
Flexible Authorization based on Linux sudo

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Sudo purpose:

sudo is used to grant privileges to ordinary users. In a word, it defines which users may log in on which hosts and run which commands as which users. It is comparable to the right-click "Run as administrator" option in Windows.

I. The difference between sudo and su

For example, a newcomer in the operations department is to be assigned some basic software deployment tasks, but there is a concern that unfamiliarity with the system architecture will lead to mistakes. Letting him use the su command to switch directly to a highly privileged administrative account would be very risky, whereas sudo's flexible authorization can limit his permissions to a reasonable scope and thus reduce the risk.

1. su actually logs in as the target user. To switch users with su you must know the target user's password; authorization is very inflexible, and sharing that password is itself a security risk.

2. sudo defines in its configuration file which commands the specified users may execute, and only switches the security context temporarily, without a user login switch. When running sudo you enter your own password; the target user's password is not needed for the context switch.

3. Both su and sudo can switch users, but with sudo the switch must be explicitly defined in the configuration file before it can be performed.

su switching user

su username: incomplete switch; HOME does not become the target user's home directory.

su - username: complete switch; HOME becomes the target user's home directory.

sudo switching user

sudo -i: switch to the root user.

sudo -u username command: run the command as the specified target user.

Related documents of sudo

1. The sudo command comes from the sudo-1.8.25p1-4.el8.x86_64 package.

2. Configuration files: stored in /etc/sudoers; independent configuration modules (modular configuration is supported) are stored in the /etc/sudoers.d/ directory.

3. Log file: sudo's operation records are written to /var/log/secure.

4. Timestamp file: sudo's token timeout mechanism is based on the timestamp of a timestamp file stored in the /run/sudo/ts/ directory.
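As an added example (not code from the original article), a small parser for the sudo records written to /var/log/secure, run over constructed sample lines in the syslog format sudo uses. The watch list of sensitive paths and the sample entries are assumptions for the demonstration.

```python
import re

# Regex for the sudo entries written to /var/log/secure. An optional status
# such as "command not allowed" or "3 incorrect password attempts" precedes
# the TTY field when the request was refused or authentication failed.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<status>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)

# Assumed watch list: files whose appearance anywhere in a sudo command line
# deserves review (extra arguments are exactly what wildcard rules let through).
SENSITIVE = {"/etc/shadow", "/etc/sudoers"}

# Constructed sample lines in the format sudo logs via syslog.
SAMPLE_LOG = """\
Jan 17 10:00:01 node1 sudo:    wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/bin/cat /var/log/messages
Jan 17 10:00:42 node1 sudo:    wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/bin/cat /var/log/messages /etc/shadow
Jan 17 10:02:13 node1 sudo:     tom : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/ls /root
Jan 17 10:03:00 node1 sudo:    wang : command not allowed ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/passwd root
Jan 17 10:05:00 node1 sudo: microcisco : TTY=pts/2 ; PWD=/home/microcisco ; USER=vmlab ; COMMAND=/usr/bin/yum install tree
"""


def parse_sudo_log(text):
    """Return one dict per recognised sudo entry; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def audit(entries):
    """Flag refused or failed requests and any command whose arguments touch
    a sensitive path. Returns (finding_type, user, command) tuples."""
    findings = []
    for e in entries:
        if e["status"]:
            findings.append(("refused", e["user"], e["command"]))
        args = e["command"].split()[1:]
        if any(a in SENSITIVE or a.startswith("/etc/sudoers.d/") for a in args):
            findings.append(("sensitive_path", e["user"], e["command"]))
    return findings
```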

Learning ideas:

sudo provides a dedicated editor for its configuration file, the visudo command, which checks the syntax before saving. The format of an authorization rule is:

user host=(runas_user) command

A rule consists of four elements: the authorized user, the host (or IP) the user logs in to, the user identity after switching (in parentheses), and the command the user is permitted to run.

Each of the four authorization elements can be an explicit object or an alias that groups a set of objects together.

Authorized user: the initiator of the process; can also be a collection of user names or group names, where the name of the collection is an alias.

Login host: can be a specific IP address or host name, or a collection of IP addresses, host names and network segments.

User identity after switching: the effective user of the process. If left empty it defaults to the root user, that is, the authorized user may execute the command defined later under any identity.

Command: can be a collection of related commands, for example network management commands grouped together under an alias.

The configuration file already contains clear examples of alias definitions for the above three elements, which can be used as references directly. When a user alias includes user group names, each group name must be referenced with a % prefix.

Best practices:

sudo's configuration is modular: the main file uses an includedir directive referencing the /etc/sudoers.d directory, so configuration modules defined separately there are loaded. It is therefore recommended to define configuration files separately per authorized user or per functional operation set according to production requirements, which keeps authorization management clearer. It is strongly recommended to use the visudo command when editing the configuration: visudo without any options edits /etc/sudoers directly, so when defining a modular configuration use visudo -f followed by the path of the module file.

II. Sudo element alias definition

Element aliases can be understood as variables. Alias definitions have strict format requirements. There are four alias types in sudo; the member objects of an alias are constrained by its type and must be objects that exist on the system.

1. Syntax rules:

a. Syntax: Alias_Type NAME = object1, object2, object3

b. Alias names may consist of upper-case letters, digits and underscores, and note that they must be written in capitals.

c. If an alias has multiple members, separate them with commas.

d. An alias definition must be on a single line; if it does not fit, use \ to continue the line.

e. Wildcards are supported.

2. User_Alias: initiator of the process

Example, alias defined by user or group name: User_Alias ADMINS = user1, user2, %admins

Example, alias defined by UID or GID: User_Alias ADMINS = #1023, user2, %#1099 (where #1023 is a UID and %#1099 is a GID)

3. Host_Alias: the login host

Member objects can be an IP address, a hostname, an FQDN, or a network number in CIDR format. Example: Host_Alias CDNSERVERS = 192.168.39.7, 192.168.40.0/24, node1, node2.microcisco.com

4. Runas_Alias: the end user of the process execution

Runas_Alias SRVMGMT = microcisco

5. Cmnd_Alias: a collection of commands that authorized users are allowed to execute

Members of the collection are separated by commas, each command is written with its absolute path, and commands support wildcard matching. If the command must be run with explicitly specified arguments, the arguments also support wildcard matching.

Example 1 [define an installation command set]: Cmnd_Alias INSTALL = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

Example 2 [exclude with wildcards]: Cmnd_Alias ADMINCMD = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root

6. Default user and runas user

Authorization requirement: define an authorization template user and grant it the commonly needed permissions; other users who need those permissions simply use the template user as their default runas account, which removes the need for frequent per-user authorization work. When new permission requirements arise, only the template user needs to be authorized.

The default user and the runas user can be specified in the configuration file. Use the -u option to specify the runas user when running sudo; when -u is omitted the default user is used. The definition syntax is as follows:

Defaults:microcisco runas_default=vmlab

microcisco IPMI=(tom,root) /usr/bin/cat /etc/shadow, NOPASSWD: SOFTWARE

III. Sudo security

1. sudo can delegate the editing of its own configuration: sudoedit

The default permission of the sudo configuration file /etc/sudoers is 440, with owner and group root, so other users have no access to the file at all. sudoedit is used to authorize a specific user to edit the sudo configuration file: simply add the sudoedit command to the command list of the authorization rule.

2. sudo access token lifecycle

Once a user has been authorized in sudo, running a command with sudo prompts for the user's own password. By default, further commands run with sudo within 5 minutes do not prompt again. This shows that sudo has a mechanism similar to an access token lifecycle.

sudo -V shows the token lifetime; the relevant field is "Authentication timestamp timeout", which defaults to 5 minutes. The principle is that each time sudo runs it checks the timestamp of the timestamp file to decide whether the access token has expired, comparing the current time with that timestamp: if the current time is more than 5 minutes past the file's timestamp, the token has expired and re-authentication is required. The timestamp files are stored in the /run/sudo/ts directory.

The token lifetime can be changed according to production needs: edit the configuration file with visudo and append a timeout after env_reset, for example: env_reset,timestamp_timeout=1

sudo -v refreshes the timestamp of the timestamp file.

sudo -k invalidates sudo's cached token by resetting the timestamp to January 1, 1970, so the user must enter a password the next time a command is run with sudo.

sudo -K invalidates sudo's cached token by deleting the timestamp file.

3. Skipping the password prompt when using sudo

For frequently used commands it is tedious to re-enter the password every time the sudo token expires, and a password prompt also interrupts a shell script that runs commands requiring sudo authorization.

NOPASSWD allows commands to be executed with sudo without a password, but it also introduces security risks, so the authorization must be strictly scoped, as shown in the following figure.

The correct way of authorization

4. sudo wildcard matching can cause security vulnerabilities

wang ALL=(root) /bin/cat /var/log/messages*

The intended authorization lets the user wang view the files in the /var/log/ directory whose names begin with messages.

Security threat: sudo cat /var/log/messages /etc/shadow succeeds and displays the shadow file, because * in glob matching stands for any number of any characters, including spaces and /.
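As an added example (not code from the original article), a small simulation of how sudo matches a requested command line against a rule's command list, covering both the wildcard problem in this section and the exclusion style of the ADMINCMD alias in section II.5. The rules and user names are constructed; the code models only path and argument globbing and the last-match-wins order of sudoers entries, not every sudoers feature.

```python
import fnmatch

# Constructed rules in sudoers syntax "user host=(runas) cmd, cmd, ...".
# In sudo a "*" in a command argument matches any characters, including
# spaces and "/", which is what makes the first rule dangerous.
WEAK_RULE = "wang ALL=(root) /bin/cat /var/log/messages*"
STRICT_RULE = ("wang ALL=(root) /bin/cat /var/log/messages, "
               "/bin/cat /var/log/messages.[0-9]")
# The passwd entries from the ADMINCMD alias, with the explicit exclusion.
PASSWD_RULE = "admin ALL=(root) /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root"


def parse_rule(rule):
    """Split a rule into (user, host, runas list, command specs)."""
    user, rest = rule.split(None, 1)
    host, rest = rest.split("=", 1)
    runas, cmds = rest.lstrip(" (").split(")", 1)
    return (user, host.strip(),
            [r.strip() for r in runas.split(",")],
            [c.strip() for c in cmds.split(",")])


def spec_matches(spec, argv):
    """Apply sudo's matching: the command path must match, then all
    arguments joined by single spaces are compared as one glob string."""
    path_pat, _, args_pat = spec.partition(" ")
    if not fnmatch.fnmatchcase(argv[0], path_pat):
        return False
    if args_pat == "":          # no arguments in the rule: any are accepted
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), args_pat)


def command_allowed(rule, user, host, runas, argv):
    """Return True if rule lets `user` on `host` run argv as `runas`.
    Specs are evaluated in order and the last matching one wins, so a
    trailing '!' entry can exclude a case an earlier wildcard permitted."""
    r_user, r_host, r_runas, specs = parse_rule(rule)
    if user != r_user or r_host not in ("ALL", host):
        return False
    if runas not in r_runas and "ALL" not in r_runas:
        return False
    decision = False
    for spec in specs:
        negated = spec.startswith("!")
        if spec_matches(spec.lstrip("!"), argv):
            decision = not negated
    return decision
```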

5. Considerations for sudo in security practice:

a. The sudo binary has the setuid bit set by default; it is owned by root with group root, and other users have execute permission.

b. sudo access token lifecycle: after running sudo and obtaining a token, run sudo -k or sudo -K to invalidate the token if you leave the management machine temporarily.

c. When authorizing a directory, the sudo rule must explicitly exclude the objects you do not want to authorize; this is the classic wildcard misauthorization.

d. Do not authorize the sudoedit command for other users; sudoedit is actually a symbolic link to the sudo command.

IV. Experimental part

1. Edit the default configuration file: visudo

2. Define the modular configuration file: visudo -f /etc/sudoers.d/vmlab

3. Define aliases

4. Define sudo default user

Defaults:microcisco runas_default=vmlab

sudo command: the command is executed as the default user.

sudo -u username command: the command is executed as the specified user.
