Root authorization via sudo (superuser do)

The sudo command allows an authenticated user to execute an authorized command as root.

Why use sudo?

- Provides a way to limit root privileges.
- Provides a way to distribute root activities to users or groups of users without giving them the root password! Once you have root privileges you can do anything on the system; what if you wanted certain users to have only the ability to reboot, or to run backups?
- Provides an audit trail for root activity. Note: there are ways to circumvent the system.

How does it work?

sudo's argument is the command to be executed as root:

    $ sudo passwd jimmyt

NOTE: You can install sudo via rpm or ftp the tar file from http://www.courtesan.com/sudo. Most Linux vendors provide sudo in their distribution.

Logging

Log file locations will vary depending on how you configure sudo during install. The log facility is typically either local2, auth, or authpriv. RedHat 7.3 defaults to authpriv, which logs to /var/log/secure.

Configuration

sudo determines whether a user is authorized to run a specific command as root by examining its configuration file, /etc/sudoers.
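The audit trail mentioned above is only useful if someone reads it. The following is an added example, not code from the tutorial: a small Python parser that pulls sudo records out of a syslog-style file such as /var/log/secure, separates allowed invocations from denials, and flags allowed commands that were run from a user-writable directory. The sample log lines are constructed to follow the layout sudo uses for its syslog entries (user : [reason ;] TTY= ; PWD= ; USER= ; COMMAND=); the hosts and users are the ones from the sudoers example in this tutorial.

```python
"""Pull sudo records out of a syslog-style file such as /var/log/secure.

Added example for the logging section of the tutorial; not the tutorial's
own code. SAMPLE_LOG is constructed to follow the layout sudo uses for its
syslog entries (user : [reason ;] TTY= ; PWD= ; USER= ; COMMAND=).
"""
import re
from collections import Counter

# One sudo syslog entry. The optional "reason" field is only present on
# denials ("command not allowed", "user NOT in sudoers", ...).
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>[^;]*) ; PWD=(?P<pwd>[^;]*) ; "
    r"USER=(?P<runas>[^;]*) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample lines (hosts and users follow the tutorial's sudoers file).
SAMPLE_LOG = """\
Sep 30 01:33:12 ponto sudo:    kelly : TTY=pts/1 ; PWD=/home/kelly ; USER=root ; COMMAND=/usr/sbin/lpc reread lp
Sep 30 01:34:05 ponto sudo:     jack : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jack ; USER=root ; COMMAND=/sbin/shutdown -h now
Sep 30 01:35:41 curie sudo:    mikes : command not allowed ; TTY=pts/2 ; PWD=/home/mikes ; USER=root ; COMMAND=/bin/sh
Sep 30 01:36:02 curie sudo:    mikes : TTY=pts/2 ; PWD=/home/mikes ; USER=root ; COMMAND=/tmp/csh
Sep 30 01:36:10 ponto sshd[1203]: Accepted password for kelly from 10.0.0.5 port 4021 ssh2
"""

# Directories from which an "allowed" command should never be run as root:
# a user who can copy binaries there runs arbitrary code under a path that
# no Cmnd_Alias anticipated.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/home/")


def parse_sudo_line(line):
    """Return a dict for a sudo entry, or None for any other syslog line."""
    m = SUDO_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["allowed"] = rec["reason"] is None
    return rec


def summarize(log_text):
    """Count allowed and denied sudo invocations per user."""
    allowed, denied = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        (allowed if rec["allowed"] else denied)[rec["user"]] += 1
    return allowed, denied


def commands_from_untrusted_dirs(log_text):
    """Allowed invocations whose command lives under a user-writable directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and rec["allowed"] and rec["cmd"].startswith(UNTRUSTED_PREFIXES):
            hits.append((rec["host"], rec["user"], rec["cmd"]))
    return hits


if __name__ == "__main__":
    ok, bad = summarize(SAMPLE_LOG)
    for user in sorted(set(ok) | set(bad)):
        print("%-8s allowed=%d denied=%d" % (user, ok[user], bad[user]))
    for host, user, cmd in commands_from_untrusted_dirs(SAMPLE_LOG):
        print("review: %s ran %s as root on %s" % (user, cmd, host))
```

To run it against a real system, read /var/log/secure (or wherever your log facility sends authpriv) and pass its text to summarize() and commands_from_untrusted_dirs(); a denial with "user NOT in sudoers" is the log side of the "This incident will be reported" message shown later in the tutorial.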
The pieces involved

    /etc/sudoers       the sudo configuration file
    /usr/bin/sudo      the sudo binary, which prefaces each command: sudo mount /mnt/distro
    /usr/sbin/visudo   the binary used to edit the sudoers file and check its syntax: sudo visudo

Define aliases for users, machines, and commands; this makes assigning permissions much easier.

sudoers aliases:
- must supply the full path to commands; options can be specified
- lists are comma separated
- user aliases may contain users, groups, or netgroups
- host aliases may contain hostnames, IP addresses, network/netmask pairs, or netgroups

    # User aliases
    User_Alias ADMINS=pattyo,joel
    User_Alias STUDENTS=tim,mary,jack
    # Machine aliases
    Host_Alias SERVERS=ponto,oaxaca,colima
    Host_Alias SCIENCE=curie,salk,pasteur
    # Command aliases
    Cmnd_Alias SHUT=/sbin/shutdown -r *
    Cmnd_Alias DUMP=/sbin/dump,/sbin/restore
    Cmnd_Alias SHELLS=/bin/sh,/bin/tcsh,/bin/bash,/bin/csh
    Cmnd_Alias PRINT=/usr/sbin/lpc,/usr/sbin/lprm
    # Privileges
    ADMINS ALL=(ALL)ALL
    STUDENTS ALL,!SERVERS=(operator)SHUT,DUMP
    kelly ALL=NOPASSWD:PRINT
    jimj,mikes SCIENCE=(ALL)ALL,!SHELLS
    dylan goku=(ALL)ALL

After the aliases section (above), each permission line contains the following information:
- the user(s) who can execute the commands
- the hosts on which they can be executed
- the commands that the user can run
- the user or group that the commands will be executed as (the default is root, not operator as in the STUDENTS example above)

Explanation of the privileges in the configuration file above:

The first permission line, ADMINS ALL=(ALL)ALL, applies to the users in the alias ADMINS, pattyo and joel: on all machines, running as any user, they can execute any command.

The second permission line, STUDENTS ALL,!SERVERS=(operator)SHUT,DUMP, applies to the STUDENTS, tim, mary and jack, on all machines except the SERVERS, ponto, oaxaca and colima. They can execute the commands shutdown, dump and restore, only as the user operator.
The command line they would use would be something like this:

    $ sudo -u operator /sbin/dump 0u /dev/dha3

The fourth permission line, jimj,mikes SCIENCE=(ALL)ALL,!SHELLS, applies to the users jimj and mikes on the machines curie, salk and pasteur, where they have permission to run all commands as any user, except shells.

visudo

Because the /etc/sudoers file can get very complicated, the visudo command checks for syntax errors before saving the sudoers file. The visudo command is included with sudo. If there are any errors in the sudoers file, sudo won't work at all!

sudo usage

Example: the user kelly executing the lpc command on the server ponto:

    [kelly@ponto]$ sudo /usr/sbin/lpc reread lp
    lpd server pid 1184 on ponto.example.com, sending SIGHUP

Example: the user jack trying to run the shutdown command on the server ponto:

    [jack@ponto]$ sudo /sbin/shutdown -h now

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

    Password:
    jack is not allowed to run sudo on ponto. This incident will be reported.

Jack (see the alias STUDENTS in the configuration file) is excluded from all rootly privileges on the machine ponto.

Sudo vulnerabilities

It is easy to extend the permissions granted in the /etc/sudoers file beyond what was intended. Can you think of ways to circumvent the system?

If a user has been granted access to all commands except shells, he/she can still use vi to edit a file and then execute a shell from within vi:

    :!/bin/tcsh

Or the user could make a copy of a shell and put it in an alternate directory, such as his/her home directory, then use the sudo command to execute it:

    [mikes@ponto]$ sudo /bin/sh
    Password:
    Sorry, user mikes is not allowed to execute '/bin/sh' as root on ponto.
    [mikes@ponto]$ cp -p /bin/csh /tmp/csh
    [mikes@ponto]$ sudo /tmp/csh
    [root@ponto]$ whoami
    root

Lab: Configure the sudoers file on your systems

1. Check that you have the sudo rpm installed:
       # rpm -qa sudo
2. Create the group admin on your machines:
       # groupadd admin
3. Make sure that your account is in the admin group:
       # usermod -G admin youracct
4. Create a student account (if it doesn't already exist):
       # useradd student
5. Put the student account in the additional group users:
       # usermod -G users student
6. Check the /etc/passwd and /etc/group files for your modifications:
       # grep admin /etc/group
       # grep youracct /etc/passwd
7. Modify the /etc/sudoers file using the visudo command:
       # visudo
8. Configure the sudoers file so that the group admin has full control of your computer.
9. Configure the sudoers file such that the users group is able to restart the printer, shut down the machine, and mount the cdrom.
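The configuration section explains how aliases expand into permission lines, and the "Sudo vulnerabilities" section shows two ways a grant of "all commands except shells" is wider than it looks. The following is an added example, not the tutorial's own code: a Python checker that parses a sudoers policy in the format shown above, expands the User and Cmnd aliases, and reports the grants the text describes as bypassable (ALL with "!" exclusions, which a copied binary sidesteps; editors such as vi, which spawn a shell on ":!"; plain shells; and NOPASSWD entries). The sample policy is the tutorial's file plus two constructed lines, the EDIT alias and the rule for tim, so that the editor check has something to find. visudo -c remains the syntax check; this script only looks at what a syntactically valid policy actually grants.

```python
"""Audit a sudoers policy for grants that are easy to turn into a root shell.

Added example; not the tutorial's own code. SAMPLE_SUDOERS is the tutorial's
configuration plus two constructed lines (the EDIT alias and the rule for
tim) so that the editor check has something to find. The parser handles only
the alias and privilege lines shown in the tutorial: no Defaults, no
Runas_Alias, no #include, no line continuations.
"""
import re

ALIAS_RE = re.compile(r"^(User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
# users hosts=(runas)commands  -- the (runas) part is optional, default root
PRIV_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+?)\))?\s*(.+)$")
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC):\s*")

# Programs the tutorial shows being used to get a shell: shells themselves,
# and editors that run a shell on ":!".
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh", "/bin/zsh"}
EDITORS = {"/bin/vi", "/usr/bin/vi", "/usr/bin/vim", "/bin/ed"}

SAMPLE_SUDOERS = """\
# User aliases
User_Alias ADMINS=pattyo,joel
User_Alias STUDENTS=tim,mary,jack
# Machine aliases
Host_Alias SERVERS=ponto,oaxaca,colima
Host_Alias SCIENCE=curie,salk,pasteur
# Command aliases
Cmnd_Alias SHUT=/sbin/shutdown -r *
Cmnd_Alias DUMP=/sbin/dump,/sbin/restore
Cmnd_Alias SHELLS=/bin/sh,/bin/tcsh,/bin/bash,/bin/csh
Cmnd_Alias PRINT=/usr/sbin/lpc,/usr/sbin/lprm
Cmnd_Alias EDIT=/bin/vi
# Privileges
ADMINS ALL=(ALL)ALL
STUDENTS ALL,!SERVERS=(operator)SHUT,DUMP
kelly ALL=NOPASSWD:PRINT
jimj,mikes SCIENCE=(ALL)ALL,!SHELLS
dylan goku=(ALL)ALL
tim ALL=EDIT
"""


def parse_sudoers(text):
    """Return (aliases, rules); aliases maps kind -> name -> member list."""
    aliases = {"User": {}, "Host": {}, "Cmnd": {}}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = [x.strip() for x in members.split(",")]
            continue
        m = PRIV_RE.match(line)
        if m:
            users, hosts, runas, cmds = m.groups()
            tags = []
            t = TAG_RE.match(cmds)
            while t:  # peel off NOPASSWD: and friends from the command list
                tags.append(t.group(1))
                cmds = cmds[t.end():]
                t = TAG_RE.match(cmds)
            rules.append({"users": users.split(","), "hosts": hosts.split(","),
                          "runas": runas or "root", "tags": tags,
                          "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules


def expand(items, table):
    """Replace alias names with their members, keeping a leading '!' on each."""
    out = []
    for item in items:
        neg = "!" if item.startswith("!") else ""
        name = item.lstrip("!")
        if name in table:
            out.extend(neg + member for member in expand(table[name], table))
        else:
            out.append(item)
    return out


def audit(text):
    """List (users, kind, detail) findings for the policy text."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for r in rules:
        who = ",".join(expand(r["users"], aliases["User"]))
        cmds = expand(r["cmds"], aliases["Cmnd"])
        allowed = [c for c in cmds if not c.startswith("!")]
        excluded = [c[1:] for c in cmds if c.startswith("!")]
        if "NOPASSWD" in r["tags"]:
            findings.append((who, "NOPASSWD", "runs %s as %s without a password"
                             % (",".join(allowed), r["runas"])))
        if "ALL" in allowed and excluded:
            # The tutorial's cp /bin/csh /tmp/csh case: exclusions match by
            # path, so a copy of the excluded binary is still covered by ALL.
            findings.append((who, "ALL-with-exclusions",
                             "ALL,!%s is bypassable by copying the binary" % ",".join(excluded)))
        for c in allowed:
            binary = c.split()[0]
            if c == "ALL" or binary in SHELLS:
                findings.append((who, "shell", "%s gives a shell as %s" % (c, r["runas"])))
            elif binary in EDITORS:
                findings.append((who, "editor-escape", "%s can spawn a shell with :!" % c))
    return findings


if __name__ == "__main__":
    for who, kind, detail in audit(SAMPLE_SUDOERS):
        print("%-20s %-19s %s" % (who, kind, detail))
```

For the lab, read the file you wrote with visudo and pass its text to audit(); a grant to the users group that only names the printer, shutdown and mount commands should produce no findings, while an "ALL,!SHELLS" style rule will be reported for the reason the tutorial demonstrates.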