Wednesday, February 17, 2010

Linux : Security Administration - SUDO

SUDO - LINUX
RBAC - Solaris - Role Based Access Control


Sudo lets an administrator give a user permission to run only selected commands.

Configuration files:
/etc/sudoers
/etc/sudo

What to do?
/etc/sudoers
1. This file is present by default.
2. It is editable by the 'root' user.

We have to edit the file in 3 areas.
a. User_Alias specification:
Here we assign a variable to the (sudo-authenticated) user.
We can add any number of users to the file.

b. Command_Alias specification:
Here we assign a variable to the command which can
be executed by the sudo users.

c. User_privilege specification:
Here we map the User_Alias variable to the
Command_Alias variable.

/etc/sudo
1. This file will NOT be present by default.
2. This file has to be created manually.
3. This file will be referred to by the sudo command.
4. The file has to be edited with
a. User_Alias specification
b. Command_Alias specification
c. User_privilege specification


Note:

1. Before implementing sudo, make sure that the user account is present.
2. When the user tries to execute the permitted commands, the system prompts for the "authenticated" user password.
3. If a line in the file starts with #, the whole line is commented out and the system will not read that entry.


How to do? - Configuration:
I.

Example entry to the file /etc/sudoers
# User_Alias specification
# User_Alias ADMINS = jsmith, mikem
# The following entries are edited
User_Alias CHE = che
User_Alias CASTRO = castro



Changes done to the file:


# Command_Alias specification
# The following 2 lines are edited

Cmnd_Alias B1 = /usr/sbin/useradd
Cmnd_Alias B2 = /usr/bin/passwd


# User_privilege specification
root ALL=(ALL) ALL
# the following 2 lines are edited

CHE ALL = B1,B2
CASTRO ALL = B1,B2


Save the file and exit.


II.
Example entry of the file /etc/sudo
# This file will not be present by default
# This file has to be created

# User_Alias name specification
User_Alias CHE = che
User_Alias CASTRO = castro


# Command_Alias specification
Cmnd_Alias BB1 = /usr/sbin/useradd
Cmnd_Alias BB2 = /usr/bin/passwd

# User privilege specification
root ALL = (ALL) ALL
CHE ALL = BB1,BB2
CASTRO ALL = BB1, BB2

Save the file and exit.

In the above files, variables are assigned to the user names and to the commands.

To check:
1. Log in as the users che and castro.
2. When they run the commands directly,
# useradd and # passwd

they are not permitted to execute them.
3. So they have to run the commands through sudo, as below:
$ sudo /usr/sbin/useradd
$ sudo /usr/bin/passwd
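
The alias mapping above can be checked offline before logging in as each user. The following Python script is an added example, not part of the original post: it parses only the subset of sudoers syntax used on this page (one alias or rule per line), the sample text is constructed from the entries above, and the function names are hypothetical. It expands the aliases for a login and lists the commands granted as a bare path, for which sudo accepts any arguments.

```python
import re

# Constructed sample: the /etc/sudoers entries shown on this page.
SAMPLE = """\
# User_Alias specification
User_Alias CHE = che
User_Alias CASTRO = castro
Cmnd_Alias B1 = /usr/sbin/useradd
Cmnd_Alias B2 = /usr/bin/passwd
root ALL=(ALL) ALL
CHE ALL = B1,B2
CASTRO ALL = B1,B2
"""

ALIAS = re.compile(r"(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)")
RULE = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)")

def parse(text):
    """Parse only the sudoers subset used on this page (one alias or rule per line)."""
    users, cmnds, rules = {}, {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):  # blank or comment line
            continue
        if m := ALIAS.match(line):
            kind, name, members = m.groups()
            table = users if kind == "User_Alias" else cmnds
            table[name] = [x.strip() for x in members.split(",")]
        elif m := RULE.match(line):
            who, host, runas, cmds = m.groups()
            # With no (runas) list, sudo runs the command as root.
            rules.append((who, runas or "root", [c.strip() for c in cmds.split(",")]))
    return users, cmnds, rules

def allowed_commands(text, login):
    """Expand aliases and return the (runas, command) pairs granted to login."""
    users, cmnds, rules = parse(text)
    granted = []
    for who, runas, cmds in rules:
        if login == who or login in users.get(who, []):
            for c in cmds:
                granted += [(runas, path) for path in cmnds.get(c, [c])]
    return granted

def unrestricted(text, login):
    """Commands granted as a bare path: sudo accepts any arguments for these."""
    return [p for _, p in allowed_commands(text, login) if p.startswith("/") and " " not in p]

if __name__ == "__main__":
    for user in ("che", "castro"):
        print(user, allowed_commands(SAMPLE, user), unrestricted(SAMPLE, user))
```

On a live system, `sudo -l -U che` (run as root) lists what sudo itself grants to that user, and `visudo -c` checks the syntax of the sudoers file.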

2 comments:

  1. hey manickam,

    this article turned out to be an absolutely informative thing.... how about the configuration of SUDO in Solaris.... any idea....??

  2. Hi Chetan Honnavile -
    Apologies for the delay in my response.
    With ref to the comment above, SUDO has been tested on a Solaris box and the same is posted.
    Please refer to the link - http://solaris-unlimited.blogspot.com/2013/12/configuring-sudo-on-solaris-10.html

    Thanks much.
    Good Luck.
