Posted by: isaraffee | February 6, 2010

Adding User and sudo rule in the sudoers file

One way to implement a security principle is to disable the root account and use sudo for superuser privileges. This helps with security because you can give people superuser privileges without giving out the root password. Another benefit of sudo is that you can limit which commands a user can run: why give a user root access over the entire system when the user only needs root privileges for one program, for example apache2ctl? Once a user has entered the password, he will not be prompted for it again for subsequent commands. This definitely saves time if you need to run several commands. But this only lasts for a limited time, as the cached sudo authentication expires automatically, which is useful if you forget to lock your terminal and leave your desk.

In this exercise we will add a user to the sudoers file, /etc/sudoers.

Before we do this, try the following. Switch to a non-root user:

# su - elvin

After that, run:

$ sudo fdisk -l
elvin is not in the sudoers file.  This incident will be reported.

The above output shows that the user elvin has not been included in the sudoers file, and the attempt is therefore reported in a log file.

The message is logged in /var/log/auth.log:

Feb  6 22:44:31 ismail-laptop sudo:    elvin : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/elvin ; USER=root ; COMMAND=/sbin/fdisk -l

So now let's add user elvin to the sudoers file.

Remember that to edit the /etc/sudoers file you need to use the visudo command; it locks the file and checks the syntax before saving, so a typo cannot leave you with a broken sudoers file.

# visudo

Add the user elvin to the sudoers file as shown below:

# User privilege specification
root    ALL=(ALL) ALL
elvin   ALL=(ALL) ALL

Let's look at what the second line means.

The first column is the username. If you have many users, separate them with commas. The ALL before the equals sign refers to the hostnames; in this instance elvin can run the sudo command on all hosts. The ALL in parentheses sets which user this sudo rule may run commands as; in this case it can be run as any user. The final column defines which commands the user can run; in this instance the user can run all commands.

After you have saved and quit, try the following command:

$ sudo fdisk -l
[sudo] password for elvin:

Disk /dev/sda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0005b174

Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1        4391    35270676   83  Linux
/dev/sda2   *        4392        6992    20892532+   7  HPFS/NTFS
/dev/sda3            6993        7296     2441880    5  Extended
/dev/sda5            6993        7296     2441848+  82  Linux swap / Solaris

This shows that you have successfully added user elvin to the sudoers file.

Now let's say you don't want elvin to have to enter a password. You will need to add the tag NOPASSWD: before the command column, as shown below:

# User privilege specification
root    ALL=(ALL) ALL
elvin   ALL=(ALL) NOPASSWD: ALL

Let's limit the commands that user elvin can execute. For example, we will only allow elvin to run the apache2ctl command. Edit the sudoers file using visudo and enter the following line:

# User privilege specification
root    ALL=(ALL) ALL
elvin   ALL=(ALL) /usr/sbin/apache2ctl
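To make the three columns and the NOPASSWD: tag concrete, here is an added Python example (not part of the original post) that parses user-specification lines like the ones above and answers the same question sudo does: may this user run this command as that user on this host, and is a password required? It assumes a constructed sample file (the deploy user is an assumption) and models only commands written without an argument list, as on this page.

```python
import re
from collections import namedtuple

# Constructed sample sudoers fragment, mirroring the rules used in this post.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
elvin   ALL=(ALL) /usr/sbin/apache2ctl
deploy  ALL=(ALL) NOPASSWD: ALL
"""

# user[,user] host[,host]=(runas[,runas]) [NOPASSWD:] cmd[,cmd]
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
Rule = namedtuple("Rule", "users hosts runas nopasswd commands")

def parse_rule(line):
    """Split one user-specification line into its columns."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a user specification: %r" % line)
    users, hosts, runas, rest = m.groups()
    rest = rest.strip()
    nopasswd = rest.startswith("NOPASSWD:")
    if nopasswd:
        rest = rest[len("NOPASSWD:"):].strip()
    # A missing (runas) list defaults to root, as sudo's runas_default does.
    return Rule(users.split(","), hosts.split(","), (runas or "root").split(","),
                nopasswd, [c.strip() for c in rest.split(",")])

def load_rules(text):
    """Parse every non-blank, non-comment line."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def _match(allowed, value):
    return "ALL" in allowed or value in allowed

def check(rules, user, host, runas, command):
    """Return (permitted, password_required). Only the program path is
    compared (no argument matching); as in sudo, the last matching rule wins."""
    prog = command.split()[0]
    result = (False, True)
    for r in rules:
        if all(_match(a, v) for a, v in ((r.users, user), (r.hosts, host),
                                          (r.runas, runas), (r.commands, prog))):
            result = (True, not r.nopasswd)
    return result
```

With the sample rules, check() denies elvin `/sbin/fdisk -l`, permits `/usr/sbin/apache2ctl status` with a password, and permits deploy anything without one.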

Save and quit, then try to execute a command other than apache2ctl, such as fdisk:

root@ismail-laptop:~# su - elvin
$
$ sudo fdisk -l
[sudo] password for elvin:
Sorry, user elvin is not allowed to execute '/sbin/fdisk -l' as root on ismail-laptop.

This clearly shows that user elvin is restricted from running any command other than apache2ctl.

Now try to run apache2ctl:

$ sudo apache2ctl
Usage: /usr/sbin/apache2ctl start|stop|restart|graceful|graceful-stop|configtest|status|fullstatus
/usr/sbin/apache2ctl <apache2 args>
$ sudo apache2ctl status
Forbidden

You don’t have permission to access /server-status on this server.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.2 with Suhosin-Patch Server at
localhost Port 80

Yes, user elvin can run the command; the Forbidden message comes from the web server itself, which does not permit access to /server-status, and is not a sudo restriction.

Responses

  1. It is very very good site to learn, understand.
    I like this.

    • Hi Rama,
      Thanks for such encouraging remarks! I have changed the site and now you can bookmark this new site, http://www.isaraffee.wordpress.com

      Happy reading!
      regards,
      Isa Raffee