Sunday, May 11, 2014

Enable SUDO for RHEL & CENTOS

Sudo is an arguably safer alternative to logging in (or using the su command) to the root account. Sudo allows you to partition and delegate superuser commands (functions) without giving a user total "root" power on the system. Here are a few other advantages:
  • Privileged commands are logged. It is a simple way to audit who did what at what point in time.
  • Using sudo takes fewer keystrokes than using su or logging in as root.
  • You don't have to change the root password when an administrator has his root functions revoked, leaves the company, changes roles, etc. The change part is easy, but coordinating the new password with every other administrator can be a hassle.

# Is sudo installed?
Log in as the root user.

Let's first determine if the sudo package is installed.
# rpm -q sudo

If the package is not installed, we can retrieve/install it with the following command:
# yum install sudo

# Create a normal user
Create the user and add them to the wheel group. The wheel group is usually predefined as the container for administrator accounts.
# useradd -G wheel -c "Test User" testNew

Create a password for the user.
# passwd testNew
Changing password for user testNew.
New UNIX password: P@$$w0rd
Retype new UNIX password: P@$$w0rd
passwd: all authentication tokens updated successfully.

# Or modify an existing user
Add an existing user (the user testMod in my example) to the wheel group.
# usermod -aG wheel testMod

# Modify the sudoers file
Use the visudo command to safely modify the sudoers file.
# visudo

Search for the "Allows people in group wheel to run all commands" directive and uncomment the second line (the %wheel rule) to enable the wheel group to run all commands.
...
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
...
Save the file.

# Test with a privileged command (logged in as a normal user)
We will first attempt to run the visudo command with our normal user account. As expected, the operation will fail.
$ /usr/sbin/visudo
visudo: /etc/sudoers: Permission denied

Now we will run the command within the context of sudo to temporarily elevate the privileges of our normal user.
$ sudo -i visudo
[sudo] password for test: P@$$w0rd

# Verify the command is logged
Check the secure log to verify the event is recorded.
$ sudo grep visudo /var/log/secure
...
Aug 21 20:01:20 centos sudo: test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/bash -c visudo
...
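
As an added example (not part of the original post), the following shell function turns sudo entries like the one above into a one-line-per-command audit summary and surfaces denied attempts. The sample log lines are constructed, and the `sudo_audit` and `sample_log` names and the pipe-separated output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarize sudo entries from /var/log/secure-style lines.
# Output format (an assumption of this example): time|user|run-as|status|command
# On a real host: sudo cat /var/log/secure | sudo_audit

# Constructed sample input; the first line is the entry shown in the post.
sample_log() {
  cat <<'EOF'
Aug 21 20:01:20 centos sudo: test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/bash -c visudo
Aug 21 20:01:20 centos sudo: pam_unix(sudo:session): session opened for user root by test(uid=0)
Aug 21 20:05:02 centos sudo: guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/sbin/visudo
EOF
}

sudo_audit() {
  awk '
    # Only sudo command records carry COMMAND=; PAM session lines do not.
    /COMMAND=/ && match($0, / sudo(\[[0-9]+\])?: */) {
      ts   = $1 " " $2 " " $3                 # syslog timestamp
      rest = substr($0, RSTART + RLENGTH)     # text after the "sudo:" tag
      sep  = index(rest, " : ")               # ends the invoking user name
      cpos = index(rest, "COMMAND=")
      if (sep == 0 || cpos < sep) next        # not a well-formed record
      user   = substr(rest, 1, sep - 1)
      cmd    = substr(rest, cpos + 8)         # command may contain spaces
      fields = substr(rest, sep + 3, cpos - sep - 3)
      runas  = "?"; status = "ok"
      n = split(fields, f, / *; */)
      for (k = 1; k <= n; k++) {
        if (f[k] ~ /^USER=/)            runas = substr(f[k], 6)
        else if (f[k] ~ /^(TTY|PWD)=/)  continue
        else if (f[k] != "")            status = f[k]  # e.g. "user NOT in sudoers"
      }
      print ts "|" user "|" runas "|" status "|" cmd
    }'
}

# Run the summary over the constructed sample.
sample_log | sudo_audit
```

Any row whose status is not "ok" is an attempt sudo refused, which is usually the first thing to review in this log.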

This is just a single use case of how to implement sudo. I encourage you to check out the man pages and other documentation to see how you can tailor it to your specific environment.
