Sunday, 3 August 2014

Sudo Overview


   Sudo An Overview

File : /etc/sudoers
Cmd  :  visudo

sudo allows a permitted user to execute a command as the superuser.

The sudo utility enables the users mentioned in configuration file sudoers to have temporary access to run certain commands as the “root” or any other user.

Whenever a user runs the sudo command, sudo reads the sudoers file to check whether that user is permitted to run the requested command.

To edit the sudo parameters in the sudoers file, only the visudo command should be used, for the following reasons:

• The sudoers file might not have the same location on all versions of Linux.

• visudo checks the syntax of the sudoers file when you save it and reports any errors.

• It gives the option to reject the changes or re-edit the file.

• It prevents two users from editing the file at the same time.

The visudo command should be run as root:
# visudo

 Syntax For sudo in sudoers file

General sudoers file record format: 

user   MACHINE=COMMANDS

user/group hostname = (runasuser) command(s)

root    ALL=(ALL)       ALL

Here,
• user/group is the name of the user or group for which sudo privileges are defined.

• hostname is a list of terminals from which the user can use sudo.

• runasuser is the name of the user the sudo user is acting as, and must be enclosed in ( ).

• Command(s) is a list of commands that this user can execute. The full path of each command must be specified.

# visudo

root ALL=(ALL) ALL ---- instead of the root user, we add a normal user who may run the command below from his terminal.

jeff ALL=/etc/init.d/httpd reload

User jeff can reload httpd from any terminal:

# sudo /etc/init.d/httpd reload
[sudo] password for jeffin:
Reloading httpd:

We can also create aliases for:
• users/groups: User_Alias 
• run commands as other users: Runas_Alias
• hostname: Host_Alias
• command: Cmnd_Alias

Eg:
User_Alias USER = user1, user2
Runas_Alias PRIVUSER = root, jeff
Host_Alias SEGMENT = 192.168.1.0/24
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

Check the following example of aliasing, which lets a particular user run particular commands.

1. Create a user alias
## User Aliases
User_Alias ADMINS = jeffin

2. Create a command alias
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk -l

3. Now add those to the user privilege specification:

ADMINS ALL=STORAGE

If we write it like the line below, it will throw an error:

jeffin ALL=STORAGE
user/group hostname = (runasuser) command(s)

ERROR: # visudo
visudo: Warning: Runas_Alias `ADMINS' referenced but not defined
visudo: Warning: unused User_Alias ADMINS

Instead of the user name, give the User_Alias name here.

Solution: jeffin ALL=STORAGE is wrong, since we defined the User_Alias ADMINS above. So rewrite it as:

ADMINS ALL=STORAGE

ADMINS ALL=NOPASSWD:STORAGE  ----------> With NOPASSWD we can run our commands without entering our password; otherwise sudo will ask for your password.

Here ADMINS is the user alias and STORAGE the command alias.

4. From the user side you can check which commands you have permission to run. First switch to that user and run the command below:

$ sudo -l
User jeffin may run the following commands on this host:
    (root) /etc/init.d/httpd reload
    (root) /sbin/fdisk -l

5. Switch to that user and run the command (fdisk -l) to show the result. Make sure you run it with sudo:

# sudo /sbin/fdisk -l

Disk /dev/sda: 33.3 GB, 33285996544 bytes
255 heads, 63 sectors/track, 4046 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000ac2fa

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          39      307200   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              39         557     4161536   82  Linux swap / Solaris
Partition 2 does not end on cylinder boundary.
/dev/sda3             557        4047    28036096   83  Linux


Remember this:
• The runasuser token is optional and defaults to root if not included.

• Groups are specified in sudoers file by prefixing the group name with %.

• There can be multiple usernames in a line separated by commas.

• Multiple commands should also be separated by commas. Spaces are considered a part of the command.

• The name of an alias should be in capital letters; otherwise it gives a syntax error.

• If a line gets too long, we can put a backslash (\) at the end and continue on the next line.

• While running a sudo command, the user is prompted for their own password, not the password of the user they are trying to act as.

 Giving privileges for a group

1. Create a group jeep

# groupadd jeep

2. Create users and add them to that group

# useradd -g jeep jeff
# useradd -g jeep jomy

3. Add the following to the sudoers file (the comment line is how it appears there):

## Allows people in group jeep to run commands specified in the cmd-alias STORAGE
%jeep ALL=STORAGE

Here STORAGE is the command alias.

4. Switch to that user and run:

# sudo -l
# sudo /sbin/fdisk -l
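To tie together the record format, the aliases, the rules in the list above and the group entry, here is a small Python evaluator, added to this page as an example; it is not sudo's code and not from the original post. It parses a constructed sudoers text (assembled from the post's own lines, plus an invented Host_Alias WEB and an invented group table standing in for /etc/group) and answers, like sudo -l, what a user may run on a host. It also applies the trailing-slash directory form that the post uses at the end.

```python
# Tiny sudoers evaluator written for this page (not sudo's own code). It covers only the
# syntax the post describes: the four *_Alias kinds, %group users, comma lists, an optional
# (runas) field defaulting to root, NOPASSWD:, backslash continuation, directory rules ('/').
import posixpath
import re

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
ALIAS_NAME = re.compile(r"[A-Z][A-Z0-9_]*")  # the post: alias names must be upper case


def _csv(text):  # "a, b ,c" -> ["a", "b", "c"]
    return [item.strip() for item in text.split(",") if item.strip()]


class Sudoers:
    def __init__(self, text, groups=None):
        self.groups = groups or {}  # user -> set of group names (stands in for /etc/group)
        self.aliases = {kind: {} for kind in ALIAS_KINDS}
        self.rules = []  # (users, hosts, runas, nopasswd, commands) in file order
        for line in self._logical_lines(text):
            self._parse(line)

    @staticmethod
    def _logical_lines(text):  # drop '#' comments and blanks, join backslash-continued lines
        pending = ""
        for raw in text.splitlines():
            line = pending + raw.split("#", 1)[0].strip()
            if line.endswith("\\"):
                pending = line[:-1] + " "
                continue
            pending = ""
            if line:
                yield line

    def _parse(self, line):
        kind, _, rest = line.partition(" ")
        if kind in ALIAS_KINDS:
            name, _, members = map(str.strip, rest.partition("="))
            if not ALIAS_NAME.fullmatch(name):
                raise ValueError(f"alias name must be upper case: {name!r}")
            self.aliases[kind][name] = _csv(members)
        else:  # user specification:  users  hosts = (runas) TAG: commands
            lhs, _, rhs = line.partition("=")
            *users, hosts = lhs.split()
            rhs, runas, nopasswd = rhs.strip(), ["root"], False  # runasuser defaults to root
            if rhs.startswith("("):
                inner, _, rhs = rhs[1:].partition(")")
                runas, rhs = _csv(inner), rhs.strip()
            while rhs.startswith(("NOPASSWD:", "PASSWD:")):
                tag, _, rhs = rhs.partition(":")
                nopasswd, rhs = tag == "NOPASSWD", rhs.strip()
            self.rules.append((_csv(" ".join(users)), _csv(hosts), runas, nopasswd, _csv(rhs)))

    def _expand(self, kind, names):  # replace alias names by their members, recursively
        table = self.aliases[kind]
        return [m for n in names for m in (self._expand(kind, table[n]) if n in table else [n])]

    def _user_ok(self, token, user):  # a %token names a group the user belongs to
        return token in ("ALL", user) or (token.startswith("%") and token[1:] in self.groups.get(user, ()))

    @staticmethod
    def _cmd_ok(token, command):
        path = command.split()[0]
        if token.endswith("/"):  # directory rule: files directly inside it, any arguments
            return posixpath.dirname(path) + "/" == token
        # a bare program path matches any arguments; a path with arguments matches exactly
        return token in ("ALL", command) or (" " not in token and token == path)

    def list_permissions(self, user, host):  # entries that apply to user on host, like sudo -l
        found = []
        for users, hosts, runas, nopasswd, cmds in self.rules:
            if (any(self._user_ok(u, user) for u in self._expand("User_Alias", users))
                    and any(h in ("ALL", host) for h in self._expand("Host_Alias", hosts))):
                for r in self._expand("Runas_Alias", runas):
                    found.extend((r, nopasswd, c) for c in self._expand("Cmnd_Alias", cmds))
        return found

    def may_run(self, user, host, command, runas="root"):
        verdict = "deny"  # or 'allow' / 'allow-nopasswd'; as in sudo, the last match wins
        for r, nopasswd, c in self.list_permissions(user, host):
            if r in ("ALL", runas) and self._cmd_ok(c, command):
                verdict = "allow-nopasswd" if nopasswd else "allow"
        return verdict


SAMPLE_SUDOERS = """\
User_Alias ADMINS = jeffin
Host_Alias WEB = web1, web2
Cmnd_Alias STORAGE = /sbin/fdisk -l
Cmnd_Alias SERVICES = /sbin/service, \\
    /sbin/chkconfig
root    ALL=(ALL)       ALL
jeffin  ALL=/etc/init.d/httpd reload
ADMINS  ALL=NOPASSWD: STORAGE
%jeep   ALL=STORAGE
jeffin  ALL=(jeff) /etc/init.d/httpd reload
jeff    WEB=/sbin/, /usr/sbin/, /usr/local/src/script.sh
"""  # constructed from the post's fragments, not a real /etc/sudoers
GROUPS = {"jeff": {"jeep"}, "jomy": {"jeep"}}  # constructed stand-in for /etc/group
```

Aliases are expanded recursively, %group entries are checked against the group table, the (runas) field defaults to root, and the NOPASSWD: tag is kept per entry; when several entries match, the last one decides, as in sudo. So Sudoers(SAMPLE_SUDOERS, GROUPS).may_run("jomy", "web1", "/sbin/fdisk -l") is "allow" through %jeep, while the same command for jeffin is "allow-nopasswd" through ADMINS, and "/sbin/fdisk" without "-l" is denied for both because the command alias carries arguments. The evaluator deliberately stops at the syntax the post covers (no #include, no wildcards, no negation), so use it to reason about a fragment and keep visudo -c as the real check.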


 How to gain root privileges for a normal user

With the su - command, a user can log in as root after entering root's password.

But if root privileges are given to a user in sudoers, that user does not need to know the root password to act as root for that session.

 -- 'su' Substitute User

# su -
# su - root
$ su - root -c "ls -l /root"

 To use a privilege of another user

# sudo -u <user to run command as> <command>

If you want to give privileges to run commands as another user, give that user name in ( ):

jeffin ALL=(jeff) /etc/init.d/httpd reload

That says that user jeffin can run commands as jeff (using "sudo -u"):

[jeffin@localhost ~]$ sudo -u jeff /etc/init.d/httpd reload


 LogFile

By default, sudo messages are sent to syslog, so all commands run through sudo are logged in /var/log/messages. We can create a separate sudo log file by adding the line below to the sudoers file:

# visudo

#Specify default log file location

Defaults logfile=/var/log/sudolog
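As an added example (not from the original post), the Python below reads the sudo lines out of a syslog-style file such as /var/log/messages and separates commands that were granted from attempts sudo refused. The log lines are constructed to follow sudo's syslog message layout; the separate file enabled with Defaults logfile= is laid out a little differently, so this parser is for the syslog form.

```python
# Added example for this page: pick sudo's lines out of syslog and split them into
# granted commands and refusals. SAMPLE_LOG is constructed in sudo's syslog layout.
import re
from collections import Counter

SAMPLE_LOG = """\
Aug  3 10:15:02 web1 sudo:   jeffin : TTY=pts/0 ; PWD=/home/jeffin ; USER=root ; COMMAND=/sbin/fdisk -l
Aug  3 10:15:40 web1 sudo:   jeffin : TTY=pts/0 ; PWD=/home/jeffin ; USER=jeff ; COMMAND=/etc/init.d/httpd reload
Aug  3 10:16:11 web1 sshd[2231]: Accepted password for jomy from 192.168.1.20 port 50212 ssh2
Aug  3 10:16:30 web1 sudo:     jomy : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jomy ; USER=root ; COMMAND=/bin/bash
Aug  3 10:17:05 web1 sudo:     jeff : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/jeff ; USER=root ; COMMAND=/sbin/fdisk -l
Aug  3 10:18:30 web1 sudo:   jeffin : command not allowed ; TTY=pts/0 ; PWD=/home/jeffin ; USER=root ; COMMAND=/bin/su -
"""

# A granted command has no reason text between "user :" and "TTY="; a refusal does.
SUDO_LINE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.+)$"
)


def parse_sudo_log(text):
    """Return one dict per sudo line; ok=True when sudo actually ran the command."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if m:  # lines from other daemons (sshd here) are skipped
            ev = m.groupdict()
            ev["ok"] = ev["reason"] is None
            events.append(ev)
    return events


def summarize(events):
    """Granted commands per user, every refusal with its reason, and runs as a non-root user."""
    granted = Counter(ev["user"] for ev in events if ev["ok"])
    denied = [(ev["user"], ev["reason"], ev["command"]) for ev in events if not ev["ok"]]
    as_other = [(ev["user"], ev["runas"], ev["command"])
                for ev in events if ev["ok"] and ev["runas"] != "root"]
    return {"granted": dict(granted), "denied": denied, "as_other_user": as_other}


if __name__ == "__main__":
    report = summarize(parse_sudo_log(SAMPLE_LOG))
    for user, reason, command in report["denied"]:
        print(f"REFUSED {user}: {reason} ({command})")
    print("granted per user:", report["granted"])
```

The refusals ("user NOT in sudoers", "command not allowed", "3 incorrect password attempts") are the lines worth reviewing or alerting on, since each records someone asking sudo for more than the sudoers file grants. The as_other_user list shows every command that ran under a (runas) entry such as the jeffin ALL=(jeff) rule above, which is easy to lose among ordinary root entries when reading the file by eye.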

 Granting Access for user and group together

# granting access to specific users and groups, separated by commas

jeffin,%jeep ALL=/etc/init.d/httpd reload

OR

jeffin,%jeep ALL=STORAGE

(STORAGE=/etc/init.d/httpd reload)

Make sure the group %jeep is mentioned on only one line: either the line where we mentioned the group, or the line where we mentioned the user.

 Granting access to users for specific files or Dir

The following entry allows user jeff to run all the program files in the /sbin and /usr/sbin directories, along with the command /usr/local/src/script.sh:

jeff ALL=/sbin/, /usr/sbin/, /usr/local/src/script.sh
