Protecting your root account in CentOS6 Part 1 – sudo command

The “sudo” command allows to run programs under root privileges or under the privileges of another user. This is done in order to avoid logging in as root each time you want to execute a program that requires elevated privileges. With sudo for example you can assign user “george” to run a specific set of commands. User “george” will need to enter his own password to execute those commands. In other words user “george” is not logging in as root.  The “sudo” command is very useful because you can create groups of users and actual groups that run a specific set of commands and another set of users/groups that run another set of commands. In no point any of these users will access the root account when “sudo” is setup.

With “sudo” you can specify which specific commands a:

  • User can run
  • Group can run
  • From which host the user/group can run those specific set of commands.

With “sudo” you can also create aliases of users/groups/commands/hostnames in order to make administation of  “sudo” easier. So for example you can create an alias called “tools” which will is assigned a specific set of commands or folder with commands. The alias then called “tools” can be assigned to be run for any user or group that belongs under the alias “admins”. This will be shown below how it is done.

 

1) Get the sudo program.

As root type  

yum install sudo

 

2) Configure sudo

The config file for “sudo” is called “sudoers” and is located in the /etc folder. For security reasons you only allowed to alter this file by using the visudo command. There are work arounds to this but honestly I do not understand why anyone would want to comprise this file like that. The neat part “sudo” is that if you have configured it wrong it will let you know after you saved the file. So now lets start with a basic setup and progress our way up to a more complex set. As root type visudo.

The way you setup a user/group to a specific set of commands is by declaring the following:  username or group from a host can run these commands. Below are examples.

  • Setup  user “george”  to use a set of commands.
george  10.0.0.4/255.255.255.0 =/user/sbin

What the above means is that user george from host 10…/…255.0 can have access to all programs with in the /user/bin folder. You can change the ip address with the actual host name if you wish to do so.

  • Setup groups dba, admins to use a set of commands
%dba, %admins ALL = ALL

The % tells “sudo” that this is a group.  The first keyword ALL tells “sudo” that anybody that belongs to the groups mentioned earlier can execute commands no matter where they are logged in from. The second keyword tells “sudo” that anybody that belongs to the groups mentioned earlier can execute all commands. We could have very easily put a specific host and a specific folder or command respectively but now you see  you can use the ALL keyword as well.

  • Setup aliases to make it easier to administer sudo.

The lines below are lines from my actual sudo setup. With some alterations for security reasons :). If you read the lines through it will make sense to what I just did but I will explain each one of them.

Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

User_Alias ADMINS = george, zelda, pacwoman

Host_Alias HOMESERVERS= 10.0.0.4/255.255.255.0

ADMINS HOMESERVERS = SERVICES

 

Explanation:

  • Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

In this line I created an Alias for commands. The keyword to use which is case sensitive is Cmnd_Alias.  After the keyword you need to name your alias which in my case I chose the word SERVICES.  After you choose the name of your alias you will need to assign to this alias commands and/or folders.

 

  • User_Alias ADMINS = george, zelda, pacwoman

In this line I created an alias for users. The keyword to use which is case sensitive is User_Alias. After the keyword you need to name your alias which in my case I chose the word ADMINS. After you choose the name of your alias you will need to assign to this alias the users you wish.

 

  • Host_Alias HOMESERVERS= 10.0.0.4/255.255.255.0

They keyword to use which is case sensitive is Host_Alias. After the keyword you need to name your alias which in my case I chose the word HOMESERVERS. After you choose the name of your alias you will need to assign to this alias the hostnames allowed to run these commands.

 

  • ADMINS HOMESERVERS = SERVICES

Here we are saying that alias ADMINS from hostnames HOMESERVERS can run any commands associated with SERVICES.

 

Deny access feature: You can use the exclamation point to flat out deny access to commands and/or folders. Here are some examples taken from above.

george  10.0.0.4/255.255.255.0 =!/user/sbin

ADMINS HOMESERVERS =! SERVICES

With the above lines you are effectevely saying that user george cannot run any of the commands under the folder /user/sbin.  On the second line you are saying that anybody that belongs under the alias ADMINS cannot run any of the commands associated with the alias SERVICES.

 

Note1: It should be noted that it is more effective to use groups to assign permissions. So for example you can have a group called “DBA” and you assign the appropriate permissions for all users under that group.

Note2: You can setup sudo to not request the user for a password but I do not understand the logic behind that. Why take away a layer of safety? I am not sure.

Share Button

Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload the CAPTCHA.