sudo is a package which will allow priveleged users to run commands as other users. This is sort of like assigning users(delegation) to different groups to give them special permissions to files. However, this can allow users acccess to specific commands on specific machines, making it a more effective and more organized way of giving special priveleges to users.
It is often a server needs to be administered by a number of people and it is not a good idea for all them to use root account.This is because it becomes difficult to determine exactly who did what,when and where if everyone logs in with the same credentials.The sudo utility was designed to overcome this facility.
The /etc/sudoers file contains all the configuration and permission parameters needed for sudo to work.
Format of /etc/sudoers file
"usernames/group" "Run on Host" = "Run command as" "Comma separated list of commands"
There are some general guidelines when editing this file:
This feature can be convenient for programmers who sometimes need to kill processes related to projects they are working on. For example, programmer peter is on the team developing a financial package that runs a program called monthend as user accounts. From time to time the application fails, requiring "peter" to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill commands but only as user "accounts". The sudoers entry would look like this:
In the next example, users peter, bob and bunny and all the users in the operator group are made part of the user alias ADMINS. All the command shell programs are then assigned to the command alias SHELLS. Users ADMINS are then denied the option of running any SHELLS commands and su:
It is often a server needs to be administered by a number of people and it is not a good idea for all them to use root account.This is because it becomes difficult to determine exactly who did what,when and where if everyone logs in with the same credentials.The sudo utility was designed to overcome this facility.
The /etc/sudoers file contains all the configuration and permission parameters needed for sudo to work.
Format of /etc/sudoers file
"usernames/group" "Run on Host" = "Run command as" "Comma separated list of commands"
There are some general guidelines when editing this file:
- Groups are the same as user groups and are differentiated from regular users by a % at the beginning. E.g., Linux user group "users" would be represented by %users.
- You can have multiple usernames per line separated by commas.
- Multiple commands also can be separated by commas. Spaces are considered part of the command.
- Keyword ALL can mean all usernames, groups, commands and servers.
- If you run out of space on a line, you can end it with a back slash (\) and continue on the next line.
- sudo assumes that the sudoers file will be used network wide, and therefore offers the option to specify the names of servers which will be using it in the "Run on Host" position. In most cases, the file is used by only one server and the keyword ALL suffices for the Host name.
- The NOPASSWD keyword provides access without prompting for your password.
Granting All Access to Specific Users
You can grant users bob and bunny full access to all privileged commands, with this sudoers entry.bob, bunny ALL=(ALL) ALL
This is generally not a good idea because this allows bob and bunny to use the su command to grant themselves permanent root privileges thereby bypassing the command logging features of sudo. The example on using aliases in the sudoers file shows how to eliminate this prob Granting Access To Specific Users To Specific Files
This entry allows user peter and all the members of the group operator to gain access to all the program files in the /sbin and /usr/sbin directories, plus the privilege of running the command /usr/local/apps/check.pl. Notice how the trailing slash (/) is required to specify a directory location:peter, %operator ALL= /sbin/, /usr/sbin, /usr/local/apps/check.pl
Notice also that the lack of any username entries within parentheses () after the = sign prevents the users from running the commands automatically masquerading as another user. This is explained further in the next example. Granting Access to Specific Files as Another User
The sudo -u entry allows allows you to execute a command as if you were another user, but first you have to be granted this privilege in the sudoers file.This feature can be convenient for programmers who sometimes need to kill processes related to projects they are working on. For example, programmer peter is on the team developing a financial package that runs a program called monthend as user accounts. From time to time the application fails, requiring "peter" to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill commands but only as user "accounts". The sudoers entry would look like this:
peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
User peter is allowed to stop the monthend process with this command: [peter@bigboy peter]# sudo -u accounts pkill monthend
Granting Access Without Needing Passwords
This example allows all users in the group operator to execute all the commands in the /sbin directory without the need for entering a password. This has the added advantage of being more convenient to the user:%operator ALL= NOPASSWD: /sbin/
Using Aliases in the sudoers File
Sometimes you'll need to assign random groupings of users from various departments very similar sets of privileges. The sudoers file allows users to be grouped according to function with the group and then being assigned a nickname or alias which is used throughout the rest of the file. Groupings of commands can also be assigned aliases too.In the next example, users peter, bob and bunny and all the users in the operator group are made part of the user alias ADMINS. All the command shell programs are then assigned to the command alias SHELLS. Users ADMINS are then denied the option of running any SHELLS commands and su:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
/usr/bin/ksh, /usr/local/bin/tcsh, \
/usr/bin/rsh, /usr/local/bin/zsh
User_Alias ADMINS = peter, bob, bunny, %operator
ADMINS ALL = !/usr/bin/su, !SHELLS
This attempts to ensure that users don't permanently su to become root, or enter command shells that bypass sudo's command logging. It doesn't prevent them from copying the files to other locations to be run. The advantage of this is that it helps to create an audit trail, but the restrictions can be enforced only as part of the company's overall security policy. 
No comments:
Post a Comment