Category: LINUX

2008-09-10 21:06:46

Root authorization via sudo (superuser do)

The sudo command allows an authenticated user to execute an authorized command as root.

Why use sudo?

  • Provides a way to limit root privileges
  • Provides a way to distribute root activities to users or groups of users without giving them the root password!
    • once you have root privileges you can do anything on the system
    • what if you wanted certain users to have the ability to reboot, or run backups
  • Provides an audit trail for root
  • Note: there are ways to circumvent the system.
How does it work?
  • sudo's argument is the command to be executed as root:

    $ sudo passwd jimmyt

NOTE: You can install sudo via rpm, or ftp the tar file from the sudo distribution site. Most Linux vendors provide sudo in their distribution.

Logging

  • Log file locations will vary depending on how you configure sudo during install.
  • The log facility is typically either local2, auth, or authpriv.
  • RedHat 7.3 defaults to authpriv which logs to /var/log/secure.
Configuration
sudo determines whether a user is authorized to run a specific command as root by examining its configuration file, /etc/sudoers.

 

  • sudo config file: /etc/sudoers
  • sudo binary, which prefaces each command (e.g. sudo mount /mnt/distro): /usr/bin/sudo
  • sudo binary to edit the sudoers file and check its syntax (e.g. sudo visudo): /usr/sbin/visudo

/etc/sudoers the sudo configuration file

  • Define aliases for users, machines, and commands
  • This makes assigning permissions much easier
sudoer aliases
  • must supply the full path to commands; options (arguments) can be specified
  • lists are comma separated
  • may supply users, groups or netgroups for user aliases
  • may supply hostnames, IP addresses, network/netmask pairs, netgroups or other host aliases for host aliases
# User aliases
User_Alias          ADMINS=pattyo,joel
User_Alias          STUDENTS=tim,mary,jack

# Machine aliases
Host_Alias          SERVERS=ponto,oaxaca,colima
Host_Alias          SCIENCE=curie,salk,pasteur

# Command aliases
Cmnd_Alias          SHUT=/sbin/shutdown -r *
Cmnd_Alias          DUMP=/sbin/dump,/sbin/restore
Cmnd_Alias          SHELLS=/bin/sh,/bin/tcsh,/bin/bash,/bin/csh
Cmnd_Alias          PRINT=/usr/sbin/lpc,/usr/sbin/lprm

# Privileges
ADMINS              ALL=(ALL)ALL
STUDENTS            ALL,!SERVERS=(operator)SHUT,DUMP
kelly               ALL=NOPASSWD:PRINT
jimj,mikes          SCIENCE=(ALL)ALL,!SHELLS
dylan               goku=(ALL)ALL

After the aliases section (above), each permission line contains the following information:

  • the user(s) who can execute the command
  • the hosts on which they can execute it
  • the commands that the user can run
  • the user or group that the command will be executed as
    • the default is root
    • note the operator example above
Explanation of Privileges in configuration file above:
    The first permission line:

    ADMINS       ALL=(ALL)ALL

    applies to the users in the alias ADMINS, pattyo and joel: on all machines they can execute any command, running as any user.

    The second permission line:

    STUDENTS     ALL,!SERVERS=(operator)SHUT,DUMP

    applies to the STUDENTS: tim, mary and jack, on all machines except the SERVERS: ponto, oaxaca and colima. They can execute the commands shutdown, dump and restore, only as the user operator. The command line they would use would be something like this:

    $ sudo -u operator /sbin/dump 0u /dev/hda3

    The fourth permission line:

    jimj,mikes   SCIENCE=(ALL)ALL,!SHELLS

    applies to the users jimj and mikes on the machines curie, salk and pasteur where they have permission to run all commands as any user except shells.
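To see how these permission lines actually resolve, here is an added example (not from the original post): a small Python evaluator for exactly the subset of sudoers syntax used in the sample policy above. `parse_sudoers`, `check` and the `Decision` tuple are names of my own; the policy text is a constructed copy of the sample, and the evaluator deliberately ignores everything the sample does not use (Defaults, %group names, netgroups, wildcards in paths), so it illustrates the matching rules rather than standing in for sudo itself.

```python
"""Toy evaluator for the subset of sudoers syntax used in the sample policy above
(added example, not from the original post): User/Host/Cmnd aliases, comma lists,
'!' negation, one '(runas)' spec per rule, the NOPASSWD: tag and a glob in command
arguments. No Defaults, %group names, netgroups or path wildcards."""
import fnmatch
from collections import namedtuple

Decision = namedtuple("Decision", "allowed nopasswd")

# Constructed copy of the sample /etc/sudoers above (comments and blanks dropped).
SAMPLE_SUDOERS = """
User_Alias          ADMINS=pattyo,joel
User_Alias          STUDENTS=tim,mary,jack
Host_Alias          SERVERS=ponto,oaxaca,colima
Host_Alias          SCIENCE=curie,salk,pasteur
Cmnd_Alias          SHUT=/sbin/shutdown -r *
Cmnd_Alias          DUMP=/sbin/dump,/sbin/restore
Cmnd_Alias          SHELLS=/bin/sh,/bin/tcsh,/bin/bash,/bin/csh
Cmnd_Alias          PRINT=/usr/sbin/lpc,/usr/sbin/lprm
ADMINS              ALL=(ALL)ALL
STUDENTS            ALL,!SERVERS=(operator)SHUT,DUMP
kelly               ALL=NOPASSWD:PRINT
jimj,mikes          SCIENCE=(ALL)ALL,!SHELLS
dylan               goku=(ALL)ALL
"""

def _split_list(text):
    """Split a comma-separated sudoers list, trimming each item."""
    return [item.strip() for item in text.split(",") if item.strip()]

def parse_sudoers(text):
    """Return (aliases, rules): aliases is kind -> name -> members; each rule is
    (users, hosts, runas, cmnds) with cmnds a list of (nopasswd, entry) pairs."""
    aliases = {"User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        head, rest = parts
        if head in aliases:                          # alias definition
            name, _, members = rest.partition("=")
            aliases[head][name.strip()] = _split_list(members)
            continue
        hosts, _, spec = rest.partition("=")         # privilege line
        spec, runas = spec.strip(), ["root"]         # no (runas) spec means root
        if spec.startswith("("):
            inner, _, spec = spec[1:].partition(")")
            runas = _split_list(inner)
        cmnds, nopasswd = [], False                  # a tag sticks until changed
        for item in _split_list(spec):
            for tag in ("NOPASSWD:", "PASSWD:"):
                if item.startswith(tag):
                    nopasswd, item = tag == "NOPASSWD:", item[len(tag):].strip()
            cmnds.append((nopasswd, item))
        rules.append((_split_list(head), _split_list(hosts), runas, cmnds))
    return aliases, rules

def _expand(aliases, kind, item):
    """Expand an optionally '!'-negated alias into (negated, value) pairs."""
    negated, name = item.startswith("!"), item.lstrip("!")
    members = aliases[kind].get(name)
    if members is None:
        return [(negated, name)]
    return [(negated != neg, value) for member in members
            for neg, value in _expand(aliases, kind, member)]

def _cmd_matches(entry, command):
    """Exact path match; entry args are a glob; an entry without args allows any args."""
    if entry == "ALL":
        return True
    entry_path, _, entry_args = entry.partition(" ")
    req_path, _, req_args = command.strip().partition(" ")
    if entry_path != req_path:
        return False
    return not entry_args.strip() or fnmatch.fnmatchcase(req_args.strip(), entry_args.strip())

def _list_matches(aliases, kind, items, value):
    """Scan a user/host list left to right; the last matching entry wins."""
    result = None
    for item in items:
        for negated, entry in _expand(aliases, kind, item):
            if entry in ("ALL", value):
                result = not negated
    return result

def check(text, user, host, command, runas="root"):
    """Decide whether user@host may run command as runas; the last matching rule wins."""
    aliases, rules = parse_sudoers(text)
    decision = Decision(False, False)                # sudo denies by default
    for users, hosts, runas_list, cmnds in rules:
        if not (_list_matches(aliases, "User_Alias", users, user)
                and _list_matches(aliases, "Host_Alias", hosts, host)
                and _list_matches(aliases, "User_Alias", runas_list, runas)):
            continue
        verdict, nopasswd = None, False
        for tagged, entry in cmnds:
            for negated, cmd in _expand(aliases, "Cmnd_Alias", entry):
                if _cmd_matches(cmd, command):
                    verdict, nopasswd = not negated, tagged
        if verdict is not None:
            decision = Decision(verdict, verdict and nopasswd)
    return decision
```

`check(SAMPLE_SUDOERS, "jack", "ponto", "/sbin/shutdown -h now")` is denied because `ALL,!SERVERS` is scanned left to right and the last match (ponto is in SERVERS) wins, which is the session shown under sudo Usage below; `check(SAMPLE_SUDOERS, "kelly", "ponto", "/usr/sbin/lpc reread lp")` is allowed with nopasswd set. Note that `(ALL)ALL,!SHELLS` denies `/bin/sh` but not a copy of the same shell at another path, because command matching is by path: a deny-list of commands is only as good as the paths it names, which the Sudo vulnerabilities section below illustrates.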

visudo: because the /etc/sudoers file can get very complicated

  • The visudo command will check for syntax errors before saving the sudoers file
    • the visudo command is included with sudo
    • If there are any errors in the sudoers file, sudo won't work at all!

sudo Usage

Example: the user kelly executing the lpc command on the server ponto:

[kelly@ponto]$ sudo /usr/sbin/lpc reread lp
lpd server pid 1184 on ponto.example.com, sending SIGHUP

Example: the user jack trying to run the shutdown command on the server ponto:

[jack@ponto]$ sudo /sbin/shutdown -h now

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these two things:

 #1) Respect the privacy of others.
 #2) Think before you type.

Password:

jack is not allowed to run sudo on ponto.  This incident will be reported.

Jack (see alias STUDENTS in configuration file) is excluded from all rootly privileges on the machine ponto.

Sudo vulnerabilities

  • It is easy for a user to extend the permissions granted in the /etc/sudoers file beyond what was intended.

    Can you think of ways to circumvent the system?

  • If a user has been granted access to all commands except shells, he/she can still use vi to edit a file and then execute a shell from within vi:

     :!/bin/tcsh

  • The user could also make a copy of a shell, put it in an alternate directory such as his/her home directory, and then use the sudo command to execute it:
[mikes@ponto]$ sudo /bin/sh
Password:
Sorry, user mikes is not allowed to execute '/bin/sh' as root on ponto.

[mikes@ponto]$ cp -p /bin/csh /tmp/csh
[mikes@ponto]$ sudo /tmp/csh
[root@ponto]$ whoami
root

Lab: Configure the sudoers file on your systems

  • Check that you have the sudo rpm installed:
    # rpm -qa sudo
  • Create the group admin on your machines:
    # groupadd admin
  • Make sure that your account is in the admin group:
    # usermod -G admin youracct
  • Create a student account (if it doesn't already exist):
    # useradd student
  • Put the student account in the additional group users:
    # usermod -G users student
  • Check the /etc/passwd and /etc/group files for your modifications:
    # grep admin /etc/group
    # grep youracct /etc/passwd
  • Modify the /etc/sudoers file using the visudo command:
    # visudo
    1. Configure the sudoers file so that the group admin has full control of your computer
    2. Configure the sudoers file such that the users group is able to restart the printer, shut down the machine, and mount the cdrom
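One way to satisfy the two lab tasks, as an added example that is not part of the original post. The `%admin` and `%users` forms grant a privilege to every member of a Unix group rather than to a named user (the sample policy earlier on the page uses only user names and aliases). The printer queue name lp, the mount point /mnt/cdrom and the /bin/mount and /bin/umount paths are assumptions for a Red Hat 7.3-style machine; adjust them to your system.

```sudoers
# Added example, not from the original page: a sudoers fragment for the two lab tasks.
# Assumed: printer queue "lp", CD-ROM mounted at /mnt/cdrom, mount/umount in /bin.

# Command aliases. Arguments are pinned so that an open-ended command does not
# grant more than the task asks for.
Cmnd_Alias   PRINTER = /usr/sbin/lpc restart lp
Cmnd_Alias   HALT    = /sbin/shutdown -h now, /sbin/shutdown -r now
Cmnd_Alias   CDROM   = /bin/mount /mnt/cdrom, /bin/umount /mnt/cdrom

# Task 1: every member of group admin (leading %) has full control, as any user.
%admin       ALL=(ALL) ALL

# Task 2: members of group users may run only the three pinned commands, as root.
%users       ALL=(root) PRINTER, HALT, CDROM
```

Pinning the arguments matters: `/bin/mount` on its own would let any member of users mount whatever device they like, and `/sbin/shutdown` on its own accepts any arguments. Alias names must be upper case. After saving, `visudo -c` (on current sudo releases) reports syntax errors without opening an editor; a broken sudoers file disables sudo entirely, as the text warns. One caveat for the lab steps themselves: `usermod -G` replaces the account's existing supplementary groups with the list given, so name all of them, or use `-a -G` where your usermod supports appending.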


 
