Wednesday, December 18, 2013

Configuring SUDO on Solaris 10...!!!

What is SUDO?

Substitute User Do – a normal user is granted a privilege to execute root owned chosen commands (based on the user’s day today role) reside under /usr/sbin directory.



Why SUDO?

  1. Delegating the chosen root owned commands to a privilege user, reduce the root’s load adding the security feature. The privilege user can execute only the commands granted.
  2. If a virus, worm or malicious script tries to run on a Unix system it cannot gain necessary privileges without the user typing sudo.  This prevents a lot of malware from running without notifying the user.
  3. Another nice thing about sudo is that I type in MY Password, not root’s, to gain the root privileges. So if my account gets compromised, we still have not compromised the root account.
  4. Logs both the successful and failure execution of commands leaving a track for event record.

And now, why SUDO on Solaris 10? Does Solaris 10 opt with such feature?

Yes. Solaris 10 have such a feature – RBAC (Role Based Access Control).
SUDO packages has to be downloaded and installed manually in Solaris 10 as it is NOT available on the Solaris 10 OS installation media. (SUDO is available by default in Solaris 11).

From my perspective, even though RBAC has more feature and secure password (RBAC, Roles do have a password. So user needs login password and role password to execute the granted commands), administering RBAC is more complex than SUDO.

Only /usr/local/etc/sudoers is the configuration file that has to be configured nor to be modified.
Whereas, RBAC involves with /etc/user_attr, /etc/security/auth_attr, /etc/security/prof_attr and /etc/security/exec_attr files.


Can download the packages from the link - http://sunfreeware.com/

SUDO packages to be installed on  X86:-
libiconv-1.13.1-sol10-x86-local.gz
libgcc-3.4.6-sol10-x86-local.gz
gcc-3.4.6-sol10-x86-local.gz
libintl-3.4.0-sol10-x86-local.gz
db-4.2.52.NC-sol10-intel-local.gz
make-3.82-sol10-x86-local.gz
wget-1.12-sol10-x86-local.gz
sudo-1.7.4p4-sol10-x86-local.gz
TCMsudo-1.7.4p4-i386.pkg.gz
sudo-1.6.9p23.tar

SUDO packages to be installed on  SPARC:-
libiconv-1.13.1-sol10-sparc-local.gz
libgcc-3.4.6-sol10-sparc-local.gz
gcc-3.4.6-sol10-sparc-local.gz
libintl-3.4.0-sol10-sparc-local.gz
db-4.2.52.NC-sol10-sparc-local.gz
make-3.82-sol10-sparc-local.gz
sudo-1.7.4p4-sol10-sparc-local.gz
TCMsudo-1.7.4p4-sparc.pkg
sudo-1.6.9p23.tar
zlib-1.2.5-sol10-sparc-local.gz


These following 2 packages
1. sudo-1.6.9p23 ( Source Distribution)
2. TCMsudo-1.7.4p4-i386.pkg (Binary Package)

Can be downloaded from the link -  http://www.sudo.ws/sudo/download.html


How?
I wish to recommend the downloaded packages to install in the following order –

bash-3.00# pkgadd -d libiconv-1.13.1-sol10-x86-local
bash-3.00# pkgadd -d libgcc-3.4.6-sol10-x86-local
bash-3.00# pkgadd -d gcc-3.4.6-sol10-x86-local
bash-3.00# pkgadd -d libintl-3.4.0-sol10-x86-local
bash-3.00# pkgadd -d make-3.82-sol10-x86-local
bash-3.00# pkgadd -d db-4.2.52.NC-sol10-intel-local
bash-3.00# pkgadd -d wget-1.12-sol10-x86-local
bash-3.00# pkgadd -d TCMsudo-1.7.4p4-i386.pkg
bash-3.00# pkgadd -d sudo-1.7.4p4-sol10-x86-local


Only after the successful installation of the above 2 packages /usr/local/etc/sudoers file will be generated.
bash-3.00# cd sudo-1.6.9p23
bash-3.00# ls configure
configure


Run the configure file by ./configure
bash-3.00# ./configure

On successful installation and execution of ./configure script move to the dir /usr/local/etc to ensure the presence of sudoers and wgetrc file

Set the PATH variable for sudo
bash-3.00# export PATH=$PATH:/usr/local/bin:/usr/local/sbin

To make it permanent make entry in /etc/profile file
To ensure that PATH variable is set
bash-3.00# echo $PATH
/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

Now let us discuss the entries to the /usr/local/etc/sudoers file on order

## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias    ADMINS = millert, dowdy, mikef
User_Alias SYSADMIN = scbose, malcomx
(Output Truncated…)

Where –
User_Alias – is the key word state that we are defining the user alias names.
SYSADMIN – is the user_alias variable
scbose, malcomx – are the existing users who have the entry to the local system file /etc/passwd.



Guys, kindly note User_Alias, Cmd_Alias, Host_Alias variable should NOT be same.
 
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#                           /usr/bin/pkill, /usr/bin/top

Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/bin/passwd, \
                        /usr/sbin/groupadd, /usr/sbin/gropmod,\
                        /usr/sbin/groupdel, /usr/sbin/usermod, /usr/userdel

Cmd_Alias SYSADMIN_CMDS = /usr/sbin/init, /usr/sbin/shutdown, /usr/sbin/reboot \
                                /usr/sbin/halt
(Output Truncated…)

 
Where –
Cmnd_Alias – is the key word state that we are defining the command alias names.
USERAMIN, SYSADMIN_CMDS – is the command alias variable.
Command alias variable is mapped with several commands (Here for instance: /usr/sbin/useradd, /usr/bin/passwd,/usr/sbin/groupadd, /usr/sbin/gropmod, /usr/sbin/groupdel, /usr/sbin/usermod, /usr/userdel, /usr/sbin/init, /usr/sbin/shutdown, /usr/sbin/reboot, /usr/sbin/halt).
 




## User privilege specification
##
root ALL=(ALL) ALL


che ALL=(ALL) ALL
NewUser ALL=/usr/sbin/useradd, /usr/bin/passwd
castro ALL=USERADMIN, SYSADMIN_CMDS
SYSADMIN ALL=SYSADMIN_CMDS
(Output Truncated…)


Where –
New_User – Existing user login name
ALL = Terminals user can execute from
Followed with commands granted to the user to execute, or the command alias (all the commands mapped to the command alias can be executed by the user).


The syntax is like so:
USER ALL=(ALL) ALL
Where –
USER  = The user.
ALL = Terminals user can execute from
(ALL) = The users USER can act as.
ALL = The commands USER can run.


Note:
  1. By default, sudo command will cache the password for 5 min for each command so it’s not necessary to enter password again for the same command until the cache password expires.
  2. /etc/sudoers file will be read each time when the command is being executed.
The modification (restricting/adding commands to the existing user) done on the /etc/sudoers file will come into effect immediately.
  1. If wished, do not want the user to be asked for their password when running sudo:
USER ALL= (ALL) ALL NO PASSWD: ALL
Possible, but not a good idea! :) 


By default all the activity performed through sudo will be logged to /var/adm/messages file.
However, it can be customized. Can sudo logs to a specific file. But make sure that file is created and granted with valid file permissions.

Here, I’m customizing the sudo logs to the file : /var/log/sudo_log

# Defaults log_output
Defaults logfile=/var/log/sudo_log

(Output Truncated…)


Example log from the /var/adm/messages file:
Dec 17 04:24:05 veritas sudo: [ID 702911 auth.alert]  NewUser : command not allowed ; TTY=pts/8 ; PWD=/export/home/NewUser ; USER=root ; COMMAND=useradd -m -e /export/home/Jack Jack
 
Dec 17 04:28:59 veritas sudo: [ID 702911 auth.alert]   castro : command not allowed ; TTY=pts/8 ; PWD=/export/home/castro_home ; USER=che ; COMMAND=/usr/sbin/useradd -m -d /export/home/Rose Rose

Dec 17 04:30:12 veritas sudo: [ID 702911 auth.alert]   castro : command not allowed ; TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root ; COMMAND=list

Dec 17 04:32:10 veritas sudo: [ID 702911 auth.alert]  malcomx : command not allowed ; TTY=pts/7 ; PWD=/export/home/malcomx ; USER=che ; COMMAND=/bin/sh

Dec 17 04:33:07 veritas sudo: [ID 702911 auth.alert]  malcomx : command not allowed ; TTY=pts/7 ; PWD=/export/home/malcomx ; USER=root ; COMMAND=list



Entry from the customized sudo log file:
Dec 18 01:13:11 : che : TTY=pts/7 ; PWD=/export/home/che_home ; USER=root ; COMMAND=list
Dec 18 01:13:47 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root
    ; COMMAND=list
Dec 18 01:14:40 : castro : command not allowed ; TTY=pts/8 ;
    PWD=/export/home/castro_home ; USER=root ; COMMAND=/usr/sbin/useradd -m -d
    /export/home/TestUser TestUser
Dec 18 01:46:54 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root
    ; COMMAND=/usr/sbin/useradd -m -d /export/home/TestUser TestUser
Dec 18 01:47:15 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root
    ; COMMAND=/usr/bin/passwd TestUser

 
From the above logs, it’s very clear that both the successful and failure events are logged.


To know the granted commands to the user through sudo:
bash-3.00# /usr/local/bin/sudo -l -U malcomx
User malcomx may run the following commands on this host:
    (root) SYSADMIN_CMDS


Successful and failure execution of granted commands through sudo:
bash-3.00$ /usr/sbin/useradd -m -d /export/home/Romeo Romeo
UX: /usr/sbin/useradd: ERROR: Permission denied.
bash-3.00$ /usr/local/bin/sudo /usr/sbin/useradd -m -d /export/home/Romeo Romeo
80 blocks
bash-3.00$ /usr/local/bin/sudo /usr/bin/passwd Romeo
New Password:
Re-enter new Password:
passwd: password successfully changed for Romeo


Now I guess that  we are bit familiar with configuration of sudo and its features.
Even though RBAC had some hurdle, let me come with RBAC configuration on my next post :)…!!!


5 comments:

  1. Freeware is not working to down load can you sugget a diffrenet source to dowload the sudo pakages

    ReplyDelete
  2. Hi Anonymous,
    I still able to find and download the packages from the link.
    Please try again.
    Try these links too : http://sunfreeware.saix.net/
    http://www.sudo.ws/

    Good Luck.

    ReplyDelete
  3. Great and Thanks. I was looking for sudo logging and found it here.

    ReplyDelete
  4. Hi, i have an issue after installing and configuring sudo, it worked in perfectly in several workstations but in one in particular the Non-root user i created cant execute sudo at all, the sudoers file seems to be correctly set up since this command "/usr/local/bin/sudo -l -U malcomx" returns every command the user is supposed to be able to execute with sudo, but even trying to execute sudo alone as the user returns this

    $ /usr/local/bin/sudo
    /usr/local/bin/sudo: cannot execute

    $ ls -l /usr/local/bin/sudo
    /usr/local/bin/sudo: Permission denied

    i may have installed the packages in different order by mistake...then reinstalled them correctly, i dont know if this could be the problem.

    Do you have any idea what could be causing this?

    Thanks!.

    ReplyDelete
    Replies
    1. Hi,
      Try executing, /usr/local/bin/sudo -l as the user (here) malcomx. On Solaris, the path would have not exported.
      Eg: /usr/local/bin/sudo /usr/bin/passwd would work. (Replace with the command delegated).

      Let me know if the issue get resolved.
      Good Luck.

      Delete