User Tools

Site Tools


build:sudo

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Last revision Both sides next revision
build:sudo [2014/02/20 15:37]
93.115.94.85 Not available at the moment http://coppermarketing.ca/buyzestoretic/ buy zestoretic Refer to Section 5.0 on page 5.0.1, for a description of this segment.
build:sudo [2014/02/20 15:58]
127.0.0.1 external edit
Line 1: Line 1:
-Not available at the moment http://coppermarketing.ca/buyzestoreticbuy zestoretic ​ Refer to Section 5.0 on page 5.0.1for description ​of this segment+====== sudo ====== 
- + 
 +The ''​sudo''​ command allows a user to run a command as root, or some other user. 
 +It has several benefits over ''​su'':​ 
 +  * It can restrict who has access, and what commands they may run. 
 +  * It can be configured to not require a password in some situations. 
 +  * It can log commands that the user runs. 
 + 
 +This page documents the configuration of sudo for Debian 6.0. 
 +Previous versions of Debian did things quite a bit differently -- see versions of this page prior to 2012-01-28 for those details. 
 + 
 + 
 +===== Prerequisites ===== 
 + 
 +==== Root Password ==== 
 + 
 +We're going to configure sudo to require the root password in most cases. 
 +If you configured Debian during installation to not have a root password, be sure to add one: 
 + 
 +<code rootshell>​ 
 +passwd root  # NOTEInteractive! 
 +</code> 
 + 
 + 
 +==== Admin Users ==== 
 + 
 +Debian automatically creates a group named ''​sudo''​. 
 +The members of that group have sudo access (to run anything as root) granted by the default configuration. 
 + 
 +When installing Debian 6.0, the first user is added to the ''​sudo''​ group. 
 +Any other admin users will have to be added to that group. 
 +You can use one of these commands: 
 + 
 +<code rootshell>​ 
 +USERNAME='​admin_user'​ 
 +usermod --append --groups sudo $USERNAME 
 +</code> 
 + 
 +<code rootshell>​ 
 +USERNAME='​admin_user'​ 
 +adduser $USERNAME sudo 
 +</​code>​ 
 + 
 + 
 +===== Installation ===== 
 + 
 +It appears that Debian 6.0 will install sudo by default, if you don't specify a root password during installation,​ or if you select the Desktop task. 
 + 
 +Our installations of Debian typically do not include sudo by default, so we have to install it manually: 
 + 
 +<code rootshell>​ 
 +apt-get install sudo 
 +</code> 
 + 
 +Note that if you use LDAP for user accounts, you'll need to install ''​sudo-ldap''​ instead of ''​sudo''​. 
 + 
 + 
 +===== Configuration ===== 
 + 
 +==== Require Root Password ==== 
 + 
 +By default, sudo requires a user to type in their own password in order to run a command. 
 +For added security, we prefer to use a different password to run commands as root. 
 +This way, if a user password is compromised,​ the attacker cannot run commands as root without additional work. 
 + 
 +<code rootshell>​ 
 +cat > /​etc/​sudoers.d/​require_root_password << EOF 
 +# Require root password (instead of the user's own password). 
 +Defaults ​       rootpw 
 +EOF 
 +chmod 440 /​etc/​sudoers.d/​require_root_password 
 +visudo -c -f /​etc/​sudoers.d/​require_root_password 
 +</​code>​ 
 + 
 + 
 +==== Environment ==== 
 + 
 +The ''​sudo''​ command ensures that certain environment variables are not carried over, to prevent security problems. 
 +We need to tweak the set of environment variables a bit. 
 + 
 +<code rootshell>​ 
 +cat > /​etc/​sudoers.d/​environment << EOF 
 +# Set $HOME to the target user's home directory. Allows mysql clients to find root's $HOME/​.my.cnf config file automatically. 
 +Defaults ​       always_set_home 
 + 
 +# Reset all environment variables, except the ones we explicitly list. 
 +Defaults ​       env_reset 
 +Defaults ​       env_keep = "PATH MAIL PS1 PS2 HOSTNAME HISTSIZE \ 
 +                           ​LS_COLORS COLORS INPUTRC TZ \ 
 +                           LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ 
 +                           ​LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ 
 +                           ​LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS"​ 
 +EOF 
 +chmod 440 /​etc/​sudoers.d/​environment 
 +visudo -c -f /​etc/​sudoers.d/​environment 
 +</​code>​ 
 + 
 + 
 +==== Package Management ==== 
 + 
 +Since installing and updating software from standard repositories is a common admin task with low security risk, we'll allow it without requiring a password. 
 + 
 +<code rootshell>​ 
 +touch /​etc/​sudoers.d/​package_management 
 +cat > /​etc/​sudoers.d/​package_management << EOF 
 +# Admin users may install and update software packages without having to supply a password. 
 +Cmnd_Alias ​     PACKAGE_INFO ​   = /​usr/​bin/​apt-get install *, /​usr/​bin/​apt-get check, \ 
 +                                  /​usr/​bin/​apt-cache search *, /​usr/​bin/​apt-cache show *, /​usr/​bin/​apt-cache showpkg *, \ 
 +                                  /​usr/​bin/​aptitude search *, /​usr/​bin/​aptitude show *, /​usr/​bin/​aptitude changelog * 
 +Cmnd_Alias ​     PACKAGE_INSTALL = /​usr/​bin/​apt-get install *, \ 
 +                                  /​usr/​bin/​aptitude install *, /usr/bin/aptitude reinstall * 
 +Cmnd_Alias ​     PACKAGE_UPDATE ​ = /​usr/​bin/​apt-get update, /​usr/​bin/​apt-get upgrade, \ 
 +                                  /​usr/​bin/​aptitude update, /​usr/​bin/​aptitude safe-upgrade 
 +Cmnd_Alias ​     PACKAGE_CLEAN =   /​usr/​bin/​apt-get autoremove, /​usr/​bin/​apt-get clean, /​usr/​bin/​apt-get autoclean, \ 
 +                                  /​usr/​bin/​aptitude clean, /​usr/​bin/​aptitude autoclean 
 +%sudo           ALL = NOPASSWD: PACKAGE_INFO,​ PACKAGE_INSTALL,​ PACKAGE_UPDATE,​ PACKAGE_CLEAN 
 +EOF 
 +chmod 440 /​etc/​sudoers.d/​package_management 
 +visudo -c -f /​etc/​sudoers.d/​package_management 
 +</​code>​ 
 + 
 + 
 +===== Notes ===== 
 + 
 +  * Allowing ''​sudo''​ without a password should be limited as much as possible. Be sure that the commands cannot be used to make arbitrary changes to files or run arbitrary commands. 
 +  * Previous versions of Debian allowed users in the ''​sudo''​ group to use sudo to perform any command without a passwordThis is not a good security practiceOn those systemswe used different group (''​wheel''​) and set that group to be allowed to run any command with a password. 
 +  * Note that if you allow a user to run a command as root, and the command allows them to shell out, they can then effectively run any command as root. So don't give access to things like ''​vi'',​ unless you're willing to give access to ALL commands. 
 +  * You should always use ''​visudo''​ when editing the configuration files. This will prevent you from saving an invalid configuration file. For programmatically-written files, the ''​-c''​ option can be used. 
 +  * If you use sudo to create a new file within ''/​etc/​sudoers.d'',​ you'll get a warning message when changing the permissions on the file, when you try using sudo to change the permissions. 
 + 
 + 
 +===== TODO ===== 
 + 
 +  * Add some more limited commands for some users. 
 +  * Investigate the differences between the default set of environment variables and the ones we're using. 
 +  * Take some action if the visudo check of the configuration files fails
build/sudo.txt · Last modified: 2016/02/26 10:37 by Craig Buchek