2016年3月17日 星期四

Linux 6 sudoer make up

How To Edit the Sudoers File on Ubuntu and CentOS

Sep 17, 2013  Linux Basics UbuntuCentOS

Introduction

Privilege separation is one of the fundamental security paradigms implemented in Linux and Unix-like operating systems. Regular users operate with limited privileges in order to reduce the scope of their influence to their own environment, and not the wider operating system.
A special user, called root, has "super-user" privileges. This is an administrative account without the restrictions that are present on normal users. Users can execute commands with "super-user" or "root" privileges in a number of different ways.
In this article, we will discuss how to correctly and securely obtain root privileges, with a special focus on editing the /etc/sudoers file.
We will be completing these steps on an Ubuntu 12.04 VPS, but most modern Linux distributions should operate in a similar manner.
This guide assumes that you have already completed the initial server setup discussed here. Log into your VPS as regular, non-root user.

How To Obtain Root Privileges

There are three basic ways to obtain root privileges, which vary in their level of sophistication.

Log In As Root

The simplest and most straight forward method of obtaining root privileges is simply to log into your VPS as root from the onset.
If you are using the "Console Access" button from the droplets page, simply enter "root" as the username and enter the root password when prompted.
DigitalOcean Console Screen
If you are logging in through SSH, specify the root user prior to the IP address or host name in your connection parameters.
ssh root@your_IP_address_or_domain
Again, enter the root password when prompted.

Use "su" to Become Root

Logging in as root is usually not recommended, because it is easy to begin using the system for non-administrative tasks, which is dangerous.
The next way to gain super-user privileges allows you to become the root user at any time, as you need it.
We can do this by invoking the su command, which stands for "substitute user". To gain root privileges, simply type:
su
You will be prompted for the root user's password, after which, you will be dropped into a root shell session.
When you have finished the tasks which require root privileges, return to your normal shell by typing:
exit

Use "sudo" to Execute Commands as Root

The final, and most complex, way of obtaining root privileges that we will discuss is with the sudocommand.
The sudo command allows you to execute one-off commands with root privileges, without the need to spawn a new shell. It is executed like this:
sudo command_to_execute
Unlike su, sudo will request the password of the user calling the command, not the root password.
Because of its security implications, sudo does not work by default, and must be set up before it functions correctly. If you followed the initial server setup guide, you already completed a bare-bones configuration.
In the following section, we will discuss how to modify the configuration in greater detail.

What is Visudo?

The sudo command is configured through a file located at /etc/sudoers.
Note: Never edit this file with a normal text editor! Always use the visudo command instead!
Because improper syntax in the sudoers file can leave you with a system where it is impossible to obtain elevated privileges, it is important to use the visudo command to edit the file.
The visudo command opens a text editor like normal, but then validates the syntax of the file upon saving. This prevents configuration errors from blocking "sudo" operations, which may be your only way of obtaining root privileges.
Traditionally, visudo opens the /etc/sudoers file with the "vi" text editor. Ubuntu, however, has configured visudo to use the "nano" text editor instead.
If you would like to change it back to "vi", issue the following command:
sudo update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode
Select the number that corresponds with the choice you would like to make.
On CentOS, you can change this value by adding the following line to your ~/.bashrc:
export EDITOR=/path/to/editor
Source the file to implement the changes:
. ~/.bashrc
After you have configured visudo, execute the command to access the /etc/sudoers file:
sudo visudo

How To Modify the Sudoers File

You will be presented with the sudoers file in your selected text editor.
I have copied and pasted the file from Ubuntu 12.04, with comments removed (but including the addition we made in our initial server set up). The CentOS sudoers file has many more lines, some of which we will not discuss in this guide.
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root        ALL=(ALL:ALL) ALL
demo        ALL=(ALL:ALL) ALL

%admin      ALL=(ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
Let's take a look at what these lines do.

Default Lines

The first line, "Defaults env_reset", resets the terminal environment to remove any user variables. This is a safety measure used to clear potentially harmful environmental variables from the sudo session.
The second line, which begins with "Defaults secure_path=...", specifies the PATH (the places in the filesystem the operating system will look for applications) that will be used for sudo operations. This prevents using user paths which may be harmful.

User Privilege Lines

The third and fourth lines, we are somewhat familiar with. The fourth line you added yourself, but you might not have investigated the details of what each portion was accomplishing.
  • demo  ALL=(ALL:ALL) ALL
    The first field indicates the username that the rule will apply to (demo).
  • demo     ALL=(ALL:ALL) ALL
    The first "ALL" indicates that this rule applies to all hosts.
  • demo     ALL=(ALL:ALL) ALL
    This "ALL" indicates that the demo user can run commands as all users.
  • demo     ALL=(ALL:ALL) ALL
    This "ALL" indicates that the demo user can run commands as all groups.
  • demo     ALL=(ALL:ALL) ALL
    The last "ALL" indicates these rules apply to all commands.
This means that our "root" and "demo" users can run any command using sudo, as long as they provide their password.

Group Privilege Lines

The last two lines are similar to the user privilege lines, but they specify sudo rules for groups.
Names beginning with a "%" indicate group names.
Here, we see the "admin" group can execute any command as any user on any host. Similarly, the "sudo" group can has the same privileges, but can execute as any group as well.

How To Set Up Custom Rules

Now that we have gotten familiar with the general syntax of the file, let's create some new rules.

How To Create Aliases

The sudoers file can be organized more easily by grouping things with various kinds of "aliases".
For instance, we can create three different groups of users, with overlapping membership:
User_Alias      GROUPONE = abby, brent, carl
User_Alias      GROUPTWO = brent, doris, eric, 
User_Alias      GROUPTHREE = doris, felicia, grant
Group names must start with a capital letter. We can then allow members of GROUPTWO to update apt-get's database by creating a rule like this:
GROUPTWO    ALL = /usr/bin/apt-get update
If we do not specify a user/group to run as, as above, sudo defaults to the root user.
We can allow members of GROUPTHREE to shutdown and reboot the machine by creating a "command alias" and using that in a rule for GROUPTHREE:
Cmnd_Alias      POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
GROUPTHREE  ALL = POWER
We create a command alias called "POWER" that contains commands to power off and reboot the machine. We then allow the members of GROUPTHREE to execute these commands.
We can also create "Run as" aliases, which can replace the portion of the rule that specifies the user to execute the command as:
Runas_Alias     WEB = www-data, apache
GROUPONE    ALL = (WEB) ALL
This will allow anyone who is a member of GROUPONE to execute commands as the "www-data" user or the "apache" user.
Just keep in mind that later rules will override earlier rules when there is a conflict between the two.

How To Lock Down Rules

There are a number of ways that you can achieve more control over how sudo reacts to a call.
The updatedb command associated with the "mlocate" package is relatively harmless. If we want to allow users to execute it with root privileges without having to type a password, we can make a rule like this:
GROUPONE    ALL = NOPASSWD: /usr/bin/updatedb
NOPASSWD is a "tag" that means no password will be requested. It has a companion command called PASSWD, which is the default behavior. A tag is relevant for the rest of the rule unless overruled by its "twin" tag later down the line.
For instance, we can have a line like this:
GROUPTWO    ALL = NOPASSWD: /usr/bin/updatedb, PASSWD: /bin/kill
Another helpful tag is "NOEXEC", which can be used to prevent some dangerous behavior in certain programs.
For example, some programs, like "less", can spawn other commands by typing this from within their interface:
!command_to_run
This basically executes any command the user gives it with the same permissions that "less" is running under, which can be quite dangerous.
To restrict this, we could use a line like this:
username    ALL = NOEXEC: /usr/bin/less

Miscellaneous Information

There are a few more pieces of information that may be useful when dealing with sudo.
If you specified a user or group to "run as" in the configuration file, you can execute commands as those users by using the "-u" and "-g" flags, respectively:
sudo -u run_as_user command
sudo -g run_as_group command
For convenience, by default, sudo will save your authentication details for a certain amount of time in one terminal. This means you won't have to type your password in again until that timer runs out.
For security purposes, if you wish to clear this timer when you are done running administrative commands, you can run:
sudo -k
If you are simply wondering what kind of privileges are defined for your username, you can type:
sudo -l
This will list all of the rules in the /etc/sudoers file that apply to your user. This gives you a good idea of what you will or will not be allowed to do with sudo as any user.
There are many times when you will execute a command and it will fail because you forgot to precede it with "sudo". To avoid having to re-type the command, you can take advantage of a bash functionality that means "repeat last command":
sudo !!
The double exclamation point will repeat the last command. We preceded it with sudo to quickly change the unprivileged command to a privileged command.
For some fun, you can add the following line to your sudoers file with visudo:
sudo visudo
Defaults    insults
This will cause sudo to return a silly insult when a user types in an incorrect password for sudo. We'll usesudo -k to clear the previous sudo cached password to try it out:
sudo -k
sudo ls
[sudo] password for demo:    # enter an incorrect password here to see the results
Your mind just hasn't been the same since the electro-shock, has it?
[sudo] password for demo: 
My mind is going. I can feel it.

Conclusion

You should now have a basic understanding of how to read and modify the sudoers file, and a grasp on the various methods that you can use to obtain root privileges.
Remember, super-user privileges are not given to regular users for a reason. It is essential that you understand what each command does that you execute with root privileges. Do not take the responsibility lightly. Learn the best way to use these tools for your use-case, and lock down any functionality that is not needed.
By Justin Ellingwood

17 Comments

  • B
  • I
  • UL
  • OL
  • Code
  • Highlight
  • Table
 
Logged in as:
  • sergeif
    Awesome wrote up Justin! Very handy. Thank you!
     
      • ahmed1490
        bookmarking for ever.. Absolute beginner and found it awesome..
         
          • castleless
            absolute not useful! a lot of divagations, but again telling what do do instead HOW to do. beginners need to find HOW the fuck to do it!
             
              • @castleless: Sorry you feel that way! This article is trying to provide background material to help people understand the commands. Maybe something like the initial server setup guide is more your speed: https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-14-04 If you want to add sudo privileges for a user named "myuser", run the command:
                visudo
                
                Then add the following line to the file:
                myuser     ALL=(ALL:ALL) ALL
                
                Done!
                2
                 
                  • jrussell_88
                    Never mind how to do it differently; how to do it the original way before you change it would be more helpful.
                     
                      • rshpeley
                        So to recap... add
                        ``` myuser ALL=(ALL:ALL) ALL
                        
                        Then on nano as visudo,
                        ```   ^0, ^X
                        ``` to writeout and save the file /etc/sudoers.tmp
                        
                        And it's this sudoers.tmp file which is read by sudo as the config file?
                        
                        Using a tmp file as a config file is a bit counter-intuitive. Does visudo rename it when it's saved?
                        
                        Answering my own question, that does seem to be the case. So never mind the name of the file, just do it...  :/
                        
                         
                          • @rshpeleyvisudo ensures that you don't leave /etc/sudoers in a broken state. It's saved to the temp file, checked for errors, then renamed.
                             
                              • aled.skyrail
                                I found this really helpful actually. Thanks Justin, much appreciated!
                                 
                                  • teeks
                                    Maybe I'm on a later version of Ubuntu since this was written, but it looks like the current config advises using an extra file to add user settings to sudoers.
                                    Is it now correct to uncomment the last line of sudoers #includedir /etc/sudoers.d then add a file in the etc/sudeors.d/ containing your additions?
                                    Also, do I need to restart anything for the changes to take affect?
                                     
                                      • skirankumaar
                                        Hi,
                                        Very helpful article. By the way, how can we add an ldap user (normal user) to the sudoer's file?
                                         
                                          • farinspace
                                            Non-interactive solution for setting vim as default editor
                                            sudo update-alternatives --set editor /usr/bin/vim.basic
                                             
                                              • maxsaka
                                                Super helpful
                                                 
                                                  • studentafrica
                                                    SSH access has been disabled for root. I added user to wheel group and now I cannot grant root privilege to user. I followed https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-7.
                                                    I need help because I use SSH via Putty
                                                    when I use sudo i get user is not in the sudoers file. this incident will be reported
                                                    I need help on what to do as visudo does not work from user account as it gives Permission denied error.
                                                     
                                                      • Niclas
                                                        Did you check that the sudo group exists? You can do this by typing:

                                                        cut -d: -f1 /etc/group

                                                        If not, you can create one with the groupadd command

                                                        After that, you need to add:
                                                        %sudo       ALL=(ALL:ALL) ALL
                                                        
                                                        when you do visudo.

                                                        Hope this helps!
                                                         
                                                        • whosjose
                                                          You can also do
                                                          adduser username
                                                          passwd username
                                                          gpasswd -a username wheel
                                                          A lot easier to remember.
                                                           
                                                            • HimanshuGaur
                                                              Hi
                                                              I`m not able to use Sudo Insults feature
                                                               
                                                                • happy218814
                                                                  Howto make things complex.
                                                                  I still dont know howto add a user to execute a command.
                                                                  Example?
                                                                  I found it, if you want to add a user to execute a command , do this:
                                                                  joe ALL=(ALL) NOPASSWD: /usr/bin/command
                                                                   

                                                                    沒有留言:

                                                                    張貼留言