Sudo: Switch User Do. Administrative Privileges Delegation Campus-Booster ID : **XXXXX. Copyright SUPINFO. All rights reserved

Transcription

1 Sudo: Switch User Do Administrative Privileges Delegation Campus-Booster ID : **XXXXX Copyright SUPINFO. All rights reserved

2 Sudo: Switch User Do Your trainer Presenter s Name Title: **Enter title or job role. Accomplishments: **What makes the presenter qualified to present this course. Education: **List degrees if important. Publications: **Writings by the presenter on the subject of the course or presentation. Contact: **Campus-Booster ID: presenter@supinfo.com

3 Sudo: Switch User Do Course objectives By completing this course, you will: n Delegate privileges. Allow users to execute commands as root or another user. n Restricted delegation. Delegate only a command subset. n Password/Passwordless privilege granting. Control whether or not users will be prompted.

4 Sudo: Switch User Do Course topics Course s plan: n Unix privileges. Concept and limitations. n Using sudo. How to delegate privileges n Editing files as root: sudoedit. Wildcards and pitfalls.

5 Sudo: Switch User Do Unix privileges Concept and limitations

6 Unix privileges King and peasants Unix systems lacks granularity. n All or nothing model n Root user n Administrator n superuser n All-powerful n Regular user n (Very) limited n Helpless outside ~ n Rely on root

7 Unix privileges Peasants and Gentlefolks Power Users? n Service administrators n Need a subset of root privileges n Using su n Start/Stop daemon n Edit config files n Different physical users: Not a good idea. n Need to give root password away

8 Unix privileges Peasants and Gentlefolks Restricted su: sudo n Delegate only what s needed n Specific commands n Specific users n On specific hosts n Can log (almost) everything n Prompts for the sudoer password n Using sudo as a su is pointless

9 Unix privileges Stop-and-think Do you have any questions?

10 Unix privileges Stop-and-think Unix system have a privileged user group named Power Users. True False

11 Unix privileges Stop-and-think Unix system have a privileged user group named Power Users. True False

12 Sudo: Switch User Do Using sudo Delegating privileges

13 Using sudo Configuration Who s allowed to do what (and where). n Sudo config file n /etc/sudoers n Sensitive n Only writable as root n Never edit it directly n Use visudo n Checks syntax before overwriting n Uses $EDITOR

14 Using sudo Config file structure n Gobal format: login/group host = (can sudo as user) command(s) n Sarah can change the date: sarah ALL = (ALL) /bin/date n Bill can reboot without a password bill ALL = (ALL) NOPASSWD:/sbin/reboot n Members of the webadm group can control the service %webadmin ALL = (ALL) /etc/init.d/apache2 n Wheel members can execute all commands but su %wheel ALL = (ALL) ALL,!/bin/su

15 Using sudo Aliases Factoring elements. n Create lists of n Users, groups n Hosts, networks, n Binaries n Keywords: n User_Alias n Runas_Alias n Host_Alias n Cmnd_Alias

16 Using sudo Aliases Configuration Example: Cmnd_Alias BACKUPS = /usr/bin/tar, /usr/bin/rsync, \ /usr/bin/dump User_Alias BOPS = john, bill, sarah, %wheel BOPS ALL = (ALL) NOPASSWD: BACKUPS

17 Using sudo Sudo invocation Using sudo ~]$ sudo [options] command Options Definitions -i -u user -l Interactive session: Open a shell as the selected identity. Run the command as user. List available (delegated) actions for the currently logged user.

18 Using sudo Stop-and-think Do you have any questions?

19 Using sudo Stop-and-think Sudo options: Match options and their definition. -u -i -l List av. actions Select user Open a shell

20 Using sudo Stop-and-think Sudo options: Match options and their definition. -u -i -l List av. actions Select user Open a shell

21 Sudo: Switch User Do Editing files as root: sudoedit Wildcard and pitfalls

22 Editing files as root: sudoedit Sudoedit Why not using $EDITOR? n Security n Spawn shell from editor n $EDITOR is a shell n n Sudoedit n Copy the file as root n Run $EDITOR as yourself n Overwrite original as root

23 Editing files as root: sudoedit Wildcards and Pitfalls n What do you think about this? %webadmins ALL = (ALL) NOPASSWD: sudoedit /etc/httpd/*

24 Editing files as root: sudoedit Wildcards and Pitfalls n Now consider this: [user@linux ~]$ sudoedit /etc/httpd/../shadow n Wildcards are potentially dangerous n Use with caution n Consider using ACL s to delegate rights over these files

25 Editing files as root: sudoedit Stop-and-think Do you have any questions?

26 Editing files as root: sudoedit Stop-and-think To allow users to edit a config file set, you will: Use sudoedit and a wildcard Use sudoedit, one command per file Use ACL s

27 Editing files as root: sudoedit Stop-and-think To allow users to edit a config file set, you will: Use sudoedit and a wildcard Use sudoedit, one command per file Use ACL s

28 Sudo: Switch User Do Course summary Sudoedit Unix privileges Wildcards Privileges delegation Using Aliases

29 Sudo: Switch User Do For more If you want to go into these subjects more deeply, Publications Courses Linux Technologies: Edge Computing Linux system administration Web sites Conferences FOSDEM RMLL Solutions Linux

30 Congratulations You have successfully completed the SUPINFO course module n 07 Sudo: Switch User Do

31 Sudo: Switch User Do The end n Delegate only required privileges n Use sudo rather than sharing a single root account