What is sudo?
sudo (superuser do) allows a permitted user to execute a command as the superuser or as another user. It allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. sudo operates on a per-command basis; it is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines.
Configuration file - /etc/sudoers
Sample sudoers entry: User HOSTS=(Act as User) COMMANDS
Group: name of a group allowed to use sudo. A group name is written with a leading percent sign (%).
$ sudo cat /etc/sudoers
%admin ALL=(ALL) ALL
$ grep admin /etc/group
admin:x:115:sathiya
Options
Defaults:lukman timestamp_timeout=0
runaspw – ask for the root password instead of the invoking user's own password
timestamp_timeout=0 – always ask for the password
NOPASSWD – don't ask for a password at all
(ALL) – as any target user
ALL – can run any command
Basically:
%admin – the group named "admin" (% prefix)
ALL= – on all hosts (if you distribute the same sudoers file to many computers)
(ALL) – as any target user
ALL – can run any command
Group Entries
a) %wheel ALL=(ALL) NOPASSWD: ALL
b) %wheel ALL=(bhr_spartan) NOPASSWD: ALL
c) %mailadmin snow,rain=(root) /usr/sbin/postfix, /usr/sbin/postsuper, /usr/bin/doveadm
a) Above are sample entries for groups. Any member of the wheel group can execute all commands without a password.
b) Members of the wheel group can't execute all commands as any user; they can run commands only as the user bhr_spartan, without a password.
c) The group mailadmin is allowed to run the mail server control tools as the user root on the hosts named "snow" and "rain".
User Entries
a) lukman ALL = (ALL) ALL
b) lukman ALL = NOPASSWD: ALL
c) nobody ALL=(root) NOPASSWD: /usr/sbin/rndc reload
a) The user lukman may run any command as any user on all hosts, after entering his own password.
b) Same as a), but without being asked for a password.
c) The user nobody is allowed to run rndc reload as root, on all hosts, without being asked for any password. (Normally sudo asks for the invoker's own password.)
More About the Act as User field
steve CSNETS = (operator) /usr/local/op_commands/
The user steve may run any command in the directory /usr/local/op_commands/, but only as the user operator.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and wim) may run any command as the user www (which owns the web pages), or simply su(1) to www.
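To make the field-by-field reading above concrete, here is an added example that is not part of the original post: a small Python evaluator for rules in the User HOSTS=(Act as User) [NOPASSWD:] COMMANDS form, loaded with the entries quoted on this page. It applies the sudoers matching rules for bare commands, commands with arguments and directory specs (and defaults the run-as user to root when the parentheses are omitted), treats CSNETS as a literal host name rather than a Host_Alias, and leaves aliases and Defaults lines out; the hosts, groups and command lines used in the requests are constructed.

```python
import re
from collections import namedtuple

# One rule in the post's form: User HOSTS=(Act as User) [NOPASSWD:] COMMANDS (no aliases/Defaults).
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?:(?P<tag>NOPASSWD|PASSWD)\s*:\s*)?(?P<cmds>.+)$")

# who: user name or %group; hosts and runas: sets, or {"ALL"} (runas defaults to root
# when the (...) part is omitted); nopasswd: bool; cmds: command specs, or ["ALL"]
Rule = namedtuple("Rule", "who hosts runas nopasswd cmds")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a sudoers rule: {line!r}")
    runas = m["runas"] if m["runas"] is not None else "root"
    return Rule(m["who"], set(m["hosts"].split(",")), set(runas.split(",")),
                m["tag"] == "NOPASSWD", [c.strip() for c in m["cmds"].split(",")])

def cmd_matches(spec, cmd):
    prog = cmd.split()[0]
    if spec == "ALL":
        return True
    if spec.endswith("/"):   # directory spec: any program directly inside it, any arguments
        return prog.startswith(spec) and "/" not in prog[len(spec):]
    if " " in spec:          # spec carries arguments: the whole command line must match exactly
        return cmd == spec
    return prog == spec      # bare program: arbitrary arguments are allowed

def check(rules, user, groups, host, runas, cmd):
    """Return 'denied', 'allowed (password)' or 'allowed (nopasswd)'; later matches win."""
    verdict = "denied"
    for r in rules:
        who_ok = r.who == user or (r.who.startswith("%") and r.who[1:] in groups)
        host_ok = "ALL" in r.hosts or host in r.hosts
        runas_ok = "ALL" in r.runas or runas in r.runas
        if who_ok and host_ok and runas_ok and any(cmd_matches(c, cmd) for c in r.cmds):
            verdict = "allowed (nopasswd)" if r.nopasswd else "allowed (password)"
    return verdict

# Constructed rule set built from the entries quoted in the post (CSNETS is treated
# as a literal host name here; in a real sudoers file it would be a Host_Alias).
RULES = [parse_rule(l) for l in [
    "%admin ALL=(ALL) ALL",
    "%mailadmin snow,rain=(root) /usr/sbin/postfix, /usr/sbin/postsuper, /usr/bin/doveadm",
    "lukman ALL = NOPASSWD: ALL",
    "nobody ALL=(root) NOPASSWD: /usr/sbin/rndc reload",
    "steve CSNETS = (operator) /usr/local/op_commands/",
]]
```

Calling check(RULES, "nobody", set(), "ns1", "root", "/usr/sbin/rndc stop") returns "denied" because the rule's arguments must match exactly, while the same call with "/usr/sbin/rndc reload" returns "allowed (nopasswd)".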
To get a root shell from your user account, do the following.
$ sudo bash
Once you get the root shell, you can execute any root command without having to put sudo in front of it every time.
Built-in commands won't work with sudo – command not found
sudo invokes an executable as another user, so bash built-in commands won't work with it; you will get a "command not found" error, as shown below.
For example, umask is a bash built-in command, which does not work when used with sudo:
$ sudo umask
sudo: umask: command not found
Work-around: to use a bash built-in command under sudo, first get a root shell with 'sudo bash' and then run the built-in command there.
To View Unauthorized sudo Command Executions - /var/log/secure
When a user who doesn't have sudo permission tries to run a command with sudo, they'll get the following error message.
$ sudo ls /
[sudo] password for test:
test is not in the sudoers file. This incident will be reported.
Anytime this happens, it is logged in the /var/log/secure file.