Substitute User Do –
a normal user is granted the privilege to execute chosen root-owned commands (based on the user’s day-to-day role) that reside under the /usr/sbin directory.
Why SUDO?
- Delegating chosen root-owned commands to a privileged user reduces root’s load while adding a security feature. The privileged user can execute only the commands granted.
- If a virus, worm or malicious script tries to run on a Unix system it cannot gain necessary privileges without the user typing sudo. This prevents a lot of malware from running without notifying the user.
- Another nice thing about sudo is that I type in MY Password, not root’s, to gain the root privileges. So if my account gets compromised, we still have not compromised the root account.
- Logs both successful and failed command executions, leaving a trail for the event record.
And now, why SUDO on Solaris 10? Doesn't Solaris 10 come with such a feature?
Yes. Solaris 10 has such a feature – RBAC (Role Based Access Control).
SUDO packages have to be downloaded and installed manually on Solaris 10, as SUDO is NOT available on the Solaris 10 OS installation media. (SUDO is available by default in Solaris 11).
From my perspective, even though RBAC has more features and a secure password (in RBAC, roles do have a password, so the user needs the login password and the role password to execute the granted commands), administering RBAC is more complex than SUDO.
With SUDO, /usr/local/etc/sudoers is the only configuration file that has to be configured or modified.
Whereas RBAC involves the /etc/user_attr, /etc/security/auth_attr, /etc/security/prof_attr and /etc/security/exec_attr files.
The packages can be downloaded from the link - http://sunfreeware.com/
SUDO packages to be installed on X86:-
libiconv-1.13.1-sol10-x86-local.gz
libgcc-3.4.6-sol10-x86-local.gz
gcc-3.4.6-sol10-x86-local.gz
libintl-3.4.0-sol10-x86-local.gz
db-4.2.52.NC-sol10-intel-local.gz
make-3.82-sol10-x86-local.gz
wget-1.12-sol10-x86-local.gz
sudo-1.7.4p4-sol10-x86-local.gz
TCMsudo-1.7.4p4-i386.pkg.gz
sudo-1.6.9p23.tar
SUDO packages to be installed on SPARC:-
libiconv-1.13.1-sol10-sparc-local.gz
libgcc-3.4.6-sol10-sparc-local.gz
gcc-3.4.6-sol10-sparc-local.gz
libintl-3.4.0-sol10-sparc-local.gz
db-4.2.52.NC-sol10-sparc-local.gz
make-3.82-sol10-sparc-local.gz
sudo-1.7.4p4-sol10-sparc-local.gz
TCMsudo-1.7.4p4-sparc.pkg
sudo-1.6.9p23.tar
zlib-1.2.5-sol10-sparc-local.gz
The following 2 packages
1. sudo-1.6.9p23 (Source Distribution)
2. TCMsudo-1.7.4p4-i386.pkg (Binary Package)
can be downloaded from the link - http://www.sudo.ws/sudo/download.html
How?
I recommend installing the downloaded packages in the following order –
bash-3.00# pkgadd -d libiconv-1.13.1-sol10-x86-local
bash-3.00# pkgadd -d libgcc-3.4.6-sol10-x86-local
bash-3.00# pkgadd -d gcc-3.4.6-sol10-x86-local
bash-3.00# pkgadd -d libintl-3.4.0-sol10-x86-local
bash-3.00# pkgadd -d make-3.82-sol10-x86-local
bash-3.00# pkgadd -d db-4.2.52.NC-sol10-intel-local
bash-3.00# pkgadd -d wget-1.12-sol10-x86-local
bash-3.00# pkgadd -d TCMsudo-1.7.4p4-i386.pkg
bash-3.00# pkgadd -d sudo-1.7.4p4-sol10-x86-local
Only after the successful installation of the above 2 packages will the /usr/local/etc/sudoers file be generated.
bash-3.00# cd sudo-1.6.9p23
bash-3.00# ls configure
configure
Run the configure script with ./configure
bash-3.00# ./configure
On successful installation and execution of the ./configure script, move to the directory /usr/local/etc to ensure the presence of the sudoers and wgetrc files.
Set the PATH variable for sudo:
bash-3.00# export PATH=$PATH:/usr/local/bin:/usr/local/sbin
To make it permanent, make an entry in the /etc/profile file.
To ensure that the PATH variable is set:
bash-3.00# echo $PATH
/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
Now let us discuss the entries in the /usr/local/etc/sudoers file, in order.
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
User_Alias SYSADMIN = scbose, malcomx
(Output Truncated…)
Where –
User_Alias – is the keyword stating that we are defining user alias names.
SYSADMIN – is the user alias variable.
scbose, malcomx – are the existing users who have an entry in the local system file /etc/passwd.
Guys, kindly note that the User_Alias, Cmnd_Alias and Host_Alias variables should NOT be the same.
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#                        /usr/bin/pkill, /usr/bin/top
Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/bin/passwd, \
                       /usr/sbin/groupadd, /usr/sbin/groupmod, \
                       /usr/sbin/groupdel, /usr/sbin/usermod, /usr/sbin/userdel
Cmnd_Alias SYSADMIN_CMDS = /usr/sbin/init, /usr/sbin/shutdown, /usr/sbin/reboot, \
                           /usr/sbin/halt
(Output Truncated…)
Where –
Cmnd_Alias – is the keyword stating that we are defining command alias names.
USERADMIN, SYSADMIN_CMDS – are the command alias variables.
A command alias variable is mapped to several commands (here, for instance: /usr/sbin/useradd, /usr/bin/passwd, /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/init, /usr/sbin/shutdown, /usr/sbin/reboot, /usr/sbin/halt).
## User privilege specification
##
root ALL=(ALL) ALL
che ALL=(ALL) ALL
NewUser ALL=/usr/sbin/useradd, /usr/bin/passwd
castro ALL=USERADMIN, SYSADMIN_CMDS
SYSADMIN ALL=SYSADMIN_CMDS
(Output Truncated…)
Where –
NewUser – Existing user login name
ALL = Terminals user can execute from
Followed by the commands granted to the user to execute, or the command alias (all the commands mapped to the command alias can be executed by the user).
The syntax is like so:
USER ALL=(ALL) ALL
Where –
USER = The user.
ALL = Terminals user can execute from
(ALL) = The users USER can act as.
ALL = The commands USER can run.
Note:
- By default, sudo command will cache the password for 5 min for each command so it’s not necessary to enter password again for the same command until the cache password expires.
- The /etc/sudoers file is read each time a command is executed. A modification (restricting/adding commands for an existing user) made to the /etc/sudoers file comes into effect immediately.
- If you do not want the user to be asked for their password when running sudo:
USER ALL=(ALL) NOPASSWD: ALL
Possible, but not a good idea! :)
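A quick review pass over the grants described above, as an added example that is not part of the original post: it lists NOPASSWD entries and non-root users granted ALL commands. The sample file is constructed from the entries on this page plus a made-up account "tester"; the function names are hypothetical, and only single-host entries of the form shown here are handled.

```shell
#!/bin/sh
# Added example (not from the original post): list sudoers grants worth a
# second look. Syntax checking is a separate job: visudo -c -f FILE.

sample_sudoers() {   # constructed sample; "tester" is a made-up account
cat <<'EOF'
## User privilege specification
User_Alias SYSADMIN = scbose, malcomx
Cmnd_Alias SYSADMIN_CMDS = /usr/sbin/init, /usr/sbin/shutdown, \
                           /usr/sbin/reboot, /usr/sbin/halt
root     ALL=(ALL) ALL
che      ALL=(ALL) ALL
NewUser  ALL=/usr/sbin/useradd, /usr/bin/passwd
SYSADMIN ALL=SYSADMIN_CMDS
tester   ALL=(ALL) NOPASSWD: ALL
EOF
}

audit_sudoers() {    # reads a sudoers file (argument or stdin)
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }      # join continued lines
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*(#|$)/ { next }                    # comments, blank lines
    line ~ /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # not a grant
    {
        split(line, w, " "); who = w[1]
        spec = substr(line, index(line, "=") + 1)     # text after host list
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)       # drop the (runas) part
        if (spec ~ /NOPASSWD[ \t]*:/) print who, "NOPASSWD"
        gsub(/[A-Z_]+[ \t]*:[ \t]*/, "", spec)        # drop TAG: prefixes
        n = split(spec, c, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", c[i])
            if (c[i] == "ALL" && who != "root") print who, "ALL-COMMANDS"
        }
    }' "$@"
}

sample_sudoers | audit_sudoers
```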
By default, all the activity performed through sudo will be logged to the /var/adm/messages file.
However, it can be customized: sudo can log to a specific file. But make sure that the file is created and granted valid file permissions.
Here, I’m customizing the sudo logs to the file: /var/log/sudo_log
# Defaults log_output
Defaults logfile=/var/log/sudo_log
(Output Truncated…)
Example log from the /var/adm/messages file:
Dec 17 04:24:05 veritas sudo: [ID 702911 auth.alert] NewUser : command not allowed ; TTY=pts/8 ; PWD=/export/home/NewUser ; USER=root ; COMMAND=useradd -m -e /export/home/Jack Jack
Dec 17 04:28:59 veritas sudo: [ID 702911 auth.alert] castro : command not allowed ; TTY=pts/8 ; PWD=/export/home/castro_home ; USER=che ; COMMAND=/usr/sbin/useradd -m -d /export/home/Rose Rose
Dec 17 04:30:12 veritas sudo: [ID 702911 auth.alert] castro : command not allowed ; TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root ; COMMAND=list
Dec 17 04:32:10 veritas sudo: [ID 702911 auth.alert] malcomx : command not allowed ; TTY=pts/7 ; PWD=/export/home/malcomx ; USER=che ; COMMAND=/bin/sh
Dec 17 04:33:07 veritas sudo: [ID 702911 auth.alert] malcomx : command not allowed ; TTY=pts/7 ; PWD=/export/home/malcomx ; USER=root ; COMMAND=list
Entries from the customized sudo log file:
Dec 18 01:13:11 : che : TTY=pts/7 ; PWD=/export/home/che_home ; USER=root ; COMMAND=list
Dec 18 01:13:47 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root ; COMMAND=list
Dec 18 01:14:40 : castro : command not allowed ; TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root ; COMMAND=/usr/sbin/useradd -m -d /export/home/TestUser TestUser
Dec 18 01:46:54 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root ; COMMAND=/usr/sbin/useradd -m -d /export/home/TestUser TestUser
Dec 18 01:47:15 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root ; COMMAND=/usr/bin/passwd TestUser
From the above logs, it’s very clear that both successful and failed events are logged.
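Since denied attempts are what an administrator will want to review, here is an added example (not part of the original post) that counts "command not allowed" events per user across both log formats shown above and marks users who tried to start a shell. The sample lines are a subset of the excerpts above, each joined on one line; the function names and the "shell-attempt" label are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): count denied sudo attempts
# per user from either log format shown above.

sample_log() {   # entries from the excerpts above, each joined on one line
cat <<'EOF'
Dec 17 04:24:05 veritas sudo: [ID 702911 auth.alert] NewUser : command not allowed ; TTY=pts/8 ; PWD=/export/home/NewUser ; USER=root ; COMMAND=useradd -m -e /export/home/Jack Jack
Dec 17 04:28:59 veritas sudo: [ID 702911 auth.alert] castro : command not allowed ; TTY=pts/8 ; PWD=/export/home/castro_home ; USER=che ; COMMAND=/usr/sbin/useradd -m -d /export/home/Rose Rose
Dec 17 04:32:10 veritas sudo: [ID 702911 auth.alert] malcomx : command not allowed ; TTY=pts/7 ; PWD=/export/home/malcomx ; USER=che ; COMMAND=/bin/sh
Dec 18 01:13:11 : che : TTY=pts/7 ; PWD=/export/home/che_home ; USER=root ; COMMAND=list
Dec 18 01:14:40 : castro : command not allowed ; TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root ; COMMAND=/usr/sbin/useradd -m -d /export/home/TestUser TestUser
Dec 18 01:46:54 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root ; COMMAND=/usr/sbin/useradd -m -d /export/home/TestUser TestUser
EOF
}

denied_summary() {   # reads log files given as arguments, or stdin
    awk '
    / : command not allowed ; / {
        # the invoking user is the last word before the marker
        head = substr($0, 1, index($0, " : command not allowed ; ") - 1)
        n = split(head, f, " ")
        user = f[n]
        # COMMAND= is the last field and may itself contain spaces
        cmd = substr($0, index($0, "COMMAND=") + 8)
        count[user]++
        if (cmd ~ /^(\/usr)?\/bin\/(sh|ksh|csh|bash)$/) shell[user] = 1
    }
    END {
        for (u in count) {
            tag = (u in shell) ? " shell-attempt" : ""
            printf "%s %d%s\n", u, count[u], tag
        }
    }' "$@" | LC_ALL=C sort
}

sample_log | denied_summary
```

On a live system, pass the log file as an argument, for example denied_summary /var/log/sudo_log.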
To list the commands granted to a user through sudo:
bash-3.00# /usr/local/bin/sudo -l -U malcomx
User malcomx may run the following commands on this host:
(root) SYSADMIN_CMDS
Successful and failed execution of granted commands through sudo:
bash-3.00$ /usr/sbin/useradd -m -d /export/home/Romeo Romeo
UX: /usr/sbin/useradd: ERROR: Permission denied.
bash-3.00$ /usr/local/bin/sudo /usr/sbin/useradd -m -d /export/home/Romeo Romeo
80 blocks
bash-3.00$ /usr/local/bin/sudo /usr/bin/passwd Romeo
New Password:
Re-enter new Password:
passwd: password successfully changed for Romeo
Now I guess that we are a bit familiar with the configuration of sudo and its features.
Even though RBAC has some hurdles, let me come up with the RBAC configuration in my next post :)…!!!
Freeware is not working to download. Can you suggest a different source to download the sudo packages?
Hi Anonymous,
I am still able to find and download the packages from the link.
Please try again.
Try these links too : http://sunfreeware.saix.net/
http://www.sudo.ws/
Good Luck.
Great and Thanks. I was looking for sudo logging and found it here.
Hi, I have an issue after installing and configuring sudo. It worked perfectly on several workstations, but on one in particular the non-root user I created can't execute sudo at all. The sudoers file seems to be correctly set up, since this command "/usr/local/bin/sudo -l -U malcomx" returns every command the user is supposed to be able to execute with sudo, but even trying to execute sudo alone as the user returns this:
$ /usr/local/bin/sudo
/usr/local/bin/sudo: cannot execute
$ ls -l /usr/local/bin/sudo
/usr/local/bin/sudo: Permission denied
I may have installed the packages in a different order by mistake... then reinstalled them correctly. I don't know if this could be the problem.
Do you have any idea what could be causing this?
Thanks!.
Hi,
Try executing /usr/local/bin/sudo -l as the user (here) malcomx. On Solaris, the path would not have been exported.
E.g.: /usr/local/bin/sudo /usr/bin/passwd would work. (Replace with the command delegated.)
Let me know if the issue gets resolved.
Good Luck.
It has been over five years. Has this been resolved?