Chinaunix首页 | 论坛 | 博客
  • 博客访问: 5376392
  • 博文数量: 1144
  • 博客积分: 11974
  • 博客等级: 上将
  • 技术积分: 12312
  • 用 户 组: 普通用户
  • 注册时间: 2005-04-13 20:06
文章存档

2017年(2)

2016年(14)

2015年(10)

2014年(28)

2013年(23)

2012年(29)

2011年(53)

2010年(86)

2009年(83)

2008年(43)

2007年(153)

2006年(575)

2005年(45)

分类: LINUX

2008-09-10 21:06:46

Root authorization via sudo (superuser do)

The sudo command allows a authenticated user to execute an authorized command as root.

Why use sudo?

  • Provides a way to limit root privileges
  • Provides a way to distribute root activities to users or groups of users without giving them the root password!
    • once you have root privileges you can do anything on the system
    • what if you wanted certain users to have the ability to reboot, or run backups
  • Provides an audit trail for root
  • Note: there are ways to circumvent the system.
How does it work?
  • sudo's argument is the command to be exectued as root

    $ sudo passwd jimmyt

NOTE: You can install sudo via rpm or ftp the tar file fromMost Linux vendors provide sudo in their distribution.

Logging

  • Log file locations will vary depending on how you configure sudo during install.
  • The log facility is typically either local2, auth, or authpriv.
  • RedHat 7.3 defaults to authpriv which logs to /var/log/secure.
Configuration
sudo determines whether a user is authorized to run a specific command as root by examining its configurations file, /etc/sudoers.

 

sudo config file
/etc/sudoers
sudo binary which prefaces each command,
sudo mount /mnt/distro
/usr/bin/sudo
sudo binary to edit suders file and check syntax,
sudo visudo
/usr/sbin/visudo

/etc/sudoers the sudo configuration file

  • Define aliases for users, machines, and commands
  • This makes assigning permissions much easier
sudoer aliases
  • must supply full path to commands, options can be specified
  • lists are comma separated
  • may supply users, groups or netgroups for user aliases
  • may supply hostnames, IP addresses, network/netmask pairs, or netgroups or host aliases
# User aliases
User_Alias          ADMINS=pattyo,joel
User_Alias          STUDENTS=tim,mary,jack

# Machine aliases
Host_Alias          SERVERS=ponto,oaxaca,colima
Host_Alias          SCIENCE=curie,salk,pasteur

# Command aliases
Cmnd_Alias          SHUT=/sbin/shutdown -r *
Cmnd_Alias          DUMP=/sbin/dump,/sbin/restore
Cmnd_Alias          SHELLS=/bin/sh,/bin/tcsh,/bin/bash,/bin/csh
Cmnd_Alias          PRINT=/usr/sbin/lpc,/usr/sbin/lprm

# Privileges
ADMINS              ALL=(ALL)ALL
STUDENTS            ALL,!SERVERS=(operator)SHUT,DUMP
kelly               ALL=NOPASSWD:PRINT
jimj,mikes          SCIENCE=(ALL)ALL,!SHELLS
dylan               goku=(ALL)ALL

After the aliases section (above), each permission line contains the following information

  • the user(s) who can execute the command
  • the hosts on which they can be executed
  • the commands that the user can run
  • the user or group that the command will be executed as
    • the default is root
    • not the operator example above
Explanation of Privileges in configuration file above:
    The first permission line:

    ADMINS       ALL=(ALL)ALL

    applies to the users in the alias ADMINS, pattyo and joel, on all machines, running as any user, can execute any command.

    The second permission line:

    STUDENTS     ALL,!SERVERS=(operator)SHUT,DUMP

    applies to the STUDENTS: tim, mary and jack, on all machines except the SERVERS: ponto, oaxaca and colima. They can execute the comands shutdown, dump and restore, only as the user operator.  The command line they would use would be something like this:

    $ sudo -u operator /sbin/dump 0u /dev/dha3

    The forth permission line:

    jimj,mikes   SCIENCE=(ALL)ALL,!SHELLS

    applies to the users jimj and mikes on the machines curie, salk and pasteur where they have permission to run all commands as any user except shells.

visudo because the /etc/sudoers file can get very complicated

  • The visudo command will check for syntax errors before saving the sudoers file
    • the visudo command is included with sudo
    • If there are any errors in the sudoers file, sudo won't work at all!

sudo Usage

   Example: the user kelly executing the lpc command on the server ponto:
[kelly@ponto]$ sudo /usr/sbin/lpc reread lp
lpd server pid 1184 on ponto.example.com, sending SIGHUP
   Example: the user jack trying to run the shutdown command on the server ponto:
[jack@ponto]$ sudo /sbin/shutdown -h now

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these two things:

 #1) Respect the privacy of others.
 #2) Think before you type.

Password:

jack is not allowed to run sudo on ponto.  This incident will be reported.

Jack (see alias STUDENTS in configuration file) is excluded from all rootly privileges on the machine ponto.

Sudo vulnerabilities

  • It is easy to extend the permissions granted in the /etc/sudoers file

    Can you think of ways to circumvent the system?
     

  • If a user has been granted access to all commands except shells
  • He/she can still use vi to edit a file and then execute a shell from within vi.

     :!/bin/tcsh
     

  • The the user could make a copy of a shell and put it in an alternate directory such as his/her home directory, then use the sudo command to execute it:
[mikes@ponto]$ sudo /bin/sh
Password:
Sorry, user mikes is not allowed to execute '/bin/sh' as root on ponto.

[mikes@ponto]$ cp -p /bin/csh /tmp/csh


[mikes@ponto]$ sudo /tmp/csh


[root@ponto]$ whoami

  root

Lab: Configure the sudoers file on your systems

Check that you have the sudo rpm installed
# rpm -qa sudo
Create the group admin on your machines
# groupadd admin
Make sure that your account is in the admin group
# usermod -G admin youracct
Create a student account (if it doesn't already exist)
# useradd student
Put the student account in the additional group users
# usermod -G users student
Check the /etc/passwd and /etc/group files for your modifications
# grep admin /etc/group
# grep youracct /etc/passwd
Modify the /etc/sudoers file using the visudo command
# visudo
  1. Configure the sudoers file so that the group admin has full control of your computer
  2. Configure the sudoers file such that the users group is able to restart the printer, shutdown the machine, and mount the cdrom


 

阅读(2786) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~