If a server needs to be administered by a number of people, it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.
With sudo (which stands for "superuser do"), you can delegate a limited set of administrative responsibilities to other users, who are strictly limited to the commands you allow them. sudo creates a thorough audit trail, so everything users do gets logged; if users somehow manage to do something they shouldn't have, you'll be able to detect it and apply the needed fixes. You can even configure sudo centrally, so its permissions apply to several hosts.
To run a privileged command, prefix it with the word sudo followed by the command's regular syntax. When you run a command with the sudo prefix, you will be prompted for your own password (not root's) before it is executed. You may run other privileged commands with sudo within a five-minute period without being re-prompted for a password. All commands run through sudo are logged in the log file /var/log/messages.
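The audit trail is only useful if someone reads it. As an added example (not part of the original post), the following Python script parses the records sudo writes to syslog, which have the shape "user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...", over a few constructed sample lines. It counts what each user ran, lists rejected attempts (records that carry a reason such as "command not allowed" before the TTY field), and flags commands that start a shell or su, because once a user holds an interactive root shell sudo no longer logs the individual commands typed inside it. The sample hostnames, users, commands and the SHELL_ESCAPES list are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format sudo sends to syslog (hosts, users and
# commands are made up for this example; the sshd line shows a non-sudo entry).
SAMPLE_LOG = """\
Mar  3 10:15:02 web1 sudo:   user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/reboot
Mar  3 10:16:44 web1 sudo:     joe : command not allowed ; TTY=pts/1 ; PWD=/home/joe ; USER=root ; COMMAND=/usr/bin/passwd root
Mar  3 10:17:10 web1 sudo:   user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/su -
Mar  3 10:20:31 db1 sudo:     anna : TTY=pts/2 ; PWD=/home/anna ; USER=pgsql ; COMMAND=/usr/bin/psql
Mar  3 10:21:05 db1 sudo:     anna : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/anna ; USER=root ; COMMAND=/bin/bash
Mar  3 10:22:00 web1 sshd[1234]: Accepted publickey for user1 from 10.0.0.5 port 50000 ssh2
"""

# One sudo record: "user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...".
# A reason before TTY= only appears when the attempt was rejected.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")

# Programs that hand the caller an interactive shell: from then on sudo logs nothing
# further, so these events are worth reviewing one by one (assumed list).
SHELL_ESCAPES = {"/bin/su", "/usr/bin/su", "/bin/sh", "/bin/bash", "/usr/bin/bash"}

def parse_sudo_log(text):
    """Return one dict per sudo record; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ok"] = e["reason"] is None      # no reason field means the command ran
            events.append(e)
    return events

def audit(events):
    """Per-user counts, rejected attempts, and shell escapes (successful or not)."""
    report = {"per_user": Counter(), "denied": [], "shells": []}
    for e in events:
        report["per_user"][e["user"]] += 1
        if not e["ok"]:
            report["denied"].append((e["host"], e["user"], e["reason"], e["cmd"]))
        if e["cmd"].split()[0] in SHELL_ESCAPES:
            report["shells"].append((e["host"], e["user"], e["runas"], e["cmd"], e["ok"]))
    return report

if __name__ == "__main__":
    rep = audit(parse_sudo_log(SAMPLE_LOG))
    for section in ("denied", "shells"):
        for item in rep[section]:
            print(section, item)
```

On a real host the same parser can be pointed at /var/log/messages (or wherever syslog routes the authpriv facility); a shell escape by an account that is only supposed to run a handful of commands is the event to alert on, since it is exactly the case where sudo's per-command logging stops.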
SUDO
Sudo is a standard way to give users some administrative rights without giving out the root password. Sudo is very useful in a multi-user environment with a mix of servers and workstations. Simply call the command with sudo:
# sudo /etc/init.d/dhcpd restart   # Run the rc script as root
# sudo -u sysadmin whoami          # Run the command as another user
Configuration
Sudo is configured in /etc/sudoers and must only be edited with visudo. The basic syntax is (the lists are comma separated):
user hosts = (runas) commands   # In /etc/sudoers
- users: one or more users or %group (like %wheel) to gain the rights
- hosts: list of hosts (or ALL)
- runas: list of users (or ALL) that the command rule can be run as. It is enclosed in ( )!
- commands: list of commands (or ALL) that will be run as root or as (runas)
Additionally, those keywords can be defined as aliases, called User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias. This is useful for larger setups. Here is a sudoers example:
# cat /etc/sudoers
# Host aliases are subnets or hostnames.
Host_Alias DMZ = 212.118.81.40/28
Host_Alias DESKTOP = work1, work2
# User aliases are a list of users which can have the same rights
User_Alias ADMINS = colin, luca, admin
User_Alias DEVEL = joe, jack, julia
Runas_Alias DBA = oracle,pgsql
# Command aliases define the full path of a list of commands
Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root # Not root pwd!
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
# The actual rules
root,ADMINS ALL = (ALL) NOPASSWD: ALL # ADMINS can do anything w/o a password.
DEVEL DESKTOP = (ALL) NOPASSWD: ALL # Developers have full rights on desktops
DEVEL DMZ = (ALL) NOPASSWD: DEBUG # Developers can debug the DMZ servers.
# User sysadmin can mess around in the DMZ servers with some commands.
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL # Can do anything outside the DMZ.
%dba ALL = (DBA) ALL # Group dba can run as database user.
# anyone can mount/unmount a cd-rom on the desktop machines
ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
EX: Configuring sudo and adding users to the wheel group
The sudo configuration file is /etc/sudoers. We should never edit this file manually. Instead, use the visudo command:
# visudo
This protects from conflicts (when two admins edit this file at the same time) and guarantees that the right syntax is used (and that the permission bits are correct). The program uses the vi text editor.
All Access to Specific Users
You can grant users user1 and user2 full access to all privileged commands with this sudoers entry:
root ALL=(ALL) ALL
user1,user2 ALL=(ALL) ALL
This is generally not a good idea, because it allows user1 and user2 to use the su command to grant themselves permanent root privileges, thereby bypassing the command logging features of sudo.
Access to Specific Users to Specific Files
This entry allows user1 and all the members of the group operator to run all the program files in the /sbin and /usr/sbin directories, plus the command /usr/apps/check.pl. A directory entry must end with a trailing slash for sudo to treat it as "every file in this directory":
user1, %operator ALL= /sbin/, /usr/sbin/, /usr/apps/check.pl
Access to Specific Files as Another User
This entry allows user1 to run the listed kill commands as the user accounts (and only as that user):
user1 ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
Access Without Needing Passwords
This example allows all users in the group operator to execute all the commands in the /sbin directory without the need for entering a password.
%operator ALL= NOPASSWD: /sbin/
Adding users to the wheel group
The wheel group is a legacy from UNIX. When a server had to be maintained at a higher level than the day-to-day system administrator, root rights were often required. The 'wheel' group was used to create a pool of user accounts that were allowed to get that level of access to the server. If you weren't in the 'wheel' group, you were denied access to root.
Edit the configuration file (/etc/sudoers) with visudo and change these lines:
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
To this (as recommended):
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
This will allow anyone in the wheel group to execute commands using sudo (rather than having to add each person one by one).
Finally, use the following command to add a user (e.g. user1) to the wheel group. The -a flag appends wheel to the user's existing supplementary groups instead of replacing them:
# usermod -aG wheel user1