Linuxing In London - 19/10/2016. session 1: root, su or sudo? ALINA ŚWIĘTOCHOWSKA PRINCIPAL TECHNOLOGIST UNIX/LINUX

Transcription

1 Linuxing In London - 19/10/2016 session 1: root, su or sudo? ALINA ŚWIĘTOCHOWSKA PRINCIPAL TECHNOLOGIST UNIX/LINUX

2 root, su or sudo? What is superuser? Using root and its password (or not) Using su (or not) Job role assignments with sudo

3 What is superuser? what it should not be

4 What is superuser? Definition Limitations Risks

5 Superuser definition Superuser is an account with numeric UID of 0 Nearly all Linux administration must be done as root This user (user id 0) has unrestricted access to the system Shell assignment in the /etc/passwd file might restrict the power For network service processes, use privileged system accounts Associated with specific administrative functions Use them, where relevant

6 Login as root DON T. NEVER. EVER. Exceptions: You inherited a system without an account with elevated privileges You have a third party (or in-house written) application that expects to see a string root to validate authorisation Fix your exception: Add appropriate account Sort the application - upgrade / replace / file a bug Then: REMOVE root s PASSWORD user system

7 Why should we avoid root? Hackers love it Every UNIX/Linux has root; only password to be cracked No auditing Too many people end up having the password: who removed that file? No file locking at the standard OS level Whose modification prevail? $ sudo useradd -o -u 0 backdoor notice, this is also a superuser!

8 Working with su (or not)...

9 Working with su Using the su command Configuration and logging PROs and CONs

10 su configuration and logging The set user (su) command switches to another user The effective user and group id changed; a new shell for the new user started Configuration: /etc/default/su - startup directives for su (not used in RHEL 7) /etc/login.defs /etc/pam.d/su /etc/pam.d/su-l - global login definitions for shadow programs - configuration (rules) file used by PAM - as above, but used if su was invoked with -l option Log file - wherever authpriv is configured $ grep -r authpriv /etc/rsyslog* RHEL 7 - /var/log/secure Ubuntu 16 - /var/log/auth.log

11 PROs and CONs of su PROs Well established and known Every UNIX and linux has it Simple to use CONs Requires password for root Limited logging and auditing Encourages prolonged session Too many individuals end up with root password

12 sudo switch user to do stuff

13 sudo What is it? Why? How it works? Simple configuration Making the best of aliases and environment Drawbacks and risks

14 What is it? The sudo tool is alternative to su (ish) Can define who can do what as which user on which host Several merits and advantages over su: Full logging in /var/log/messages for transaction audit Timestamp-based "tickets" limit sudo session to short period The configuration can be centralised across the network To see what you can do: $ sudo -l

15 How? To start a sudo session: $ sudo mount /mnt/disk1 Password: start sudo session provide password your own password allowed? consult /etc/sudoers YES NO start command log it start time ticket log it ticket valid for a few minutes

16 Take out insurance policy Initially, ensure access in case things don t go right first time! $ sudo passwd root $ su - root Save the templates # cp /etc/sudoers /etc/sudoers_orig # cp -R /etc/sudoers.d /etc/sudoers.d_orig Feels wrong? Looks wrong? It should!

17 Default configuration Have a peak at the configuration, before blowing it away root and the members of group wheel can run all commands, on all machines, with any identity

18 Simple configuration Uses Extended Backus-Naur Form (EBNF) notation What it all means: root All=(ALL) ALL %wheel All=(ALL) ALL /etc/sudoers who where (host) as whom ('runas') allowed commands Add the system owner to group wheel # usermod -G wheel qa wheel:x:10:root,qa /etc/group

19 'User' and 'runas' aliases User_Alias - a list of users, UIDs, system groups or netgroups User_Alias User_Alias User_Alias FULLTIMERS = bobm, petek, colinb ASSOCIATES = martinb, grahamb WEBMASTERS = sueb, mickw, elliet Runas_Alias - a list of users, UIDs, system groups or netgroups Runas_Alias Runas_Alias DB = ingres, mysql OP = %adm, admins

20 'Host' and 'Cmnd' aliases Host_Alias - a list of hosts, netgroups, IP addresses, networks Host_Alias Host_Alias WWW = booboo, rupert, teddy, care, sun* CDROM = /24, booboo, padders Cmnd_Alias - a list of allowed commands Cmnd_Alias SHUT = /usr/sbin/reboot, /usr/sbin/halt, \ /usr/sbin/systemctl reboot Cmnd_Alias DUMPS = /usr/bin/mt, /sbin/dump, /sbin/rdump, \ /sbin/restore

21 Putting it all together Rule 1: sudoers policy works on last match principle Typically, aliases are used for the purpose, for example: user FULLTIMERS ASSOCIATES grahamb WEBMASTERS %admins, %wheel bob mickw host = (run as user) command ALL = NOPASSWD: ALL ALL = (DB) ALL LOCAL = /sbin/service crond restart WWW = (www) ALL, (root) /usr/bin/su www ALL = ALL CDROM = (root) DUMPS ALL = (OP) SHUT, DUMPS

22 Options can be: booleans integers strings integers used as booleans insults passwd_tries=3 secure_path = /sbin:/usr/sbin timestamp_timeout=0 Options control overall behaviour of sudo operation, but can be applied to: users hosts runas commands >DB!/bin/systemctl!lecture setenv insults!lecture env_reset!lecture

23 Environment Plenty environmental definitions to explore man 5 sudoers always_set_home secure_path = /sbin:/bin:/usr/sbin:/usr/bin env_reset env_keep += "COLORFGBG COLORTERM" env_keep += "LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE" env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME" env_keep += "LINES COLUMNS" env_keep += "LSCOLORS" env_keep += "SSH_AUTH_SOCK" env_keep += "TZ" env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY" env_keep += "EDITOR VISUAL

24 Using builtins with sudo Beware : environment may be inherited, but never promoted [qa@ewok ~]$ ls /var/log/samba ls: cannot open directory /var/log/samba: Permission denied [qa@ewok ~]$ cd /var/log/samba -bash: cd: /var/log/samba: Permission denied [qa@ewok ~]$ sudo cd /var/log/samba [qa@ewok ~]$ sudo sh -c 'cd /var/log/samba; ls ' cores log log log.csukleapp55 log. log log log.ewok log log log log.nmbd log log log log.purism log log log log.smbd [...]

25 Logging with rsyslog Default log destination, wherever authpriv is set to go $ grep -r authpriv /etc/rsyslog* RHEL 7 - /var/log/secure Ubuntu 16 - /var/log/auth.log sudo uses local2 facility to submit messages to rsyslog local2.notice used for successful sudo activity local2.alert used for failed sudo activity local2.=notice local2.=alert /var/log/sudo_success /var/log/sudo_failure

26 Finally, hints and traps best kept secrets, perhaps

27 Using redirection/piping with sudo Same issue: who does what Redirection and piping are handled by your shell......not the sub-shell created for sudo ~]$ sudo blkid /dev/sda1: UUID="501e86ba-47d2-4b88-b158-dde e" TYPE="xfs" [...] /dev/sda6: UUID="f60ee74b a77-96ac-baefacc74380" TYPE="swap" /dev/sda7: UUID="afd88844-ca25-4e0f-89cc-3f097ec5327f" TYPE="xfs" /dev/sr0: LABEL="UDF Volume" TYPE="udf" ~]$ sudo blkid > /var/log/blkid -bash: /var/log/blkid: Permission denied ~]$ sudo sh -c blkid > /var/log/blkid

28 Fixing a broken sudoers file Error: $ sudo visudo sudo: >>> /etc/sudoers: syntax error near...<<< sudo: parse error in /etc/sudoers near line 120 sudo: no valid sudoers sources found, quitting sudo: unable to initialize policy plugin Fix: part of polkit tools - policy kit, authorization framework for APIs [qa@ewok ~]$ pkexec vi /etc/sudoers == AUTHENTICATING FOR org.freedesktop.policykit.exec === Authentication is needed to run `/bin/vi' as the super user Authenticating as: QA Student (qa) Password: ==== AUTHENTICATION COMPLETE ===

29 Escaping into shell Imagine the following assignment for user fred: fred $ sudo vi ~ ~ ~ ~ :!bash All = (ALL) /usr/bin/vi Do not assign programs which have a so-called escape into shell ability! Avoid command exclusions - can always find a hole E.G:!/usr/bin/vi - exclusion may not stop access to other similar programs...

30 Time ticket To control grace time between password authentication: [...] timestamp_timeout=0 0 means password required with every sudo command Avoid NOPASSWD in user/group assignments freddie ALL=NOPASSWD: ALL