Learn howto secure your system and limit user access using sudo configuration. It helps to restrict superuser privileges of normal user for specific command
Many times there is a requirement where a normal user on system needs superuser privileges to run some commands. There are options to this situation which are like sharing password of superuser account so user can su to that user or declaring UID 0 to user making him superuser himself. Both options opens pandora box to user granting him limitless power on system. This is dangerous and not at all a good practice to compromise whole system for few commands. Alternative is sudo !
What is sudo ?
Sudo stands for ‘superuser do’. Sudo grants superuser (or other user’s) privileges to another user for specific/all commands. Normally sudo used to grant superuser privileges to other user hence ‘superuser do’ stands perfect for it. Beauty of sudo is you can define user access command wise. So that user is restricted to only defined commands and your system is secured from user doing stuff with root privileges without your knowledge.
Sudo configuration :
Lets see sudo configuration step by step. Here we will assign user usr5
sudo permission to execute apache bounce commands.
First of all, you need to check if sudo package is installed on your system or not.
# rpm -qa |grep sudo (RHEL, CentOS, Fedora) sudo-1.6.7p5-30.1.5 # dpkg -s sudo (Debian, Ubuntu) Package: sudo Status: install ok installed Priority: optional ---- output clipped ----
If not installed, then install it using yum or apt depending on your Linux distro.
Once installed, you will be able to edit
/etc/sudoers file which is sudo configuration file. This is plain text file which can be opened using vi editor. But its recommended to edit it using
visudo command opens
/etc/sudoers file safely and maintains integrity of file. Its the same way vipw command safely edits /etc/passwd file.
# cat /etc/sudoers # sudoers file. # # This file MUST be edited with the 'visudo' command as root. # # See the sudoers man page for the details on how to write a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # Defaults specification # User privilege specification root ALL=(ALL) ALL # Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL # Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now
See above sample sudoers file.
We will see each section of this file one by one:
1: Host alias specification –
Host alias is a list of one or more hostnames, IP addresses, network numbers or netgroups. This alias is defined so that group of hosts can be defined in configuration with single name.
Host_Alias SERVERS = 10.10.5.1, 10.10.5.2, testsrv1, testsrv3 Host_Alias NETWORK = 192.168.0.0/255.255.255.0
In above example we are defining
SERVERS alias for 4 machines declared using IP or hostname. So any sudo settings defined for
SERVERS will be applicable for all 4 machines. This saves hassle to write all 4 machine details in each and every time in settings, only writing
SERVERS will serve the purpose. Also, alias
NETWORK for the range defined.
2: User alias specification –
User alias is list of one or more users, groups, uids etc.
User_Alias ADMINS = %admin User_Alias USERS = user4, oracle65, testuser, #4523
In above example all users under system group admin are covered under alias
ADMINS. Also we defined
USERS alias for 4 machine users. #4523 indicates user with uid 4523.
3: Cmnd alias specification –
Its a list of commandnames, files or directories. Commandnames includes is complete command with wildcards support.
Cmnd_Alias ADMIN_CMDS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod Cmnd_Alias APACHE_CMDS = /etc/init.d/apache2
In above examples we defined
APACHE_CMDS aliases for list of commands listed in front of them.
4: User privilege section –
Here actual sudo setting for a user defined. Line
root ALL=(ALL) ALL indicates, account root can execute any commands from any hosts as any user. If we want to define usr5 to execute apache commands then line will be –
usr5 ALL=(ALL) NOPASSWD: APACHE_CMDS
Here usr5 is allowed to run commands defined under alias
APACHE_CMDS without password from all hosts. If
NOPASSWD is not mentioned, user will be prompted for his own password again before executing command like below (RHEL).
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for <user>:
5: Run_as alias –
Here you define list of users. This alias is used to run a command as a different user.
Here are few examples to understand how config file works :
ADMINS ALL= /sbin/poweroff
ADMINS users to run poweroff command from any host.
%users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
Allows users under group ‘users’ to mount and unmount
/cdrom from any host.
testuser SERVERS=(root) ADMIN_CMDS
Allows user ‘
testuser‘ to run commands defined under
ADMIN_CMDS from hosts defined user
SERVERS as user root.
testuser ALL=(ALL) NOPASSWD: /usr/bin/su -
Allows user ‘
testuser‘ to run command
su - without any password. This is example how to add commands with arguments in sudo configuration.
Allow user to run commands with its own password.
sudo will asks password of same user before executing
su. You need to un-comment above parameter in