Saturday, February 15, 2014

Configure SUDO

Enhanced User Security

- Sudo user
- A normal user cannot run every command
- sudo is used to give a normal user special permission to run specific commands
- Use the "whereis" command to find the exact path of a command
- When executing, use sudo + the full path of the command
- The configuration file is /etc/sudoers
- Edit it with visudo, which checks the syntax before saving.
------------------------------------------------------


Permission to users
# visudo
  root ALL=(ALL) ALL
  jay  ALL = /usr/sbin/useradd    # allow only the useradd command
  # OR
  jay  ALL = ALL                  # give full permission
  :wq

Now, change to the user jay
# su - jay
$ useradd tom                # Error: Permission denied
$ sudo /usr/sbin/useradd tom
---------------------------------------------

Permission to group
# groupadd sales
# -a appends; without it, -G replaces the user's other supplementary groups
# usermod -aG sales jay
# usermod -aG sales dev
# visudo
  %sales    ALL=/usr/sbin/useradd
  :wq

Now, change user to dev

# su - dev
$ sudo /usr/sbin/useradd ram
---------------------------------------

Aliases

There are two (or three) types of alias
- User alias
- Command alias
- Host alias
------------------------------------------------------

# visudo
  ## User aliases
  User_Alias  TESTER = jay, dev        # TESTER is just a name that represents these users
  ## You can create several user aliases and put different users in each to give different permissions.
  ## Command aliases
  Cmnd_Alias  CMDS = /sbin/service, /sbin/fdisk      # CMDS is just a name; any name can be used for a command alias

  root ALL=(ALL) ALL
  TESTER ALL = CMDS
  :wq

Now switch to one of the TESTER users and test the access.

======================================

Run visudo and add the following to the file.
# visudo

Host_Alias  DBSERVERS = bardiya, nepal, udaya
User_Alias  ADMINS = surya, jay, kamal
Cmnd_Alias  ADMINCMDS = /usr/sbin/useradd, /usr/bin/passwd, /sbin/route
ADMINS DBSERVERS=ADMINCMDS

:wq!

login as: surya
surya@192.168.10.32's password:
Last login: Fri Mar 15 00:13:01 2013 from 192.168.10.11
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel \r on an \m
If you mess with this system, you will be on big trouble.....

[surya@bardiya ~]$ sudo useradd pratic
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for surya:

[surya@bardiya ~]$ id pratic
uid=2021(pratic) gid=2021(pratic) groups=2021(pratic)

[surya@bardiya ~]$ sudo passwd pratic
Changing password for user pratic.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
[surya@bardiya ~]$
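
A misspelled alias keyword, a command given without its full path, or a broad "ALL" grant is easy to miss when reviewing rules like the ones above. The following is an added example, not part of the original post: a small Python linter for a sudoers fragment. It assumes single-line aliases and rules and treats every "#" as the start of a comment; the sample input is constructed.

```python
import re

ALIAS_KINDS = {"User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}

def lint_sudoers(text):
    """Return sorted (line_no, message) findings for a sudoers fragment."""
    findings, cmnd_aliases, rules = [], set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # simplification: '#' always starts a comment
        if not line or line.startswith("Defaults"):
            continue
        alias = re.match(r"(\w+_Alias)\s+(\w+)\s*=\s*(.+)", line)
        rule = re.match(r"(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.*)", line)
        if alias:
            kind, name, members = alias.groups()
            if kind not in ALIAS_KINDS:
                findings.append((no, f"unknown alias keyword {kind!r}"))
            elif kind == "Cmnd_Alias":
                cmnd_aliases.add(name)
                rules.append((no, name, members))   # check the alias members too
        elif rule:
            rules.append((no, rule.group(1), rule.group(2)))
    for no, who, cmds in rules:
        # Drop leading tags such as "NOPASSWD:" before looking at the command.
        items = [i for i in (re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip()) for c in cmds.split(",")) if i]
        if not items:
            findings.append((no, f"{who}: rule has no command list"))
        for item in items:
            cmd = item.split()[0].lstrip("!")
            if cmd == "ALL" and who != "root":
                findings.append((no, f"{who}: unrestricted ALL command grant"))
            elif cmd.isupper() and cmd not in cmnd_aliases | {"ALL"}:
                findings.append((no, f"{who}: undefined Cmnd_Alias {cmd!r}"))
            elif not (cmd.isupper() or cmd.startswith("/") or cmd == "sudoedit"):
                findings.append((no, f"{who}: {cmd!r} is not an absolute path"))
    return sorted(findings)

# Constructed sample modelled on the rules in this post (not a real system's file).
SAMPLE = """\
User_Alias  TESTER = jay, dev
Cmmd_Alias  CMDS = /sbin/service, /sbin/fdisk
Cmnd_Alias  ADMINCMDS = /usr/sbin/useradd, passwd
root    ALL=(ALL) ALL
jay     ALL = ALL
TESTER  ALL = CMDS
dev     ALL = (ALL)
"""

if __name__ == "__main__":
    print(*(f"line {n}: {m}" for n, m in lint_sudoers(SAMPLE)), sep="\n")
```

Run it against a copy of the file before installing the change; it complements the syntax check that visudo performs and does not replace it.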
