See [[#Configuration]] for instructions.
  
== Abilitare sudo per gli utenti ==
+
== Usage ==
  
Per far sì che un utente sia un utente sudo (un "sudoer"), digitare "visudo" da root. Questo comando aprirà il file /etc/sudoers in una speciale sessione di vi. (Non editare /etc/sudoers direttamente con un editor). Per dare all'utente pieni privilegi quando lui o lei digitano "sudo" prima di un comando, aggiungere la riga seguente:
+
With sudo installed and configured, users are able to prefix commands with {{Codeline|sudo}} to run said command with superuser (or other) privileges. For example:
 +
$ sudo pacman -Syu
 +
 
 +
See the [http://www.gratisoft.us/sudo/man/sudo.html sudo manual] for more information.
 +
 
 +
== Configuration ==
 +
 
 +
The configuration file for sudo is {{Filename|/etc/sudoers}}. '''This file should not be edited directly!''' Instead, users must run the command {{Codeline|visudo}} as root, which opens a temporary copy of the configuration file in ''$EDITOR''. (If uncomfortable with ''vi'' (default), try the command {{Codeline|<nowiki>export EDITOR=nano</nowiki>}} first.)
 +
# visudo
 +
 
 +
When the file is saved, {{Codeline|visudo}} will double-check the file for syntax errors before overwriting the existing {{Filename|/etc/sudoers}} file. This safety feature exists because sudo will be rendered unusable if the configuration file contains errors.
 +
 
 +
To allow a user to gain full root privileges when he/she precedes a command with "sudo", add the following line:
 
  USER_NAME  ALL=(ALL) ALL
 
  USER_NAME  ALL=(ALL) ALL
  
dove USER_NAME è il nome utente dell'individuo.
+
Allow a user sudo access from the local machine only:
 +
USER_NAME   HOSTNAME=(ALL) ALL
  
== Abilitare il completamento con TAB per gli utenti sudo ==
+
Allow members of [[Groups|group]] wheel sudo access requiring no password:
 +
%wheel      ALL=(ALL) NOPASSWD: ALL
 +
 
 +
where USER_NAME is the user name of the individual.
 +
 
 +
A detailed {{Filename|sudoers}} example can be found [http://www.gratisoft.us/sudo/sample.sudoers here]. Otherwise, see the [http://www.gratisoft.us/sudo/man/sudoers.html sudoers manual] for detailed information.
 +
 
 +
{{note|PARTE VECCHIA DELLA TRADUZION- E Per far sì che un utente sia un utente sudo (un "sudoer"), digitare "visudo" da root. Questo comando aprirà il file /etc/sudoers in una speciale sessione di vi. (Non editare /etc/sudoers direttamente con un editor). Per dare all'utente pieni privilegi quando lui o lei digitano "sudo" prima di un comando, aggiungere la riga seguente- USER_NAME  ALL=(ALL) ALL dove USER_NAME è il nome utente dell'individuo.}}
 +
 
 +
 
 +
=== Password timeout ===
 +
 
 +
Users may wish to change the default timeout before the password expires. This is accomplished by adding following to {{Filename|/etc/sudoers}} ({{Codeline|visudo}}) for example:
 +
Defaults:USER_NAME timestamp_timeout=20
 +
 
 +
where the password expires for user USER_NAME if unused for over 20 minutes.
 +
 
 +
{{Tip|To ensure sudo always asks for a password, set the timeout to zero.}}
 +
 
 +
== Tips and tricks ==
 +
 
 +
=== Abilitare il completamento con TAB per gli utenti sudo ===
  
 
Il completamento con TAB, di default, non funzionerà quando un utente è stato aggiunto inizialmente al file dei sudoers. Ad esempio, normalmente, Marco deve soltanto digitare:
 
Il completamento con TAB, di default, non funzionerà quando un utente è stato aggiunto inizialmente al file dei sudoers. Ad esempio, normalmente, Marco deve soltanto digitare:
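Review bot: the added `%wheel      ALL=(ALL) NOPASSWD: ALL` line in the new Configuration section gives every member of wheel passwordless root and is listed without any caveat beside the plain `USER_NAME   ALL=(ALL) ALL` rule; I would show `%wheel ALL=(ALL) ALL` as the group example and describe NOPASSWD separately, with its trade-off stated. The sentence "where USER_NAME is the user name of the individual" now follows the %wheel line, which contains no USER_NAME; move it up beside the USER_NAME rules and say what HOSTNAME stands for in the local-machine rule. The {{note|...}} holding the old Italian text contains an unescaped "=" (in `ALL=(ALL) ALL`), which MediaWiki parses as a named template parameter, so the note body will not display; escape it or drop the note.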
Line 52: Line 86:
 
  complete -cf sudo
 
  complete -cf sudo
  
 +
=== Environment variables ===
 +
 +
If you have a lot of environment variables, or you export your proxy settings via <tt>export http_proxy="..."</tt>, when using sudo these variables do not get passed to the root account unless you run sudo with the {{Codeline|-E}} option.
 +
$ sudo -E pacman -Syu
 +
 +
Because of this you may wish to add an alias in {{Filename|~/.bashrc}}:
 +
alias sudo="sudo -E"
 +
 +
Another way of fixing this would be to add in {{Filename|/etc/sudoers}}:
 +
Defaults !env_reset
 +
 +
If you want to just pass <tt>*_proxy</tt> variables, add the following:
 +
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
 +
 +
=== Passing aliases ===
 +
 +
If you use a lot of aliases, you might have noticed that they do not carry over to the root account when using sudo. However, there is an easy way to make them work. Simply add the following to your {{Filename|~/.bashrc}} or {{Filename|/etc/bash.bashrc}}:
 +
alias sudo='sudo '
 +
 +
=== Insults ===
 +
 +
Users can configure sudo to display clever insults when an incorrect password is entered instead of printing the default "wrong password" message. Find the Defaults line in {{Filename|/etc/sudoers}} and append "insults" after a comma to existing options. The final result might look like this:
 +
#Defaults specification
 +
Defaults insults
 +
 +
To test, type {{Codeline|sudo -K}} to end the current session a let sudo ask for the password again.
 +
 +
=== Root password ===
 +
 +
Users can configure sudo to ask for the root password instead of the user password by adding "rootpw" to the Defaults line in {{Filename|/etc/sudoers}}:
 +
Defaults timestamp_timeout=0,rootpw
 +
 +
=== Disable root login ===
 +
 +
{{Warning|Arch Linux is not fine-tuned to run with a disabled root account. Users may encounter problems with this method.}}
 +
 +
With sudo installed and configured, users may wish to disable the root login. Without root, attackers must first guess a user name configured as a sudoer as well as the user password.
 +
 +
'''Ensure a user is properly configured as a sudoer ''before'' disabling the root account!'''
 +
 +
The account can be locked via {{Codeline|passwd}}:
 +
# passwd -l root
 +
 +
A similar command unlocks root.
 +
$ sudo passwd -u root
 +
 +
Alternatively, edit {{Filename|/etc/shadow}} and replace the root's encrypted password with "!":
 +
root:!:12345::::::
 +
 +
To enable root login again:
 +
$ sudo passwd root
 +
 +
==== kdesu ====
 +
 +
kdesu may be used under KDE to launch GUI applications with root privileges. It is possible that by default kdesu will try to use su even if the root account is disabled. Fortunately one can tell kdesu to use sudo instead of su. Create/edit the file {{Filename|/usr/share/config/kdesurc}}:
 +
[super-user-command]
 +
super-user-command=sudo
 +
 +
 +
 +
 +
{{warning| DA QUI PARTE VECCHIA EVENTUALMENTE CANCELLABILE}}
 
== Sommario ==
 
== Sommario ==
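Review bot: `Defaults !env_reset` in the new Environment variables section is offered as just another fix, but it turns off the environment reset for every sudo invocation, so the caller's whole environment reaches commands run as root; lead with the `env_keep += "ftp_proxy http_proxy https_proxy no_proxy"` form and mark `!env_reset` as the broader, less safe setting. The same hunk adds `alias sudo="sudo -E"` and, under Passing aliases, `alias sudo='sudo '`; a reader who follows both keeps only the later definition, so say how to combine them (`alias sudo='sudo -E '`). In Insults, "a let sudo ask" should read "and let sudo ask".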
  

Revision as of 16:09, 4 May 2010


This article or section needs to be translated.

Note: This article is being translated. For now, follow the instructions in the English version.

Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.[1]

Rationale

Sudo is a secure alternative to the traditional su command. Many times the user utilizes su (substitute user) to gain root privileges. Generally, it is considered unwise to log in as root (the superuser) for extended periods of time. The root user enjoys complete and absolute control over the entire system, but at great risk! Simple typos can easily render a system unusable, and any applications run as root share this unfettered access.

Rather, sudo grants temporary privilege escalation for a single command (whether as root or another user), returning to the unprivileged state after completion and rendering the system safe from unintended consequences. Additionally, sudo logs all commands and failed access attempts for security auditing.

Installation

To install sudo:

pacman -S sudo

By default, users will not be allowed to run sudo. See #Configuration for instructions.

Usage

With sudo installed and configured, users are able to prefix commands with sudo to run said command with superuser (or other) privileges. For example:

$ sudo pacman -Syu

See the sudo manual (http://www.gratisoft.us/sudo/man/sudo.html) for more information.

Configuration

The configuration file for sudo is /etc/sudoers. This file should not be edited directly! Instead, users must run the command visudo as root, which opens a temporary copy of the configuration file in $EDITOR. (If uncomfortable with vi (default), try the command export EDITOR=nano first.)

# visudo

When the file is saved, visudo will double-check the file for syntax errors before overwriting the existing /etc/sudoers file. This safety feature exists because sudo will be rendered unusable if the configuration file contains errors.

To allow a user to gain full root privileges when he/she precedes a command with "sudo", add the following line:

USER_NAME   ALL=(ALL) ALL

Allow a user sudo access from the local machine only:

USER_NAME   HOSTNAME=(ALL) ALL

Allow members of group wheel sudo access requiring no password:

%wheel      ALL=(ALL) NOPASSWD: ALL

where USER_NAME is the user name of the individual.

A detailed sudoers example can be found at http://www.gratisoft.us/sudo/sample.sudoers. Otherwise, see the sudoers manual (http://www.gratisoft.us/sudo/man/sudoers.html) for detailed information.


Password timeout

Users may wish to change the default timeout before the password expires. This is accomplished by adding the following to /etc/sudoers (visudo), for example:

Defaults:USER_NAME timestamp_timeout=20

where the password expires for user USER_NAME if unused for over 20 minutes.

Tip: To ensure sudo always asks for a password, set the timeout to zero.

Tips and tricks

Enabling TAB completion for sudo users

By default, TAB completion will not work when a user has first been added to the sudoers file. For example, normally Marco only has to type:

fir<TAB>

and the shell will complete the command as follows:

firefox

If, however, Marco were added to the sudoers file and typed:

sudo fir<TAB>

the shell would do nothing.

If you use bash programmable completion, uncomment the following lines in the /etc/bash_completion file:

# user commands see only users
complete -u su usermod userdel passwd chage write chfn groups slay w
# group commands see only groups
[ -n "$bash205" ] && complete -g groupmod groupdel newgrp 2>/dev/null

Otherwise add the following line to your ~/.bashrc (only if you have not modified the bash_completion file, because it overrides the settings for sudo):

complete -cf sudo

Environment variables

If you have a lot of environment variables, or you export your proxy settings via export http_proxy="...", when using sudo these variables do not get passed to the root account unless you run sudo with the -E option.

$ sudo -E pacman -Syu

Because of this you may wish to add an alias in ~/.bashrc:

alias sudo="sudo -E"

Another way of fixing this would be to add in /etc/sudoers:

Defaults !env_reset

If you want to just pass *_proxy variables, add the following:

Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
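
An added example, not part of the ArchWiki page: a small lint pass over a sudoers fragment that flags the settings from this page that widen what sudo allows (`!env_reset`, `NOPASSWD: ALL`, and a long or never-expiring `timestamp_timeout`). The user alice, the finding codes, the 15-minute limit and the sample file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: lint a sudoers fragment for settings this page introduces.
# Assumptions: user "alice", the finding codes and the 15-minute limit are
# made up for illustration; the sample file below is constructed.

MAX_TIMEOUT="${MAX_TIMEOUT:-15}"   # minutes; assumed site policy, not a sudo default

sample_sudoers() {
cat <<'EOF'
# constructed sample
Defaults insults
Defaults !env_reset
Defaults:alice timestamp_timeout=20
alice   ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
EOF
}

# Reads sudoers text on stdin, prints one finding per line as LINE:CODE:DETAIL.
# Limitation: does not follow include directives or expand aliases.
audit_sudoers() {
  awk -v max="$MAX_TIMEOUT" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    /^[ \t]*Defaults/ {
      # Whole caller environment is passed to privileged commands.
      if ($0 ~ /![ \t]*env_reset/) print NR ":ENV_RESET_OFF:" $1
      # Cached credentials: a negative value means the timestamp never expires.
      if (match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
        v = substr($0, RSTART, RLENGTH)
        sub(/^[^=]*=[ \t]*/, "", v)
        if (v + 0 < 0 || v + 0 > max) print NR ":LONG_TIMEOUT:" v
      }
      next
    }
    # Any command as root with no password prompt.
    /NOPASSWD[ \t]*:[ \t]*ALL[ \t]*$/ { print NR ":NOPASSWD_ALL:" $1 }
  '
}

# Run against the constructed sample; on a real host, feed it a copy of the file.
sample_sudoers | audit_sudoers
```

The `env_keep` line produces no finding, which is the point: it passes only the named proxy variables while the environment reset stays on.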

Passing aliases

If you use a lot of aliases, you might have noticed that they do not carry over to the root account when using sudo. However, there is an easy way to make them work. Simply add the following to your ~/.bashrc or /etc/bash.bashrc:

alias sudo='sudo '

Insults

Users can configure sudo to display clever insults when an incorrect password is entered instead of printing the default "wrong password" message. Find the Defaults line in /etc/sudoers and append "insults" after a comma to existing options. The final result might look like this:

#Defaults specification
Defaults insults

To test, type sudo -K to end the current session and let sudo ask for the password again.

Root password

Users can configure sudo to ask for the root password instead of the user password by adding "rootpw" to the Defaults line in /etc/sudoers:

Defaults timestamp_timeout=0,rootpw

Disable root login

Warning: Arch Linux is not fine-tuned to run with a disabled root account. Users may encounter problems with this method.

With sudo installed and configured, users may wish to disable the root login. Without root, attackers must first guess a user name configured as a sudoer as well as the user password.

Ensure a user is properly configured as a sudoer before disabling the root account!

The account can be locked via passwd:

# passwd -l root

A similar command unlocks root.

$ sudo passwd -u root

Alternatively, edit /etc/shadow and replace the root's encrypted password with "!":

root:!:12345::::::

To enable root login again:

$ sudo passwd root

kdesu

kdesu may be used under KDE to launch GUI applications with root privileges. It is possible that by default kdesu will try to use su even if the root account is disabled. Fortunately one can tell kdesu to use sudo instead of su. Create/edit the file /usr/share/config/kdesurc:

[super-user-command]
super-user-command=sudo



Warning: FROM HERE ON, OLD PART THAT MAY BE DELETED

Summary

To summarize, the following settings meet most needs, where USER_NAME is the user name of the individual:

1. pacman -S sudo
2. add "USER_NAME   ALL=(ALL) ALL" to the /etc/sudoers file using the "visudo" command
3. add "complete -cf sudo" to the /home/USER_NAME/.bashrc file

See also