Introduction
If you want to increase the security on your Linux server it is recommended to properly configure sudo !As per "wikipedia":
sudo (/ˈsuːduː/ or /ˈsuːdoʊ/) is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do" as the older versions of sudo were designed to run commands only as the superuser.
sudo as the advantage to allow you to run a single command with specific privileges compared to su which allows you to "switch" to another user and run all the commands in a shell as the "new user" (su means switch user).
Perhaps with sudo, you can allow a user to run administrative commands without providing the root password. User will require to type their own password every time he/she needs to run a specific command (to be precise you can configure sudo so that it maintain the authorization for a certain amount of time).
An interesting security note can be found in the manual:
Please note that sudo will normally only log the command it explicitly runs. If a user runs a command such as sudo su or sudo sh, subsequent commands run from that shell are not subject to sudo's security policy. The same is true for commands that offer shell escapes (including most editors). If I/O logging is enabled, subsequent commands will have their input and/or output logged, but there will not be traditional logs for those commands. Because of this, care must be taken when giving users access to commands via sudo to verify that the command does not inadvertently give the user an effective root shell. For more information, please see the PREVENTING SHELL ESCAPES section in sudoers(5).
The sudo command is highly flexible and access can be restricted as tight as a single command or script, or access can be given to fully assume the root user's role, and therefore assume other user's role if desired.
Configuration
sudo is configured through the file /etc/sudoers. To edit the file you should use the "visudo" command as it will lock the file and avoid other users to modify it simultaneously.A simple way to configure sudo is to allow a user to perform any operation as root. This essentially gives the user root permission without the need for them to know the root password. This basically is using sudo like su ... which is not what we want !!
If you really want to do so ... on CentOS 7.2 you just need to add your user to the group "wheel" as the file /etc/sudoers contains the following:
%wheel ALL=(ALL) ALL
Which means ....
the users part of the group "wheels" can execute from ALL terminals (1st ALL), acting as ALL (any) users (2nd ALL), and run ALL (any) command (3rd ALL).
So if you need more granularity ... such as allow a specific user (user1) to run a specific command (/usr/local/bin/command1) from any terminal:
user1 ALL= /usr/local/bin/command1
You can create an alias for the group of commands you want the user to be able to run:
Cmd_Alias CMD-LIST = /usr/local/bin/bin/command1, /usr/local/bin/bin/command2, /usr/local/bin/bin/command3
And apply to user1 in this way:
user1 ALL= CMD-LIST
For more information about how to customize sudoers ... have a look at the manual page !
The user environment problem
When you run sudo, your user environment variable are not used by default... you need to use the option -i to export your environment variables:sudo -i -u user1 /command
Sudo with I/O redirection
When you want a command to redirect its output to a file ... the redirection may not work if you are trying to write in a location for which you don't have permissions !These are 2 valid workarounds:
- run sudo to call a shell and use the shell option -c to run the desired command.
sudo sh -c 'find / -name sudoers 2> /dev/null'
- create a bash script and use sudo to run the script
#!/bin/sh
find / -name sudoers 2> /dev/null
sudo script_name.sh
Gving your users more time ...
Within the file /etc/sudoers you may find a line that start with:Defaults env_reset
Without any further option you allow the system to "retain" the authorization for 15 minutes. If you want to reduce/increase this time, force the user to type the password every time or allow the user to type the password just once:
Set the authorization time to 30 minutes:
Defaults env_reset,timestamp_timeout=30
Force the user to type the password every time:
Defaults env_reset,timestamp_timeout=0
Allow the user to type the password just once (not recommended):
Defaults env_reset,timestamp_timeout=-1
If you just used the sudo command and you are moving out of your desk ... I would suggest to tell sudo to forget your password:
sudo -k
No comments:
Post a Comment