Enhanced User Security
- Sudo user
- A normal user cannot run every command
- sudo is used to give special permissions to a normal user
- Use the "whereis" command to find a command's exact path
- When executing, use sudo + the full path of the command
- The configuration file is /etc/sudoers
- Always edit it with visudo, which checks the syntax before saving.
------------------------------------------------------
Permission to users
# visudo
root ALL=(ALL) ALL
jay ALL = /usr/sbin/useradd # allow only the useradd command
OR
jay ALL = ALL # give full permission
:wq
Now, change to the user jay
# su - jay
$ useradd tom # Error: Permission denied
$ sudo /usr/sbin/useradd tom
---------------------------------------------
Permission to group
# groupadd sales
# usermod -aG sales jay # -a appends; -G alone would replace jay's other supplementary groups
# usermod -aG sales dev
# visudo
%sales ALL=/usr/sbin/useradd
:wq
Now, change user to dev
# su - dev
$ sudo /usr/sbin/useradd ram
---------------------------------------
Aliases
There are two (or three) types of alias:
- User alias
- Command Alias
{- Host Alias }
------------------------------------------------------
# visudo
## Users aliases
User_Alias TESTER = jay, dev # TESTER is just a name that represents these users.
## You can create several user aliases and put different users in each to give different permissions.
## Command aliases
Cmnd_Alias CMDS = /sbin/service, /sbin/fdisk # CMDS is just a name; any name can be used for a command alias
root ALL=(ALL) ALL
TESTER ALL = CMDS
:wq
Now switch to one of the users in the alias and test the access.
======================================
Run visudo and add the following lines to the file.
# visudo
Host_Alias DBSERVERS = bardiya, nepal, udaya
User_Alias ADMINS = surya, jay, kamal
Cmnd_Alias ADMINCMDS = /usr/sbin/useradd, /usr/bin/passwd, /sbin/route
ADMINS DBSERVERS=ADMINCMDS
:wq!
login as: surya
surya@192.168.10.32's password:
Last login: Fri Mar 15 00:13:01 2013 from 192.168.10.11
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel \r on an \m
If you mess with this system, you will be on big trouble.....
[surya@bardiya ~]$ sudo useradd pratic
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for surya:
[surya@bardiya ~]$ id pratic
uid=2021(pratic) gid=2021(pratic) groups=2021(pratic)
[surya@bardiya ~]$ sudo passwd pratic
Changing password for user pratic.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
[surya@bardiya ~]$
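An added example, not part of the original notes: a small Python audit that resolves the User_Alias, Host_Alias and Cmnd_Alias entries above into per-user grants and flags the broad ones. The parser is a simplification that assumes aliases are defined before use and that the user and host fields are single tokens; the function names are illustrative.

```python
import re

# Constructed input: the alias, group and "full permission" rules shown in these notes.
SUDOERS = """\
Host_Alias DBSERVERS = bardiya, nepal, udaya
User_Alias ADMINS = surya, jay, kamal
Cmnd_Alias ADMINCMDS = /usr/sbin/useradd, /usr/bin/passwd,/sbin/route
ADMINS DBSERVERS=ADMINCMDS
%sales ALL=/usr/sbin/useradd
jay ALL = ALL
"""

ALIAS = re.compile(r"^(User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")  # user host = [(runas)] cmds

def items(text):
    return [part.strip() for part in text.split(",") if part.strip()]

def expand(names, table):  # replace alias names with their members (aliases may nest)
    out = []
    for name in names:
        out.extend(expand(table[name], table) if name in table else [name])
    return out

def effective_grants(text):
    """Return (user, hosts, command) tuples with every alias resolved."""
    aliases, grants = {"User": {}, "Host": {}, "Cmnd": {}}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match nothing
        if m := ALIAS.match(line):
            aliases[m.group(1)][m.group(2)] = items(m.group(3))
        elif m := RULE.match(line):
            who, host, cmds = m.groups()
            hosts = tuple(expand([host], aliases["Host"]))
            for user in expand([who], aliases["User"]):
                for cmd in expand(items(cmds), aliases["Cmnd"]):
                    grants.append((user, hosts, cmd))
    return grants

def audit(text):
    """Flag grants broader than a single, argument-restricted command."""
    findings = []
    for user, _hosts, cmd in effective_grants(text):
        argv = cmd.split()
        if cmd == "ALL":
            findings.append((user, cmd, "every command, as root by default"))
        elif argv[0].endswith("/passwd") and len(argv) == 1:
            findings.append((user, cmd, "no argument limit: covers every account, root included"))
    return findings
```

Running `audit(SUDOERS)` reports the `/usr/bin/passwd` grant for each member of ADMINS and the `jay ALL = ALL` rule; on a live host, `sudo -l -U <user>` shows the grants sudo itself computes.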