Increased User Security With SUDO

Introduction to SUDO

In this tutorial I am going to explain the basics of sudo and show how to use it to grant full privileges to a normal user and to a group.

Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser.

Sudo originally stands for either “substitute user do” or “superuser do”. Sudo allows a user to run a program as another user (most often the root user). Using sudo, users can run administrative commands by placing “sudo” in front of the command.

sudo is configured through the /etc/sudoers file. A user can run only the commands that the /etc/sudoers file grants to that user.

Use the “visudo” command to edit the sudoers file; do not edit /etc/sudoers directly. There are two reasons for that: visudo prevents two users from editing the file at the same time, and it also provides syntax checking. Even if you are the only root user, you still need the syntax checking, so use “visudo”.

Benefits of using SUDO

There are a number of benefits to using sudo:

1.) Limited user access.

sudo allows you to specify a restricted list of commands that users can run. For example: administrative commands for admin users and networking commands for network users.

2.) Fewer questions to ask.

When sudo is in use, the installer has fewer questions to ask.

3.) No extra password to remember.

Users don’t have to remember an extra password for occasional use (i.e. the root password).

4.) Security policy.

sudo can be set up with a much more fine-grained security policy.

5.) Logs of the actions done by users.

All commands executed through sudo are logged in the /var/log/secure file; if you still want a dedicated log file, add the entry “Defaults logfile=/var/log/sudo.log” at the bottom of the /etc/sudoers file.

6.) No need to share the root password.

The root account password does not need to be shared with everybody who needs to perform some type of administrative tasks on the system.

Configuration of sudo (/etc/sudoers file)

As discussed above, the configuration file of sudo (/etc/sudoers) is used to assign specific commands to specific users and groups.

When you run the visudo command, the file is shown as below:

## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.

Note:  Always use visudo command to edit the configuration file of sudoers (/etc/sudoers).

As you can see there is basically one line.

root    ALL=(ALL)     ALL

As per the sudoers manual page, basically:

root = The first field indicates the username that the rule will apply to (root).
ALL = The second field “ALL” indicates that this rule applies to all hosts.
(ALL) = The third field “ALL” indicates that the root user can run commands as all users.
ALL = The last “ALL” indicates that this rule applies to all commands.

For example: the user “anil” is allowed to run useradd as root, on all hosts, without being asked for any password. (Normally sudo asks for the invoking user's own password.)

anil      ALL=(root)  NOPASSWD: /sbin/useradd

The advantage of the visudo command is that any syntax error made while editing is reported as shown below.

[root@server1 ~]#
[root@server1 ~]# visudo
visudo: >>> /etc/sudoers: syntax error near line 99 <<<
What now?

1.) Allow a user “sam” all privileges like root.

To assign root access to the user “sam”, add a line as shown below.

#visudo (save the sudoers file as you would save a vim file, using “:wq”)

## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
sam     ALL=(ALL)       NOPASSWD: ALL
## Allows members of the 'sys' group to run networking, software,

Now log in as the “sam” user and run a privileged command such as useradd. First try to run useradd normally, then run the same command with sudo in front of it, as shown below.

[root@server1 ~]# su - sam
Last login: Mon Sep 19 15:29:43 IST 2016 on pts/0
[sam@server1 ~]$ useradd frank
-bash: /usr/sbin/useradd: Permission denied
[sam@server1 ~]$ sudo useradd frank
[sam@server1 ~]$

NOTE: It does not ask for a password for any privileged command, because we used the NOPASSWD tag in the sudoers file.

2.) Allow a group “itcare” all privileges like root.

First check the members of the “itcare” group and then apply root access.

#  cat /etc/group

[root@server1 ~]# tail -n 3 /etc/group
named:x:25:
amit:x:1004:
itcare:x:1005:amit,nagios,sam
[root@server1 ~]#

#visudo (add the line as shown below)

## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
%itcare ALL=(ALL)       ALL

As you can see there is basically one line.

%itcare        ALL=(ALL)     ALL

Basically:

%itcare = The first field indicates the group name that the rule will apply to, “itcare” (the % prefix marks a group).
ALL      = The second field “ALL” indicates that this rule applies to all hosts.
(ALL)   = The third field “ALL” indicates that the “itcare” group can run commands as all users.
ALL      = The last “ALL” indicates that this rule applies to all commands.

Note: In this case, the group “itcare” is allowed to run all commands as root, on all hosts.
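The field breakdown given above for the “root” rule and again for the “%itcare” group rule can be checked mechanically rather than by eye. The following shell script is an added example and not part of the original tutorial: it parses a constructed sudoers fragment containing the rules used in this tutorial, resolves %group rules through a constructed extract of /etc/group, and reports which rules reach a given user and how many of them grant ALL commands with NOPASSWD (the rule shape most worth noticing in a review). The helper names (user_groups, rules_for, nopasswd_all_count) and the sample data are my own assumptions.

```shell
#!/bin/sh
# Added example: audit which sudoers rules apply to a user.
# Constructed sudoers fragment (the tutorial's rules plus a Defaults line).
SUDOERS='
Defaults logfile=/var/log/sudo.log
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
sam     ALL=(ALL)       NOPASSWD: ALL
anil    ALL=(root)      NOPASSWD: /sbin/useradd
%wheel  ALL=(ALL)       ALL
%itcare ALL=(ALL)       ALL
'

# Constructed /etc/group extract (group:password:gid:member,member,...).
GROUP_DB='named:x:25:
amit:x:1004:
itcare:x:1005:amit,nagios,sam'

# user_groups USER -> one line per supplementary group USER belongs to.
user_groups() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# rules_for USER -> every rule that applies to USER, directly or through a
# %group it is a member of, printed as: who host runas tag commands
# (tag is "-" when the rule carries no tag such as NOPASSWD).
rules_for() {
    rf_user="$1"
    rf_groups=$(user_groups "$rf_user" | tr '\n' ' ')
    printf '%s\n' "$SUDOERS" | awk -v u="$rf_user" -v g=" $rf_groups " '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        /^[ \t]*Defaults/ { next }            # Defaults entries are not rules
        {
            who = $1
            if (who == u) applies = 1
            else if (substr(who, 1, 1) == "%" &&
                     index(g, " " substr(who, 2) " ") > 0) applies = 1
            else applies = 0
            if (!applies) next
            split($2, hr, "=")                # HOST=(RUNAS)
            host = hr[1]; runas = hr[2]
            gsub(/[()]/, "", runas)
            tag = "-"; cmd = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /:$/) tag = substr($i, 1, length($i) - 1)
                else cmd = (cmd == "" ? $i : cmd " " $i)
            }
            print who, host, runas, tag, cmd
        }'
}

# nopasswd_all_count USER -> number of applicable rules granting every
# command (ALL) without a password prompt.
nopasswd_all_count() {
    rules_for "$1" | awk '$4 == "NOPASSWD" && $5 == "ALL" { n++ } END { print n + 0 }'
}

# Demonstration: rules reaching "nagios" (a member of itcare only).
rules_for nagios
printf 'NOPASSWD: ALL rules for nagios: %s\n' "$(nopasswd_all_count nagios)"
```

On a real system the same questions are answered by `visudo -c -f /path/to/file` (syntax check of a file without installing it) and `sudo -l -U username` (list the privileges that actually apply to a user); the script above is only a way to see how the fields of a rule and the %group membership combine.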

Now log in as one of the users of the “itcare” group and try a root (privileged) command.

[root@server1 ~]# su - nagios
Last login: Thu Sep 15 21:48:52 IST 2016 on pts/0
[nagios@server1 ~]$ useradd frank
-bash: /usr/sbin/useradd: Permission denied
[nagios@server1 ~]$ sudo useradd frank

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for nagios:
[nagios@server1 ~]$

As shown above, the “nagios” user can run the privileged command (i.e. useradd) by placing sudo in front of it. This time sudo prompts for the user's own password, because the %itcare rule carries no NOPASSWD tag.

To learn how to allow a user or group to run a specific command as root on Linux systems, read the following article from the links below:
