# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

The basic format of a user specification line in the sudoers file is as follows:

user host_computer=(run_as_user) command

The user can be an individual user or a group (prefixed with a % to mark the name as a group). The host_computer is usually ALL, meaning the rule applies on every host that shares this sudoers file, or localhost for the local machine; it can also be a hostname, an IP address, or a network given in address/netmask form. The (run_as_user) part, (ALL) in the sample lines above, is optional and names the users the command may be run as; when it is omitted, commands run as root. The command can be ALL, a comma-separated list of specific commands (each given as a fully qualified path, optionally followed by the exact arguments that are permitted), or a command excluded by prepending a ! to it. Note that such exclusions are not a real restriction: a user granted ALL, !/bin/sh can copy the shell to another name and run that instead, as the sudoers man page warns. A number of options (tags such as NOPASSWD:) are available for use with a sudoers line, and aliases can be used to simplify the assignment of privileges. Again, the sudoers man page gives the details, but here are a few examples:

If you uncomment the following line (remove the leading #):

# %wheel ALL=(ALL) ALL

any user you add to the wheel group can execute any command, as any user, after entering their own password (not the root password).

Suppose that you want to give user vanessa permission, on every host that shares this sudoers file, to add users with the graphical interface. You would add the following line (the command must be given as a fully qualified path, so the sudoers parser can identify it):

vanessa ALL=/usr/bin/system-config-users

Or perhaps you would grant the permission only on her own computer, identified here by its IP address:

vanessa 192.168.1.87=/usr/bin/system-config-users

If you want to give the editors group systemwide permission, with no password required, to delete files, you use this (be aware that, because no arguments are specified, members can delete any file on the system as root; add the permitted arguments if that is not what you intend):

%editors ALL=NOPASSWD: /bin/rm

If you want to give every user permission, with no password required, to mount and unmount the CD drive on the local host, use the following (the two commands are separated by a comma, and the NOPASSWD: tag carries over to both):

ALL localhost=NOPASSWD: /sbin/mount /dev/scd0 /mnt/cdrom, /sbin/umount /mnt/cdrom

It is also possible to use wildcards in the construction of the sudoers file, but use them with care in command arguments: a wildcard also matches spaces, so an entry such as /bin/cat /var/log/* would also permit sudo cat /var/log/messages /etc/shadow. Aliases can be used, as well, to make it easier to define users, hosts, and commands. Although the man page for sudoers contains some examples, http://www.komar.org/pres/sudo/toc.html provides illustrative notes and comments on sudo use at a large aerospace company. The sudo home page at http://www.sudo.ws/ is also a useful resource for additional explanations and examples.

The following command presents users with a list of the commands they are entitled to run on the current host (root can check another user's entitlements with sudo -l -U username):

$ sudo -l
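As an added example, not code from the book, here is a small Python checker that parses sudoers user specifications in the format described above and flags the patterns this section warns about: NOPASSWD: ALL, ! exclusions, commands that are not fully qualified paths, unrestricted escape binaries, and wildcards in arguments. The sample lines are constructed from the examples above (one rewritten with a bare command name) plus two risky entries added for illustration; the list of escape binaries is illustrative, not exhaustive, and the checker does not replace visudo -c, which checks the real syntax.

```python
import re
from dataclasses import dataclass

# Constructed sample: the examples from this section (one deliberately written
# with a bare command name) plus two risky entries added for illustration.
SAMPLE_SUDOERS = """\
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
vanessa ALL=system-config-users
vanessa 192.168.1.87=/usr/bin/system-config-users
%editors ALL=NOPASSWD: /bin/rm
ALL localhost=NOPASSWD: /sbin/mount /dev/scd0 /mnt/cdrom, /sbin/umount /mnt/cdrom
%users ALL=(ALL) ALL, !/bin/sh
backup ALL=/bin/cat /var/log/*
"""

# user  host=(runas) [TAG:] command[, command...]
# (alias definitions and Defaults lines are out of scope for this checker)
USERSPEC_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$')
TAG_RE = re.compile(
    r'^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|'
    r'LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*')
# Binaries that give unrestricted root access when allowed without arguments;
# an illustrative list, not an exhaustive one.
ESCAPE_BINARIES = {'/bin/sh', '/bin/bash', '/usr/bin/vi', '/usr/bin/vim', '/bin/rm'}


@dataclass
class Command:
    text: str        # "/sbin/mount /dev/scd0 /mnt/cdrom", "ALL" or "!/bin/sh"
    nopasswd: bool   # effective NOPASSWD tag for this command


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    commands: list


def parse_rule(line):
    """Parse one user specification; return None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = USERSPEC_RE.match(line)
    if not m:
        raise ValueError(f'not a user specification: {line!r}')
    commands, nopasswd = [], False
    for item in m.group('rest').split(','):
        item = item.strip()
        # A tag applies to every command that follows it until another tag
        # changes it, so it is tracked across the comma-separated list.
        while (tag := TAG_RE.match(item)):
            if tag.group(1) == 'NOPASSWD':
                nopasswd = True
            elif tag.group(1) == 'PASSWD':
                nopasswd = False
            item = item[tag.end():].lstrip()
        if item:
            commands.append(Command(item, nopasswd))
    return Rule(m.group('user'), m.group('host'), m.group('runas') or 'root', commands)


def lint_rule(rule):
    """Return human-readable findings for the risky patterns discussed above."""
    findings = []
    for cmd in rule.commands:
        negated = cmd.text.startswith('!')
        path, _, args = cmd.text.lstrip('!').partition(' ')
        if negated:
            findings.append(f'{rule.user}: "!{path}" is not a real restriction; '
                            'the user can copy or rename the binary and run that')
        elif path == 'ALL':
            if cmd.nopasswd:
                findings.append(f'{rule.user}: NOPASSWD: ALL is a password-less '
                                f'root shell (run as {rule.runas})')
        elif not path.startswith('/'):
            findings.append(f'{rule.user}: "{path}" is not a fully qualified '
                            'path, which sudoers requires for commands')
        elif path in ESCAPE_BINARIES and not args:
            findings.append(f'{rule.user}: "{path}" with no argument restriction '
                            'can be used on any file or to obtain a root shell')
        elif any(ch in args for ch in '*?['):
            findings.append(f'{rule.user}: wildcard in the arguments of "{path}" '
                            'also matches spaces, so extra arguments can be added')
    return findings


def lint_sudoers(text):
    """Lint every user specification in text; findings are prefixed by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule:
            findings.extend(f'line {lineno}: {f}' for f in lint_rule(rule))
    return findings


if __name__ == '__main__':
    for finding in lint_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run as a script it reports five findings for the sample: the password-less %wheel entry, the bare command name, the unrestricted /bin/rm, the bypassable !/bin/sh, and the wildcard in the cat arguments; the root entry and the two mount lines pass. Tag handling deliberately follows the sudoers rule that a tag persists across the rest of the command list, which is why the umount command inherits NOPASSWD.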

Disk Quotas

On large systems with many users, you need to control the amount of disk space each user can consume. Disk quotas are designed for this purpose. Quotas are managed per filesystem (partition) and can be set both for individual users and for groups; a group's quota need not be as large as the sum of the quotas of its members.

When files are created, both a user and a group own them; ownership of the files is always part of the metadata about the files. This makes quotas based on both users and groups easy to manage.

To manage disk quotas, you must have the quota package installed on your system; it is usually installed by default. Quota management with Fedora is not enabled by default and has traditionally been enabled and configured manually by system administrators. Sysadmins use the family of quota commands, such as quotacheck to initialize the quota database files, edquota to set and edit quotas interactively, setquota to set quotas from the command line, and quotaon or quotaoff to turn quota enforcement on and off. (Other utilities include warnquota for automatically sending mail to users who are over their disk-space limit.)

Implementing Quotas

To reiterate, quotas might not be enabled even if the quota software package is installed on your system. When quotas are installed and enabled, you can see which partitions have user quotas, group quotas, or both by looking at the fourth (mount options) field of each entry in /etc/fstab. For example, this line in /etc/fstab shows that both user and group quotas are enabled for the /home partition:

/dev/sda5 /home ext3 defaults,usrquota,grpquota 1 1

The root directory of a partition with quotas enabled holds the file aquota.user or aquota.group (or both, if both types of quotas are enabled); these files contain the actual quotas. They should be owned by root with permissions 600 so that users can neither read nor write them. (Otherwise, users would change them to allow ample space for their music files and Internet art collections.) After adding the usrquota and grpquota options to /etc/fstab, remount the filesystem read-write so the new options take effect; it must not be remounted read-only, because the quota files still have to be created on it. This is easily accomplished with the following:

# mount -o remount /home

You then create the quota files with quotacheck and activate enforcement with quotaon, as described next.

The underlying console tools (complete with man pages) are as follows:

quotaon, quotaoff — Turns quota enforcement on or off for a filesystem.

repquota — Prints a summary report of disk usage and limits for users and groups.

quotacheck — Scans a filesystem and creates or updates the aquota.user and aquota.group usage tables (comparing the new and old tables of disk usage); it is run after fsck.

edquota — The basic quota management command; it opens a user's or group's limits in an editor.
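As an added example, not code from the book, the following Python script audits the two things this procedure depends on: the fourth field of /etc/fstab, which says which filesystems have usrquota or grpquota turned on, and the aquota.* files at the root of each such filesystem, which must exist, be owned by root, and be mode 0600. The fstab text and the scratch directory tree it runs against are constructed for the example; the prefix argument of audit() lets it point at that tree instead of the live root, so it runs without touching the real system.

```python
import os
import stat
import tempfile

# Constructed /etc/fstab text for this example (not from a real system).
SAMPLE_FSTAB = """\
# device      mount     type   options (4th field)          dump pass
/dev/sda1     /         ext3   defaults                     1 1
/dev/sda5     /home     ext3   defaults,usrquota,grpquota   1 2
/dev/sda6     /var      ext3   defaults,usrquota            1 2
tmpfs         /dev/shm  tmpfs  defaults                     0 0
"""

# Mount option -> quota file that quotacheck -c creates at the filesystem root.
QUOTA_FILES = {'usrquota': 'aquota.user', 'grpquota': 'aquota.group'}


def parse_fstab(text):
    """Return [(device, mountpoint, fstype, {options})] for each non-comment entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        fields = line.split()
        if len(fields) >= 4:
            device, mountpoint, fstype, options = fields[:4]
            entries.append((device, mountpoint, fstype, set(options.split(','))))
    return entries


def quota_state(text):
    """Map each mount point to the quota types its fstab options turn on."""
    return {mp: sorted(q for q in QUOTA_FILES if q in opts)
            for _, mp, _, opts in parse_fstab(text)}


def check_quota_files(mount_root, enabled):
    """Check the aquota.* files at the root of one mounted filesystem.

    For each enabled quota type the file must exist, be owned by root and be
    mode 0600, so unprivileged users can neither read nor rewrite the limits.
    """
    problems = []
    for qtype in enabled:
        path = os.path.join(mount_root, QUOTA_FILES[qtype])
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f'{path}: missing; run quotacheck -c on {mount_root}')
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != 0:
            problems.append(f'{path}: owned by uid {st.st_uid}, expected root')
        if mode & 0o077:
            problems.append(f'{path}: mode {mode:04o}, expected 0600')
    return problems


def audit(fstab_text, prefix='/'):
    """Check every quota-enabled mount; prefix relocates the mount points so the
    example can run against a scratch tree instead of the live root."""
    report = {}
    for mp, enabled in quota_state(fstab_text).items():
        if enabled:
            report[mp] = check_quota_files(os.path.join(prefix, mp.lstrip('/')), enabled)
    return report


def build_demo_tree():
    """Constructed scratch tree standing in for the mounted filesystems:
    /home has a world-readable aquota.user and no aquota.group at all, and
    /var has no quota files yet."""
    root = tempfile.mkdtemp(prefix='quota-demo-')
    home = os.path.join(root, 'home')
    os.makedirs(home)
    os.makedirs(os.path.join(root, 'var'))
    with open(os.path.join(home, 'aquota.user'), 'w'):
        pass
    os.chmod(os.path.join(home, 'aquota.user'), 0o644)
    return root


if __name__ == '__main__':
    print(quota_state(SAMPLE_FSTAB))
    for mp, problems in audit(SAMPLE_FSTAB, build_demo_tree()).items():
        for problem in problems:
            print(mp, '->', problem)
```

Against the scratch tree the script reports the 0644 aquota.user and the missing aquota.group under /home and the missing aquota.user under /var (plus an ownership finding when it is not run as root); pointing audit() at the live root with prefix='/' turns it into a quick post-setup check that the files quotacheck created have the permissions this section calls for.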

Manually Configuring Quotas
