Sudo: Switch User Do
Administrative Privileges Delegation
www.supinfo.com. Copyright SUPINFO. All rights reserved
Course objectives
By completing this course, you will:
- Delegate privileges: allow users to execute commands as root or as another user.
- Restrict delegation: delegate only a subset of commands.
- Grant privileges with or without a password: control whether users are prompted.
Course topics
Course plan:
- Unix privileges: concept and limitations.
- Using sudo: how to delegate privileges.
- Editing files as root with sudoedit: wildcards and pitfalls.
Unix privileges
Concept and limitations
Unix privileges: King and peasants
Unix systems lack granularity: privileges follow an all-or-nothing model.
- Root user
  - Administrator, superuser
  - All-powerful
- Regular user
  - (Very) limited
  - Helpless outside ~ (the home directory)
  - Relies on root for everything else
Unix privileges: Peasants and gentlefolk
Power users?
- Service administrators
  - Need only a subset of root privileges
- Using su
  - Start/stop a daemon
  - Edit config files
  - Shared between different physical users: not a good idea
  - Requires giving the root password away
Unix privileges: Peasants and gentlefolk
Restricted su: sudo
- Delegate only what is needed
  - Specific commands
  - Specific users
  - On specific hosts
- Can log (almost) everything
- Prompts for the sudoer's own password, not root's
- Using sudo merely as a su replacement is pointless
Unix privileges: Stop-and-think
Do you have any questions?
Unix privileges: Stop-and-think
Unix systems have a privileged user group named "Power Users". True / False
Using sudo
Delegating privileges
Using sudo: Configuration
Who is allowed to do what (and where).
- Sudo config file: /etc/sudoers
  - Sensitive
  - Only writable as root
- Never edit it directly
  - Use visudo
  - Checks the syntax before overwriting the file
  - Uses $EDITOR
Using sudo: Config file structure
- Global format: login/group host = (can sudo as user) command(s)
- Sarah can change the date:
    sarah ALL = (ALL) /bin/date
- Bill can reboot without a password:
    bill ALL = (ALL) NOPASSWD:/sbin/reboot
- Members of the webadmin group can control the service:
    %webadmin ALL = (ALL) /etc/init.d/apache2
- Wheel members can execute all commands but su:
    %wheel ALL = (ALL) ALL,!/bin/su
Using sudo: Aliases
Factoring elements.
- Create named lists of:
  - Users, groups
  - Hosts, networks
  - Binaries
- Keywords:
  - User_Alias
  - Runas_Alias
  - Host_Alias
  - Cmnd_Alias
Using sudo: Aliases
Configuration example:
    Cmnd_Alias BACKUPS = /usr/bin/tar, /usr/bin/rsync, \
                         /usr/bin/dump
    User_Alias BOPS = john, bill, sarah, %wheel
    BOPS ALL = (ALL) NOPASSWD: BACKUPS
Using sudo: Sudo invocation
Using sudo:
    [user@linux ~]$ sudo [options] command
Options and definitions:
- -i        Interactive session: open a shell as the selected identity.
- -u user   Run the command as user.
- -l        List the available (delegated) actions for the currently logged-in user.
Using sudo: Stop-and-think
Do you have any questions?
Using sudo: Stop-and-think
Sudo options: match each option with its definition.
Options: -u, -i, -l
Definitions: list available actions, select user, open a shell
Editing files as root: sudoedit
Wildcards and pitfalls
Editing files as root: sudoedit
Why not run $EDITOR through sudo?
- Security
  - A shell can be spawned from inside the editor
  - A root $EDITOR is therefore effectively a root shell
- Sudoedit instead:
  - Copies the file as root
  - Runs $EDITOR as yourself on the copy
  - Overwrites the original as root
Editing files as root: sudoedit. Wildcards and pitfalls
- What do you think about this?
    %webadmins ALL = (ALL) NOPASSWD: sudoedit /etc/httpd/*
Editing files as root: sudoedit. Wildcards and pitfalls
- Now consider this:
    [user@linux ~]$ sudoedit /etc/httpd/../shadow
  The argument still matches the /etc/httpd/* pattern, yet the path resolves to /etc/shadow.
- Wildcards are potentially dangerous
  - Use with caution
  - Consider using ACLs to delegate rights over these files instead
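As an added example that is not part of the SUPINFO slides, the script below ties the sudoers rules from the configuration slides to the wildcard pitfall above: it models how sudo's argument matching lets /etc/httpd/../shadow through a /etc/httpd/* rule, scans a constructed sudoers fragment for wildcard sudoedit rules, and prints the one-rule-per-file replacement the slides recommend. The group %webadmins, the /etc/httpd directory and the file names are assumptions borrowed from the slides; the sudoers fragment is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the SUPINFO slides: models how a wildcard sudoedit
# rule matches its argument, scans a sudoers fragment for such rules, and
# emits the slides' safer alternative (one explicit rule per file).
# %webadmins, /etc/httpd and the file names are assumptions taken from the
# slides' examples; the fragment below is constructed for this demo.

SUDOERS_FRAGMENT='Cmnd_Alias BACKUPS = /usr/bin/tar, /usr/bin/rsync
%webadmins ALL = (ALL) NOPASSWD: sudoedit /etc/httpd/*
bill ALL = (ALL) NOPASSWD:/sbin/reboot
sarah ALL = (ALL) sudoedit /etc/httpd/httpd.conf'

# sudo matches command-line arguments with shell-style globbing in which "*"
# also matches "/", so a "../" component is not stopped by the pattern.
# The shell's own case-pattern matching behaves the same way and models it.
# usage: rule_permits_arg PATTERN ARG   (returns 0 when ARG matches PATTERN)
rule_permits_arg() {
    case $2 in
        $1) return 0 ;;
    esac
    return 1
}

# Print every sudoedit rule whose file spec contains a glob character.
# usage: flag_wildcard_sudoedit < sudoers_file
flag_wildcard_sudoedit() {
    grep -E 'sudoedit[[:space:]]+[^[:space:]]*[*?[]'
}

# Safer form from the slides: one explicit sudoedit rule per file, no wildcard.
# usage: per_file_rules WHO DIR FILE...   (FILE names are relative to DIR)
per_file_rules() {
    who=$1 dir=$2
    shift 2
    for f in "$@"; do
        printf '%s ALL = (ALL) NOPASSWD: sudoedit %s/%s\n' "$who" "$dir" "$f"
    done
}

if rule_permits_arg '/etc/httpd/*' '/etc/httpd/../shadow'; then
    echo "wildcard rule also permits /etc/httpd/../shadow (that is, /etc/shadow)"
fi
echo "Rules to review:"
printf '%s\n' "$SUDOERS_FRAGMENT" | flag_wildcard_sudoedit
echo "Replacement rules (validate with: visudo -c -f FILE before installing):"
per_file_rules '%webadmins' /etc/httpd httpd.conf conf.d/ssl.conf
```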
Editing files as root: sudoedit. Stop-and-think
Do you have any questions?
Editing files as root: sudoedit. Stop-and-think
To allow users to edit a set of config files, you will:
- Use sudoedit and a wildcard
- Use sudoedit, one command per file
- Use ACLs
Course summary
- Unix privileges
- Privilege delegation
- Using aliases
- Sudoedit
- Wildcards
For more
If you want to go into these subjects more deeply:
- Courses: Linux Technologies: Edge Computing; Linux system administration
- Web sites: www.supinfo.com, www.labo-linux.com, www.blackbeltfactory.com
- Conferences: FOSDEM, RMLL, Solutions Linux
Congratulations
You have successfully completed SUPINFO course module 07: Sudo: Switch User Do
The end
- Delegate only the required privileges
- Use sudo rather than sharing a single root account