How to use sudo to delegate permissions in Linux

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to use sudo to delegate permissions in Linux. It is quite detailed and should be a useful reference; if you are interested, read it to the end!

Learn how to give trusted users access to administrative network functions and specific services while keeping the root password protected.

I recently wrote a short Bash program to copy MP3 files from the USB disk of one network host to another network host. The copied files are stored in a specific directory on the server of a volunteer organization, where they can be downloaded and played.

My program also does other things, such as renaming the files before copying them so that the web page can sort them by date automatically. After verifying that the copy is complete, it deletes all the files on the USB disk. The small program has a few other options as well, such as -h to show help and -t to enter test mode.

My program needs to run as root to work. However, very few people in the organization were interested in managing the audio and computer systems, so I had to find the few who were at least somewhat interested and train them to log in to the computer for the transfer and run this small program.

It's not that I can't run the program myself, but I'm not always there, because I travel, get sick, and so on. Even when I am present, as a "lazy system administrator" I would rather have others do things for me. So I wrote some scripts to automate these tasks and designated a few people to run them through sudo. Many Linux commands require the user to run them as root. sudo can protect the system both from accidental damage caused by a moment's confusion and from intentional damage by malicious users.

Use sudo whenever possible

sudo is a convenient tool that allows me, as the administrator with root privileges, to delegate all or part of the administrative tasks to other users without having to tell them the root password, which keeps the host secure.

Suppose I give the ordinary user ruser access to my Bash program myprog, some of whose functions require root privileges. The user can then log in as ruser and run myprog with the following command.

sudo myprog

The sudo program checks the /etc/sudoers file and confirms that ruser is authorized to run myprog. If so, sudo asks the user for his or her own password, not the root password. After ruser enters the password, the program runs. In addition, sudo records the date and time myprog was run, the complete command, and who ran it. This data is written to /var/log/secure.

I find it helpful that every command executed with sudo is logged during training. I can see who ran which commands and whether they entered them correctly.
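As an added example (not part of the original article), here is a small Python parser for the sudo records that land in /var/log/secure, together with a check that flags the events a trainer or auditor would want to look at: denied commands, failed password attempts, users who are not in sudoers, and successful runs of a program outside the set that user is expected to use. The log lines are constructed for the example, and the expected-program table is an assumption of the example, not something sudo itself maintains.

```python
import re
from collections import Counter

# Constructed sample records in the format sudo writes to /var/log/secure on
# Red Hat-based systems (these events are made up for the example). The last
# line is an unrelated sshd record, included to show that it is skipped.
SAMPLE_LOG = """\
Jun  1 10:15:32 guest1 sudo:    ruser : TTY=pts/0 ; PWD=/home/ruser ; USER=root ; COMMAND=/usr/local/bin/myprog -t
Jun  1 10:17:05 guest1 sudo:    ruser : TTY=pts/0 ; PWD=/home/ruser ; USER=root ; COMMAND=/usr/local/bin/myprog
Jun  1 10:20:11 guest1 sudo:    ruser : command not allowed ; TTY=pts/0 ; PWD=/home/ruser ; USER=root ; COMMAND=/bin/chown root /tmp/x
Jun  1 10:22:40 guest1 sudo:    dboth : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/dboth ; USER=root ; COMMAND=/usr/local/bin/myprog
Jun  1 10:23:02 guest1 sudo:    dboth : TTY=pts/1 ; PWD=/home/dboth ; USER=root ; COMMAND=/usr/local/bin/myprog -h
Jun  1 10:28:19 guest1 sudo:    dboth : TTY=pts/1 ; PWD=/home/dboth ; USER=root ; COMMAND=/bin/bash
Jun  1 10:30:45 guest1 sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
Jun  1 10:31:00 guest1 sshd[2211]: Accepted password for ruser from 10.0.0.5 port 51234 ssh2
"""

# One sudo record: timestamp, host, invoking user, an optional status phrase
# (absent when the command was actually run), then the TTY/PWD/USER/COMMAND fields.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<status>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_sudo_line(line):
    """Return a dict for one sudo record, or None for any other log line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = rec["status"] or "ok"       # no status phrase means the command ran
    rec["program"] = rec["command"].split()[0]  # executable path without its arguments
    return rec


def parse_sudo_log(text):
    """Parse every sudo record in a block of log text, ignoring other lines."""
    return [r for r in (parse_sudo_line(line) for line in text.splitlines()) if r]


def successful_runs_per_user(records):
    """Count the commands sudo actually executed, keyed by invoking user."""
    return Counter(r["user"] for r in records if r["status"] == "ok")


def audit(records, expected):
    """Flag records worth a second look.

    expected maps user -> set of program paths that user is expected to run
    through sudo (an assumption of this example, not something sudo stores).
    Denials and failed authentications are always flagged; a successful run is
    flagged when the program is outside the user's expected set.
    """
    findings = []
    for r in records:
        if r["status"] != "ok":
            findings.append((r["status"], r))
        elif r["program"] not in expected.get(r["user"], set()):
            findings.append(("ran a program outside the expected set", r))
    return findings


if __name__ == "__main__":
    recs = parse_sudo_log(SAMPLE_LOG)
    print(dict(successful_runs_per_user(recs)))
    expected = {"ruser": {"/usr/local/bin/myprog"}, "dboth": {"/usr/local/bin/myprog"}}
    for reason, r in audit(recs, expected):
        print(f"{r['ts']} {r['user']:>6} {reason}: {r['command']}")
```

Run against the real file with `parse_sudo_log(open("/var/log/secure").read())`; on systems that log through journald the same records come out of `journalctl -t sudo`.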

I delegated permission to run that program to myself and one other person; however, sudo can do much more. It allows system administrators to delegate administrative network functions or specific services to a trusted person or group of people. This lets you keep the root password secret while still handing out those functions.

Configure the sudoers file

As a system administrator, I use the /etc/sudoers file to specify that certain users or groups of users can run a command, a set of commands, or all commands. This flexibility is the key to striking a balance between functionality and simplicity when delegating with sudo.

I was confused by the sudoers file at first, so below I will copy and break down the complete sudoers file from the host I am using. I hope the walk-through does not confuse you. I was pleasantly surprised to find that the default configuration file in Red Hat-based distributions has many comments and examples to guide you through making changes, which makes modifying it much easier and saves a lot of searching on the Internet.

Instead of editing the sudoers file directly, use the visudo command; the changes take effect as soon as you save and exit the editor. visudo can also use editors other than Vi.

Let's first analyze the various aliases in the file.

Host alias

The host aliases section is used to create groups of hosts, so that commands or command aliases can be granted to a whole group of hosts at once. The idea is that one sudoers file is maintained for all the hosts in the organization and then copied to /etc on each host. Some of these hosts, such as the various servers, can be put into a group so that users can be given access to specific commands on them, such as starting and stopping HTTPD, DNS and network services, mounting file systems, and so on.

An IP address can also be used instead of a host name in a host alias.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

User alias

User aliases allow root to organize users into alias groups and assign specific root permissions by group. In this section I added the line User_Alias AUDIO = dboth, ruser, which defines an alias AUDIO that refers to two users.

As the comments in the sudoers file explain, you can also use the groups defined in /etc/group directly without defining your own aliases. If an existing group (say, audio) already fits your needs, you only need to prefix the group name with a % sign when assigning commands later, like this: %audio.

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
User_Alias AUDIO = dboth, ruser

Command alias

Next comes the command aliases section. These aliases represent groups of related commands, such as network-related commands or RPM package management commands. They let a system administrator easily assign permissions to a whole set of commands.

This section has been set up with many aliases, which makes it much easier to assign permissions to certain types of commands.

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

Environment default

The following section sets the default environment. The most interesting line here is Defaults !visiblepw, which tells sudo to refuse to run when the user's terminal is set up so that the typed password would be displayed. This security measure should not be changed.

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults    !visiblepw

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin

Command section

The command section is the body of the sudoers file. You can achieve the same result without aliases; aliases just make the configuration much easier to manage.

This section uses the aliases defined earlier to tell sudo who can run which commands on which machines. Once you understand the syntax of this part, you will find the examples very intuitive. Let's look at the syntax.

ruser ALL=(ALL) ALL

This means that ruser can run arbitrary commands as any user on any host.

This is a rule for the user ruser. The first ALL on the line means the rule applies on all hosts. The second ALL allows ruser to run commands as any other user. By default the command runs as root, but ruser can ask on the sudo command line for the program to run as another user. The last ALL means ruser can run any command without restriction. This effectively makes ruser root.

Notice that there is another configuration for root below. This allows root to run any command on any host through sudo.

root ALL=(ALL) ALL

This means that root can run arbitrary commands as any user on any host.

To see what this line does, I commented it out and tried running chown directly as root. As expected, that still worked. Then I tried sudo chown, which failed with the message "root is not in the sudoers file. This incident will be reported". In other words, root can run any command directly, but not through sudo. This stops root from using sudo to run commands as other users the way ordinary users can, but root has plenty of other ways around that constraint.

The following line is one I added to control access to myprog. It specifies that only the users in the AUDIO alias defined above can run myprog, and only on the host guest1.

AUDIO guest1=/usr/local/bin/myprog

Allow members of the AUDIO alias to run myprog on the host guest1.

Note that the line above only specifies the host and the program that may be run; it does not allow the user to run the program as any user other than root.

Omit password

You can also use the NOPASSWD tag to let the users in the AUDIO alias run myprog without entering a password, like this:

AUDIO guest1=NOPASSWD: /usr/local/bin/myprog

Allow members of the AUDIO alias to run myprog on the host guest1 without entering a password.

I didn't do that, because I think it is good for sudo users to stop and think about what they are doing. I only mention it as an example.

Wheel

The wheel line in the command section of the sudoers file (shown below) allows all users in the wheel group to run any command on any machine. The wheel group is defined in the /etc/group file, and a user must be a member of that group for the rule to apply. The % before the group name tells sudo to look the group up in /etc/group.

%wheel ALL=(ALL) ALL

Allow all members of the "wheel" group defined in /etc/group to run any command on any host.

This is a good way to give several users full root privileges without handing out the root password: you only need to add a user to the wheel group to give them full root capabilities. It also lets you monitor what they do through the logs sudo creates. Some Linux distributions, such as Ubuntu, automatically add users to the wheel group in /etc/group, which lets them run all privileged commands through sudo.
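To make the rule semantics from the sections above concrete, here is an added example (not from the article and not sudo's own code) of a small Python evaluator for a simplified sudoers subset: User_Alias, Host_Alias and Cmnd_Alias definitions, %group user specs, comma-separated host and command lists, an optional (runas) part, and the NOPASSWD: tag. It answers whether a user may run a given program on a given host as a given target user, and whether a password is required. The sample policy reuses the AUDIO, root, %wheel and myprog rules from the article; the WEBSERVERS and SERVICES rule, the users admin1 and alice, and the group table standing in for /etc/group are constructed. Wildcards, negation, Defaults lines and command arguments are deliberately not handled; the authoritative check for a real file remains visudo -c.

```python
import re

# Constructed sample policy for the example. The AUDIO alias and the root,
# %wheel and myprog rules mirror the article; the WEBSERVERS/SERVICES rule is made up.
SAMPLE_SUDOERS = """\
## Aliases
User_Alias  AUDIO = dboth, ruser
Host_Alias  WEBSERVERS = web1, web2
Cmnd_Alias  SERVICES = /sbin/service, /sbin/chkconfig

Defaults    !visiblepw   # Defaults lines are ignored by this evaluator

root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
AUDIO       guest1=/usr/local/bin/myprog
%audio      WEBSERVERS=NOPASSWD: SERVICES
"""

# Stand-in for /etc/group: group name -> members (constructed for the example).
SAMPLE_GROUPS = {"wheel": {"admin1"}, "audio": {"alice"}}

ALIAS_RE = re.compile(r"(User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)")
# who  hosts=(runas) [NOPASSWD:|PASSWD:] cmds  -- the runas part and the tag are optional
RULE_RE = re.compile(r"(\S+)\s+([^=]+?)\s*=\s*(?:\((\S+)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)")


def _split(s):
    return [x.strip() for x in s.split(",") if x.strip()]


class Sudoers:
    def __init__(self, text, groups):
        self.groups = groups
        self.aliases = {"User": {}, "Host": {}, "Cmnd": {}}
        self.rules = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line or line.startswith("Defaults"):
                continue
            m = ALIAS_RE.match(line)
            if m:
                self.aliases[m.group(1)][m.group(2)] = _split(m.group(3))
                continue
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"unsupported line: {line}")
            who, hosts, runas, tag, cmds = m.groups()
            self.rules.append({"line": line, "who": who, "hosts": _split(hosts),
                               "runas": runas or "root",  # sudo's default target user
                               "nopasswd": tag == "NOPASSWD", "cmds": _split(cmds)})

    def _expand(self, kind, name):
        """Recursively replace an alias name of one kind with its concrete members."""
        members = self.aliases[kind].get(name)
        if members is None:
            return {name}
        return set().union(*(self._expand(kind, m) for m in members))

    def _user_matches(self, spec, user):
        for entry in self._expand("User", spec):
            if entry in ("ALL", user):
                return True
            if entry.startswith("%") and user in self.groups.get(entry[1:], set()):
                return True
        return False

    def _list_matches(self, kind, specs, value):
        found = set().union(*(self._expand(kind, s) for s in specs))
        return "ALL" in found or value in found

    def check(self, user, host, program, runas="root"):
        """Decide whether user may run program on host as runas.

        As in sudo, the last matching rule wins, so a later rule can relax or
        tighten an earlier one. Returns the allowed/password flags and the rule used.
        """
        result = {"allowed": False, "password": True, "rule": None}
        for rule in self.rules:
            if (self._user_matches(rule["who"], user)
                    and self._list_matches("Host", rule["hosts"], host)
                    and rule["runas"] in ("ALL", runas)
                    and self._list_matches("Cmnd", rule["cmds"], program)):
                result = {"allowed": True, "password": not rule["nopasswd"], "rule": rule["line"]}
        return result


if __name__ == "__main__":
    policy = Sudoers(SAMPLE_SUDOERS, SAMPLE_GROUPS)
    for q in [("ruser", "guest1", "/usr/local/bin/myprog"), ("ruser", "guest2", "/usr/local/bin/myprog"),
              ("alice", "web1", "/sbin/service"), ("admin1", "guest1", "/bin/bash")]:
        print(q, policy.check(*q))
```

Commenting out the root line in SAMPLE_SUDOERS and asking the evaluator whether root may run /bin/chown reproduces the experiment described above: root is no longer matched by any rule, so sudo would refuse, even though root can still run the command directly.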

Conclusion

I have only scratched the surface of sudo here: giving one or two users permission to run a single command with root privileges. Doing that takes only two lines of configuration (not counting comments). Delegating a task to other, non-root users is simple and can save you a lot of time, and the logs it generates help you track down problems.

The sudoers file has many other settings and capabilities. See the man pages for sudo and sudoers for more information.
