Friday, August 28, 2015

SUDO Configuration with case study...!!!


What is SUDO?

Substitute User Do – a normal user is granted a privilege to execute root owned chosen commands (based on the user’s day today role) reside under /usr/sbin directory.



Why SUDO?
  1. Delegating the chosen root owned commands to a privilege user, reduce the root’s load adding the security feature. The privilege user can execute only the commands granted.
  2. If a virus, worm or malicious script tries to run on a UNIX system it cannot gain necessary privileges without the user typing SUDO.  This prevents a lot of malware from running without notifying the user.
  3. Another nice thing about SUDO is that I type in MY Password, not root’s, to gain the root privileges. So if my account gets compromised, we still have not compromised the root account.
  4. Logs both the successful and failure execution of commands leaving a track for event record.

  As ROOT:
[root@localhost etc]# useradd TestUser1
[root@localhost etc]# passwd TestUser1
Changing password for user TestUser1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.



 As standard user - TestUser1:
login as: TestUser1
TestUser1@192.168.110.128's password:
 This is a Linux production box. Kindly handle it carefully.
Only authenticated persons are permitted to login to the system, violating the same will be legally penalized.
[TestUser1@localhost ~]$ whoami
TestUser1
[TestUser1@localhost ~]$ init 0
init: Need to be root
[TestUser1@localhost ~]$ useradd TestUser2
-bash: /usr/sbin/useradd: Permission denied


Case -1:
1.       Creating a new User_Alias with the name as – L1ADMINS.
2.       Adding the user “TestUser1” to the User_Alias.
3.       Creating a new command alias Cmnd_Alias with the name as – L1CMNDS. This command alias includes the commands - /usr/sbin/useradd, /user/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
4.       Mapping the User_Alias L1ADMINS with the command alias L1CMDS.

This will grant the user “TestUser1” to execute the commands mapped against the L1CMDS alias.


As ROOT:
[root@localhost ~]# cd /etc
[root@localhost etc]# cp sudoers sudoers.orig_bkp
[root@localhost ~]# vi /etc/sudoers

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
User_Alias L1ADMINS = TestUser1

## Command Aliases
## These are groups of related commands...
Cmnd_Alias L1CMNDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd


## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TestUser1 ALL=(ALL) L1CMNDS
(Output Truncated…)

[root@localhost etc]# sudo -U TestUser1 -l
Matching Defaults entries for TestUser1 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser1 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd


As SUDO User:
[TestUser1@localhost ~]$ id
uid=505(TestUser1) gid=506(TestUser1) groups=506(TestUser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser1@localhost ~]$ whoami
TestUser1
[TestUser1@localhost ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for TestUser1:
Matching Defaults entries for TestUser1 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser1 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd


[TestUser1@localhost ~]$ useradd TestUser2
-bash: /usr/sbin/useradd: Permission denied
[TestUser1@localhost ~]$ sudo useradd TestUser2
[TestUser1@localhost ~]$ sudo passwd TestUser2
Changing password for user TestUser2.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[TestUser1@localhost ~]$ id TestUser2
uid=506(TestUser2) gid=507(TestUser2) groups=507(TestUser2)


Case -2:

As ROOT:
1.       Granting  the user “TestUser2” to execute the commands - /usr/sbin/useradd, /user/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd
directly.
2.       NOPASSWD: will not prompt the user for the password whilst executing the commands using SUDO.




[root@localhost ~]# vi /etc/sudoers
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TestUser1 ALL=(ALL) L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
(Output Truncated…)


[root@localhost etc]# sudo -U TestUser2 -l
Matching Defaults entries for TestUser2 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser2 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/sbin/useradd, (ALL) /usr/sbin/usermod, (ALL) /usr/sbin/userdel, (ALL) /sbin/shutdown, (ALL)
    /usr/bin/passwd




As SUDO User:
[TestUser2@localhost ~]$ id
uid=506(TestUser2) gid=507(TestUser2) groups=507(TestUser2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser2@localhost ~]$ whoami
TestUser2

[TestUser2@localhost ~]$ sudo -l
Matching Defaults entries for TestUser2 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser2 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/sbin/useradd, (ALL) /usr/sbin/usermod, (ALL) /usr/sbin/userdel, (ALL) /sbin/shutdown, (ALL)
    /usr/bin/passwd




Case -3:
As ROOT:
1.       Granting the user “TestUser3” to execute all the commands listed under the command alias L1CMDS.

[root@localhost ~]# vi /etc/sudoers
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TestUser1 ALL=(ALL)   L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
TestUser3 ALL=(ALL) L1CMNDS
(Output Truncated…)

[root@localhost etc]# sudo -U TestUser3 -l
Matching Defaults entries for TestUser3 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser3 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd


As SUDO User:
[TestUser3@localhost ~]$ id
uid=507(TestUser3) gid=508(TestUser3) groups=508(TestUser3) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser3@localhost ~]$ whoami
TestUser3
[TestUser3@localhost ~]$ sudo -l
Matching Defaults entries for TestUser3 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser3 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd

[TestUser3@localhost ~]$ sudo useradd TestUser4
[TestUser3@localhost ~]$ sudo passwd TestUser4
Changing password for user TestUser4.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.


Case -4:
1.       Mapping the users – “TestUser5, TestUser6, TestUser7, TestUser8, TestUser9” to the existing User_Alias L1ADMINS. So going forward, it’s not necessary to specify each user name to grant access; instead User_Alias name L1ADMIN can be used.
2.       Mapping the listed users under User_Alias L1ADMIN to the command alias L1CMNDS.
This will ensure that, all the listed users under the User_Alias L1ADMINS are granted access to execute all the commands listed under the command alias L1CMNDS.


As ROOT:
[root@localhost etc]# vi /etc/sudoers
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

User_Alias L1ADMINS = TestUser1, TestUser5, TestUser6, TestUser7, TestUser8, TestUser9

Cmnd_Alias L1CMNDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TestUser1 ALL=(ALL)   L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
TestUser3 ALL=(ALL) L1CMNDS
L1ADMINS ALL=(ALL) L1CMNDS
(Output Truncated…)

[root@localhost etc]# sudo -U TestUser5 -l
Matching Defaults entries for TestUser5 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser5 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd



As SUDO User:
[TestUser5@localhost ~]$ id
uid=509(TestUser5) gid=510(TestUser5) groups=510(TestUser5) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser5@localhost ~]$ whoami
TestUser5
[TestUser5@localhost ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for TestUser5:
Matching Defaults entries for TestUser5 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser5 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd



Case -5:
1.       Granting the user “TestUser0” complete root access. This user can execute any commands that are executed by the super user ‘root’.

As ROOT:
[root@localhost etc]# vi /etc/sudoers

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TestUser0 ALL=(ALL) ALL
TestUser1 ALL=(ALL)   L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
TestUser3 ALL=(ALL) L1CMNDS
L1ADMINS ALL=(ALL) L1CMNDS
(Output Truncated…)


[root@localhost etc]# sudo -U TestUser0 -l
Matching Defaults entries for TestUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser0 may run the following commands on this host:
    (ALL) ALL


As SUDO User:
[TestUser0@localhost ~]$ id
uid=514(TestUser0) gid=515(TestUser0) groups=515(TestUser0) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser0@localhost ~]$ whoami
TestUser0
[TestUser0@localhost ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for TestUser0:
Matching Defaults entries for TestUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser0 may run the following commands on this host:
    (ALL) ALL

[TestUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser1
[TestUser0@localhost ~]$ sudo passwd NewUser1
Changing password for user NewUser1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.




Case -6:
1.       Granting the user “TestUser10” to execute all the commands similar to root, but, restricting the user “TestUser10” to use the commands - /usr/bin/useradd, /usr/sbin/usermod, /usr/sbin/userdel.

As ROOT:
[root@localhost etc]# vi /etc/sudoers
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TestUser0 ALL=(ALL) ALL
TestUser1 ALL=(ALL)   L1CMNDS
TestUser2 ALL=(ALL) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /usr/bin/passwd
TestUser3 ALL=(ALL) L1CMNDS
L1ADMINS ALL=(ALL) L1CMNDS
TestUser10 ALL=(ALL) ALL, !/usr/sbin/useradd, !/usr/sbin/usermod, !/usr/sbin/userdel
(Output Truncated…)


[root@localhost etc]# sudo -U TestUser10 -l
Matching Defaults entries for TestUser10 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser10 may run the following commands on this host:
    (ALL) ALL, (ALL) !/usr/sbin/useradd, (ALL) !/usr/sbin/usermod, (ALL) !/usr/sbin/userdel



As SUDO User:
[TestUser10@localhost ~]$ id
uid=517(TestUser10) gid=518(TestUser10) groups=518(TestUser10) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[TestUser10@localhost ~]$ whoami
TestUser10
[TestUser10@localhost ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for TestUser10:
Matching Defaults entries for TestUser10 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User TestUser10 may run the following commands on this host:
    (ALL) ALL, (ALL) !/usr/sbin/useradd, (ALL) !/usr/sbin/usermod, (ALL) !/usr/sbin/userdel

[TestUser10@localhost ~]$ sudo useradd -c "R&D Users" NewUser3
Sorry, user TestUser10 is not allowed to execute '/usr/sbin/useradd -c R&D Users NewUser3' as root on localhost.localdomain.



Case -7:
1.       Granting the group named “admin” to execute all the commands listed under the command alias L1CMNDS.
2.       Users belong the group “admin” are permitted to execute all the commands under the command alias L1CMNDS.

As ROOT:
[root@localhost etc]# vi /etc/sudoers
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
%admin ALL=(ALL) L1CMNDS
(Output Truncated…)

[root@localhost etc]# sudo -U NewUser0 -l
Matching Defaults entries for NewUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User NewUser0 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd



As SUDO User:
[NewUser0@localhost ~]$ id
uid=515(NewUser0) gid=521(admin) groups=521(admin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[NewUser0@localhost ~]$ whoami
NewUser0
[NewUser0@localhost ~]$ sudo -l
[sudo] password for NewUser0:
Matching Defaults entries for NewUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User NewUser0 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd

[NewUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser6
[NewUser0@localhost ~]$ sudo passwd NewUser6
Changing password for user NewUser6.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[root@localhost etc]# grep admin /etc/group
desktop_admin_r:x:499:
admin:x:521:
[root@localhost etc]# id NewUser0
uid=515(NewUser0) gid=521(admin) groups=521(admin)
[root@localhost etc]# groupmod -n usradmin admin
[root@localhost etc]# grep -i usradmin /etc/group
usradmin:x:521:
[root@localhost etc]# id NewUser0
uid=515(NewUser0) gid=521(usradmin) groups=521(usradmin)
[root@localhost etc]# id NewUser1
uid=516(NewUser1) gid=521(usradmin) groups=521(usradmin)
[root@localhost etc]# id NewUser2
uid=518(NewUser2) gid=521(usradmin) groups=521(usradmin)

Case -8:
1.       Changing the group name from “admin” to “usradmin”.  This will replicate and ensure all the users belonged to group “admin” is moved to the renamed group “usradmin”.
2.       However, once the group name is changed, the users under “usradmin” are NOT permitted to execute the commands as earlier.  This is because, the “admin” group is updated on the /etc/sudoers configuration file.
3.       So, the group name in the file /etc/sudoers has to be changed as – “usradmin”. Once the changes are done, user belong to the group “usradmin” can execute all the commands listed under the command alias L1CMNDS.


As SUDO User:
login as: NewUser0
NewUser0@192.168.110.128's password:
Last login: Sat Jul  4 22:05:09 2015 from 192.168.110.1
 This is a Linux production box. Kindly handle it carefully.
Only authenticated persons are permitted to login to the system, violating the same will be legally penalized.
[NewUser0@localhost ~]$ id
uid=515(NewUser0) gid=521(usradmin) groups=521(usradmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[NewUser0@localhost ~]$ whoami
NewUser0
[NewUser0@localhost ~]$ sudo -l
[sudo] password for NewUser0:
Sorry, user NewUser0 may not run sudo on localhost.

As ROOT:

[root@localhost etc]# vi /etc/sudoers
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
%usradmin ALL=(ALL) L1CMNDS
(Output Truncated…)



  
As SUDO User:

[NewUser0@localhost ~]$ id
uid=515(NewUser0) gid=521(usradmin) groups=521(usradmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[NewUser0@localhost ~]$ whoami
NewUser0
[NewUser0@localhost ~]$ sudo -l
[sudo] password for NewUser0:
Matching Defaults entries for NewUser0 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User NewUser0 may run the following commands on this host:
    (ALL) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /sbin/shutdown, /sbin/reboot, /usr/bin/passwd

[NewUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser7
[NewUser0@localhost ~]$ sudo passwd NewUser7
Changing password for user NewUser7.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[NewUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser8
[NewUser0@localhost ~]$ sudo passwd NewUser8
Changing password for user NewUser8.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[NewUser0@localhost ~]$ sudo useradd -c "R&D Users" NewUser9
[NewUser0@localhost ~]$ sudo passwd NewUser9
Changing password for user NewUser9.
New password:
Retype new password:

passwd: all authentication tokens updated successfully.


Hope I had discussed most of the possibility, case of have SUDO users, SUDO groups with different combinations.  Here I had tested on the Linux environment, firmly believe that the same would work on Solaris environment too as the concepts, syntax remains same. 

Please pass your comments, queries on the space provided.

1 comment:

  1. Amazing article. Your blog helped me to improve myself in many ways thanks for sharing this kind of wonderful informative blogs in live. I have bookmarked more article from this website. Such a nice blog you are providing ! Kindly Visit Us @ Best Travels in Madurai | Tours and Travels in Madurai | Madurai Travels

    ReplyDelete