SUDO Configuration with case study...!!!
What is SUDO?
Substitute User Do: a normal user is granted the privilege to execute selected root-owned commands (chosen according to the user's day-to-day role) that reside under the /usr/sbin directory.
Why SUDO?
- Delegating selected root-owned commands to a privileged user reduces the load on root while adding a security control: the privileged user can execute only the commands that were granted.
- If a virus, worm or malicious script tries to run on a UNIX system, it cannot gain the necessary privileges without the user typing SUDO. This prevents a lot of malware from running without notifying the user.
- Another nice thing about SUDO is that I type in MY password, not root's, to gain root privileges. So if my account gets compromised, the root account is still not compromised.
- It logs both the successful and the failed execution of commands, leaving an audit trail of events.
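As an added example (not part of the original post), the following Python reads sudo's syslog records and separates granted commands from the failure kinds sudo records, so the audit trail the last point mentions can actually be reviewed. The log lines are constructed in the shape of sudo's default syslog output, using the accounts and commands that appear in the cases below.

```python
"""Classify sudo's syslog records into successes and the failure kinds sudo logs.

Added example, not from the original post. The sample lines below are
constructed in the shape of sudo's syslog output (authpriv facility, which
RHEL-style systems write to /var/log/secure); the accounts and commands
follow the case studies on this page.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Jul  4 22:05:31 localhost sudo: TestUser1 : TTY=pts/1 ; PWD=/home/TestUser1 ; USER=root ; COMMAND=/usr/sbin/useradd TestUser2
Jul  4 22:05:40 localhost sudo: TestUser1 : TTY=pts/1 ; PWD=/home/TestUser1 ; USER=root ; COMMAND=/usr/bin/passwd TestUser2
Jul  4 22:09:12 localhost sudo: TestUser10 : command not allowed ; TTY=pts/2 ; PWD=/home/TestUser10 ; USER=root ; COMMAND=/usr/sbin/useradd -c R&D Users NewUser3
Jul  4 22:11:03 localhost sudo: TestUser3 : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/TestUser3 ; USER=root ; COMMAND=/sbin/reboot
Jul  4 22:12:45 localhost sudo: NewUser0 : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/NewUser0 ; USER=root ; COMMAND=/usr/sbin/useradd NewUser7
Jul  4 22:13:02 localhost sshd[2310]: Accepted password for NewUser0 from 192.168.110.1 port 50122 ssh2
"""

# Everything sudo logs has the same tail; a failure inserts its reason before TTY=.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def classify(reason):
    """Map sudo's free-text reason to a small set of outcome labels."""
    if reason is None:
        return "success"
    if reason == "command not allowed":
        return "denied"            # matched a rule, but the command is not granted (Case 6)
    if "incorrect password attempt" in reason:
        return "auth_failure"      # wrong password for the invoking user
    if reason == "user NOT in sudoers":
        return "not_in_sudoers"    # no rule matches at all, e.g. the stale %group in Case 8
    return "other"

def parse_sudo_log(text):
    """Return one dict per sudo record; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["outcome"] = classify(ev["reason"])
            events.append(ev)
    return events

def summarize(events):
    """Count outcomes, and list who was refused and for which command."""
    counts = Counter(ev["outcome"] for ev in events)
    refused = [(ev["user"], ev["cmd"]) for ev in events if ev["outcome"] != "success"]
    return dict(counts), refused

if __name__ == "__main__":
    counts, refused = summarize(parse_sudo_log(SAMPLE_LOG))
    print(counts)
    for user, cmd in refused:
        print(f"refused: {user} -> {cmd}")
```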
As ROOT:
[root@localhost etc]# useradd TestUser1
[root@localhost etc]# passwd TestUser1
Changing password for user TestUser1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
As standard user - TestUser1:
login as: TestUser1
TestUser1@192.168.110.128's password:
This is a Linux production box. Kindly handle it carefully.
Only authenticated persons are permitted to login to the system, violating the same will be legally penalized.
[TestUser1@localhost ~]$ whoami
TestUser1
[TestUser1@localhost ~]$ init 0
init: Need to be root
[TestUser1@localhost ~]$ useradd TestUser2
-bash: /usr/sbin/useradd: Permission denied
Case 1:
1. Creating a new User_Alias named L1ADMINS.
2. Adding the user "TestUser1" to the User_Alias.
3. Creating a new command alias Cmnd_Alias named L1CMNDS. This command alias includes the commands /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd.
4. Mapping the User_Alias L1ADMINS to the command alias L1CMNDS.
This grants the user "TestUser1" the right to execute the commands mapped to the L1CMNDS alias.
As ROOT:
[root@localhost ~]# cd /etc
[root@localhost etc]# cp sudoers sudoers.orig_bkp
[root@localhost ~]# vi /etc/sudoers
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
User_Alias L1ADMINS = TestUser1
## Command Aliases
## These are groups of related commands...
Cmnd_Alias L1CMNDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
TestUser1 ALL=(ALL) L1CMNDS
(Output Truncated…)
[root@localhost etc]# sudo -U TestUser1 -l
Matching Defaults entries for TestUser1 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser1 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
As SUDO User:
[TestUser1@localhost ~]$ id
uid=505(TestUser1) gid=506(TestUser1) groups=506(TestUser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser1@localhost ~]$ whoami
TestUser1
[TestUser1@localhost ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for TestUser1:
Matching Defaults entries for TestUser1 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser1 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
[TestUser1@localhost ~]$ useradd TestUser2
-bash: /usr/sbin/useradd: Permission denied
[TestUser1@localhost ~]$ sudo useradd TestUser2
[TestUser1@localhost ~]$ sudo passwd TestUser2
Changing password for user TestUser2.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[TestUser1@localhost ~]$ id TestUser2
uid=506(TestUser2) gid=507(TestUser2) groups=507(TestUser2)
Case 2:
As ROOT:
1. Granting the user "TestUser2" the right to execute the commands /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd directly, without a command alias.
2. NOPASSWD: means the user will not be prompted for a password while executing these commands through SUDO.
[root@localhost ~]# vi /etc/sudoers
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
TestUser1 ALL=(ALL) L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
(Output Truncated…)
[root@localhost etc]# sudo -U TestUser2 -l
Matching Defaults entries for TestUser2 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser2 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/sbin/useradd, (ALL) /usr/sbin/usermod, (ALL) /usr/sbin/userdel, (ALL) /sbin/shutdown, (ALL) /usr/bin/passwd
As SUDO User:
[TestUser2@localhost ~]$ id
uid=506(TestUser2) gid=507(TestUser2) groups=507(TestUser2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser2@localhost ~]$ whoami
TestUser2
[TestUser2@localhost ~]$ sudo -l
Matching Defaults entries for TestUser2 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser2 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/sbin/useradd, (ALL) /usr/sbin/usermod, (ALL) /usr/sbin/userdel, (ALL) /sbin/shutdown, (ALL) /usr/bin/passwd
Case 3:
As ROOT:
1. Granting the user "TestUser3" the right to execute all the commands listed under the command alias L1CMNDS.
[root@localhost ~]# vi /etc/sudoers
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
TestUser1 ALL=(ALL) L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
TestUser3 ALL=(ALL) L1CMNDS
(Output Truncated…)
[root@localhost etc]# sudo -U TestUser3 -l
Matching Defaults entries for TestUser3 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser3 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
As SUDO User:
[TestUser3@localhost ~]$ id
uid=507(TestUser3) gid=508(TestUser3) groups=508(TestUser3) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser3@localhost ~]$ whoami
TestUser3
[TestUser3@localhost ~]$ sudo -l
Matching Defaults entries for TestUser3 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser3 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
[TestUser3@localhost ~]$ sudo useradd TestUser4
[TestUser3@localhost ~]$ sudo passwd TestUser4
Changing password for user TestUser4.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Case 4:
1. Mapping the users "TestUser5, TestUser6, TestUser7, TestUser8, TestUser9" to the existing User_Alias L1ADMINS. Going forward it is not necessary to specify each user name to grant access; the User_Alias name L1ADMINS can be used instead.
2. Mapping the users listed under User_Alias L1ADMINS to the command alias L1CMNDS.
This ensures that all the users listed under the User_Alias L1ADMINS are granted access to execute all the commands listed under the command alias L1CMNDS.
As ROOT:
[root@localhost etc]# vi /etc/sudoers
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
User_Alias L1ADMINS = TestUser1, TestUser5, TestUser6, TestUser7, TestUser8, TestUser9
Cmnd_Alias L1CMNDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
TestUser1 ALL=(ALL) L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
TestUser3 ALL=(ALL) L1CMNDS
L1ADMINS ALL=(ALL) L1CMNDS
(Output Truncated…)
[root@localhost etc]# sudo -U TestUser5 -l
Matching Defaults entries for TestUser5 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser5 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
As SUDO User:
[TestUser5@localhost ~]$ id
uid=509(TestUser5) gid=510(TestUser5) groups=510(TestUser5) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser5@localhost ~]$ whoami
TestUser5
[TestUser5@localhost ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for TestUser5:
Matching Defaults entries for TestUser5 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser5 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
Case 5:
1. Granting the user "TestUser0" complete root access. This user can execute any command that the super user 'root' can execute.
As ROOT:
[root@localhost etc]# vi /etc/sudoers
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
TestUser0 ALL=(ALL) ALL
TestUser1 ALL=(ALL) L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
TestUser3 ALL=(ALL) L1CMNDS
L1ADMINS ALL=(ALL) L1CMNDS
(Output Truncated…)
[root@localhost etc]# sudo -U TestUser0 -l
Matching Defaults entries for TestUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser0 may run the following commands on this host:
    (ALL) ALL
As SUDO User:
[TestUser0@localhost ~]$ id
uid=514(TestUser0) gid=515(TestUser0) groups=515(TestUser0) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser0@localhost ~]$ whoami
TestUser0
[TestUser0@localhost ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for TestUser0:
Matching Defaults entries for TestUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser0 may run the following commands on this host:
    (ALL) ALL
[TestUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser1
[TestUser0@localhost ~]$ sudo passwd NewUser1
Changing password for user NewUser1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Case 6:
1. Granting the user "TestUser10" the right to execute all commands like root, but restricting the user "TestUser10" from using the commands /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel.
As ROOT:
[root@localhost etc]# vi /etc/sudoers
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
TestUser0 ALL=(ALL) ALL
TestUser1 ALL=(ALL) L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
TestUser3 ALL=(ALL) L1CMNDS
L1ADMINS ALL=(ALL) L1CMNDS
TestUser10 ALL=(ALL) ALL, !/usr/sbin/useradd, !/usr/sbin/usermod, !/usr/sbin/userdel
(Output Truncated…)
[root@localhost etc]# sudo -U TestUser10 -l
Matching Defaults entries for TestUser10 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser10 may run the following commands on this host:
    (ALL) ALL, (ALL) !/usr/sbin/useradd, (ALL) !/usr/sbin/usermod, (ALL) !/usr/sbin/userdel
As SUDO User:
[TestUser10@localhost ~]$ id
uid=517(TestUser10) gid=518(TestUser10) groups=518(TestUser10) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser10@localhost ~]$ whoami
TestUser10
[TestUser10@localhost ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for TestUser10:
Matching Defaults entries for TestUser10 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser10 may run the following commands on this host:
    (ALL) ALL, (ALL) !/usr/sbin/useradd, (ALL) !/usr/sbin/usermod, (ALL) !/usr/sbin/userdel
[TestUser10@localhost ~]$ sudo useradd -c "R&D Users" NewUser3
Sorry, user TestUser10 is not allowed to execute '/usr/sbin/useradd -c R&D Users NewUser3' as root on localhost.localdomain.
Case 7:
1. Granting the group named "admin" the right to execute all the commands listed under the command alias L1CMNDS.
2. Users belonging to the group "admin" are permitted to execute all the commands under the command alias L1CMNDS.
As ROOT:
[root@localhost etc]# vi /etc/sudoers
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
%admin ALL=(ALL) L1CMNDS
(Output Truncated…)
[root@localhost etc]# sudo -U NewUser0 -l
Matching Defaults entries for NewUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User NewUser0 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
As SUDO User:
[NewUser0@localhost ~]$ id
uid=515(NewUser0) gid=521(admin) groups=521(admin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[NewUser0@localhost ~]$ whoami
NewUser0
[NewUser0@localhost ~]$ sudo -l
[sudo] password for NewUser0:
Matching Defaults entries for NewUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User NewUser0 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
[NewUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser6
[NewUser0@localhost ~]$ sudo passwd NewUser6
Changing password for user NewUser6.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost etc]# grep admin /etc/group
desktop_admin_r:x:499:
admin:x:521:
[root@localhost etc]# id NewUser0
uid=515(NewUser0) gid=521(admin) groups=521(admin)
[root@localhost etc]# groupmod -n usradmin admin
[root@localhost etc]# grep -i usradmin /etc/group
usradmin:x:521:
[root@localhost etc]# id NewUser0
uid=515(NewUser0) gid=521(usradmin) groups=521(usradmin)
[root@localhost etc]# id NewUser1
uid=516(NewUser1) gid=521(usradmin) groups=521(usradmin)
[root@localhost etc]# id NewUser2
uid=518(NewUser2) gid=521(usradmin) groups=521(usradmin)
Case 8:
1. Changing the group name from "admin" to "usradmin". This carries the membership over and ensures that all the users who belonged to group "admin" are moved to the renamed group "usradmin".
2. However, once the group name is changed, the users under "usradmin" are NOT permitted to execute the commands as before. This is because the /etc/sudoers configuration file still refers to the "admin" group.
3. So the group name in the file /etc/sudoers has to be changed to "usradmin". Once that change is made, users belonging to the group "usradmin" can execute all the commands listed under the command alias L1CMNDS.
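As an added example (not part of the original post), this Python resolver evaluates the sudoers entries built up in Cases 1 to 8 the way `sudo -U user -l` would: alias expansion, the NOPASSWD: tag of Case 2, the '!' negation of Case 6 and the %group entry of Case 7, and it flags the stale group reference that produces the "may not run sudo" failure in Case 8. The SUDOERS text and the group names handed to lint() are constructed from the fragments shown on this page.

```python
# Added example (not from the post): resolve the Cases 1-8 sudoers rules like `sudo -U user -l`.
# SUDOERS is constructed from the fragments shown in the cases; only their constructs are parsed.
import re
SUDOERS = """\
User_Alias L1ADMINS = TestUser1, TestUser5, TestUser6, TestUser7, TestUser8, TestUser9
Cmnd_Alias L1CMNDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
root ALL=(ALL) ALL
TestUser0 ALL=(ALL) ALL
TestUser1 ALL=(ALL) L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
TestUser3 ALL=(ALL) L1CMNDS
L1ADMINS ALL=(ALL) L1CMNDS
TestUser10 ALL=(ALL) ALL, !/usr/sbin/useradd, !/usr/sbin/usermod, !/usr/sbin/userdel
%admin ALL=(ALL) L1CMNDS
"""

SPEC_RE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s+(.*)$")   # who  host=(runas)  commands

def parse(text):
    """Return (user_aliases, cmnd_aliases, specs); specs keep file order."""
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind in ("User_Alias", "Cmnd_Alias"):
            name, _, members = rest.partition("=")
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            table[name.strip()] = [m.strip() for m in members.split(",")]
        elif m := SPEC_RE.match(line):
            specs.append((m.group(1), m.group(2)))
    return user_aliases, cmnd_aliases, specs

def expand(cmdlist, cmnd_aliases):
    """Yield (command, nopasswd, negated) with Cmnd_Aliases flattened."""
    nopasswd = False
    for item in (i.strip() for i in cmdlist.split(",")):
        tag, colon, rest = item.partition(":")
        if colon and tag in ("NOPASSWD", "PASSWD"):   # a tag applies to the rest of the entry
            nopasswd, item = tag == "NOPASSWD", rest.strip()
        negated = item.startswith("!")
        for cmd in cmnd_aliases.get(item.lstrip("!"), [item.lstrip("!")]):
            yield cmd, nopasswd, negated

def check(text, user, groups, command):
    """Mimic sudo's decision for one command: the last matching entry wins.
    Returns 'allow', 'allow-nopasswd', 'deny' or 'no-entry' (may not run sudo at all)."""
    user_aliases, cmnd_aliases, specs = parse(text)
    verdict, covered = None, False
    for who, cmdlist in specs:
        if not (who[1:] in groups if who.startswith("%") else user in user_aliases.get(who, [who])):
            continue
        covered = True
        for cmd, nopasswd, negated in expand(cmdlist, cmnd_aliases):
            if cmd in ("ALL", command):
                verdict = "deny" if negated else ("allow-nopasswd" if nopasswd else "allow")
    return verdict or ("deny" if covered else "no-entry")

def lint(text, existing_groups):
    """Flag two things a reviewer of this file should look at."""
    user_aliases, cmnd_aliases, specs = parse(text)
    findings = []
    for who, cmdlist in specs:
        cmds = list(expand(cmdlist, cmnd_aliases))
        if any(c == "ALL" and not n for c, _, n in cmds) and any(n for _, _, n in cmds):
            findings.append(f"{who}: '!' cannot reliably subtract commands from ALL (sudoers(5)); grant an explicit list")
        if who.startswith("%") and who[1:] not in existing_groups:
            findings.append(f"{who}: group does not exist, so its former members may not run sudo (Case 8)")
    return findings

if __name__ == "__main__":
    print(check(SUDOERS, "TestUser10", set(), "/usr/sbin/useradd"))    # Case 6: deny
    print(*lint(SUDOERS, {"desktop_admin_r", "usradmin"}), sep="\n")  # groups after groupmod -n usradmin admin
```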
As SUDO User:
login as: NewUser0
NewUser0@192.168.110.128's password:
Last login: Sat Jul 4 22:05:09 2015 from 192.168.110.1
This is a Linux production box. Kindly handle it carefully.
Only authenticated persons are permitted to login to the system, violating the same will be legally penalized.
[NewUser0@localhost ~]$ id
uid=515(NewUser0) gid=521(usradmin) groups=521(usradmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[NewUser0@localhost ~]$ whoami
NewUser0
[NewUser0@localhost ~]$ sudo -l
[sudo] password for NewUser0:
Sorry, user NewUser0 may not run sudo on localhost.
As ROOT:
[root@localhost etc]# vi /etc/sudoers
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
%usradmin ALL=(ALL) L1CMNDS
(Output Truncated…)
As SUDO User:
[NewUser0@localhost ~]$ id
uid=515(NewUser0) gid=521(usradmin) groups=521(usradmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[NewUser0@localhost ~]$ whoami
NewUser0
[NewUser0@localhost ~]$ sudo -l
[sudo] password for NewUser0:
Matching Defaults entries for NewUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User NewUser0 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
[NewUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser7
[NewUser0@localhost ~]$ sudo passwd NewUser7
Changing password for user NewUser7.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[NewUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser8
[NewUser0@localhost ~]$ sudo passwd NewUser8
Changing password for user NewUser8.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[NewUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser9
[NewUser0@localhost ~]$ sudo passwd NewUser9
Changing password for user NewUser9.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
I hope I have discussed most of the possibilities for having SUDO users and SUDO groups in different combinations. I tested this on a Linux environment and firmly believe the same would work on a Solaris environment too, as the concepts and syntax remain the same.