Root authorization via sudo (superuser do)

The sudo command allows a authenticated user to execute an authorized command as root.

Why use sudo?

Provides a way to limit root privileges
Provides a way to distribute root activities to users or groups of users without giving them the root password!

once you have root privileges you can do anything on the system
what if you wanted certain users to have the ability to reboot, or run backups

Provides an audit trail for root
Note: there are ways to circumvent the system.

How does it work?

sudo's argument is the command to be exectued as root

$ sudo passwd jimmyt

NOTE: You can install sudo via rpm or ftp the tar file from http://www.courtesan.com/sudo. Most Linux vendors provide sudo in their distribution.

Logging

Log file locations will vary depending on how you configure sudo during install.
The log facility is typically either local2, auth, or authpriv.
RedHat 7.3 defaults to authpriv which logs to /var/log/secure.

Configuration

sudo determines whether a user is authorized to run a specific command as root by examining its configurations file, /etc/sudoers.

sudo config file

/etc/sudoers

sudo binary which prefaces each command,
sudo mount /mnt/distro

/usr/bin/sudo

sudo binary to edit suders file and check syntax,
sudo visudo

/usr/sbin/visudo

`/etc/sudoers` the sudo configuration file

Define aliases for users, machines, and commands
This makes assigning permissions much easier

sudoer aliases

must supply full path to commands, options can be specified
lists are comma separated
may supply users, groups or netgroups for user aliases
may supply hostnames, IP addresses, network/netmask pairs, or netgroups or host aliases

# User aliases
User_Alias ADMINS=pattyo,joel
User_Alias STUDENTS=tim,mary,jack

# Machine aliases
Host_Alias SERVERS=ponto,oaxaca,colima
Host_Alias SCIENCE=curie,salk,pasteur

# Command aliases
Cmnd_Alias          SHUT=/sbin/shutdown -r *
Cmnd_Alias          DUMP=/sbin/dump,/sbin/restore
Cmnd_Alias          SHELLS=/bin/sh,/bin/tcsh,/bin/bash,/bin/csh
Cmnd_Alias          PRINT=/usr/sbin/lpc,/usr/sbin/lprm

# Privileges
ADMINS              ALL=(ALL)ALL
STUDENTS            ALL,!SERVERS=(operator)SHUT,DUMP
kelly               ALL=NOPASSWD:PRINT
jimj,mikes          SCIENCE=(ALL)ALL,!SHELLS
dylan               goku=(ALL)ALL

After the aliases section (above), each permission line contains the following information

the user(s) who can execute the command
the hosts on which they can be executed
the commands that the user can run
the user or group that the command will be executed as

the default is root
not the operator example above

Explanation of Privileges in configuration file above:

The first permission line:

ADMINS ALL=(ALL)ALL

applies to the users in the alias ADMINS, pattyo and joel, on all machines, running as any user, can execute any command.

The second permission line:

STUDENTS ALL,!SERVERS=(operator)SHUT,DUMP

applies to the STUDENTS: tim, mary and jack, on all machines except the SERVERS: ponto, oaxaca and colima. They can execute the comands shutdown, dump and restore, only as the user operator. The command line they would use would be something like this:

$ sudo -u operator /sbin/dump 0u /dev/dha3

The forth permission line:

jimj,mikes SCIENCE=(ALL)ALL,!SHELLS

applies to the users jimj and mikes on the machines curie, salk and pasteur where they have permission to run all commands as any user except shells.

visudo because the /etc/sudoers file can get very complicated

The visudo command will check for syntax errors before saving the sudoers file

the visudo command is included with sudo
If there are any errors in the sudoers file, sudo won't work at all!

sudo Usage

Example: the user kelly executing the lpc command on the server ponto:

[kelly@ponto]$ sudo /usr/sbin/lpc reread lp
lpd server pid 1184 on ponto.example.com, sending SIGHUP

Example: the user jack trying to run the shutdown command on the server ponto:

[jack@ponto]$ sudo /sbin/shutdown -h now
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these two things:

#1) Respect the privacy of others.
#2) Think before you type.

Password:

jack is not allowed to run sudo on ponto. This incident will be reported.

Jack (see alias STUDENTS in configuration file) is excluded from all rootly privileges on the machine ponto.

Sudo vulnerabilities

It is easy to extend the permissions granted in the /etc/sudoers file

Can you think of ways to circumvent the system?

If a user has been granted access to all commands except shells
He/she can still use vi to edit a file and then execute a shell from within vi.

<Esc>:!/bin/tcsh

The the user could make a copy of a shell and put it in an alternate directory such as his/her home directory, then use the sudo command to execute it:

[mikes@ponto]$ sudo /bin/sh
Password:
Sorry, user mikes is not allowed to execute '/bin/sh' as root on ponto.
[mikes@ponto]$ cp -p /bin/csh /tmp/csh
[mikes@ponto]$ sudo /tmp/csh
[root@ponto]$ whoami
root

Lab: Configure the sudoers file on your systems

Check that you have the sudo rpm installed

# rpm -qa sudo

Create the group admin on your machines

# groupadd admin

Make sure that your account is in the admin group

# usermod -G admin youracct

Create a student account (if it doesn't already exist)

# useradd student

Put the student account in the additional group users

# usermod -G users student

Check the /etc/passwd and /etc/group files for your modifications

# grep admin /etc/group
# grep youracct /etc/passwd

Modify the /etc/sudoers file using the visudo command

# visudo

Configure the sudoers file so that the group admin has full control of your computer
Configure the sudoers file such that the users group is able to restart the printer, shutdown the machine, and mount the cdrom