User Tools

Site Tools


build:sudo

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
build:sudo [2014/02/20 15:37]
93.115.94.85 Not available at the moment http://coppermarketing.ca/buyzestoretic/ buy zestoretic Refer to Section 5.0 on page 5.0.1, for a description of this segment.
build:sudo [2016/02/26 10:37]
Craig Buchek [Environment] Keep SSH_AUTH_SOCK, so ssh-agent will work.
Line 1: Line 1:
-Not available at the moment http://coppermarketing.ca/buyzestoreticbuy zestoretic ​ Refer to Section 5.0 on page 5.0.1for description ​of this segment+====== sudo ====== 
- + 
 +The ''​sudo''​ command allows a user to run a command as root, or some other user. 
 +It has several benefits over ''​su'':​ 
 +  * It can restrict who has access, and what commands they may run. 
 +  * It can be configured to not require a password in some situations. 
 +  * It can log commands that the user runs. 
 + 
 +This page documents the configuration of sudo for Debian 6.0. 
 +Previous versions of Debian did things quite a bit differently -- see versions of this page prior to 2012-01-28 for those details. 
 + 
 + 
 +===== Prerequisites ===== 
 + 
 +==== Root Password ==== 
 + 
 +We're going to configure sudo to require the root password in most cases. 
 +If you configured Debian during installation to not have a root password, be sure to add one: 
 + 
 +<code rootshell>​ 
 +passwd root  # NOTEInteractive! 
 +</code> 
 + 
 + 
 +==== Admin Users ==== 
 + 
 +Debian automatically creates a group named ''​sudo''​. 
 +The members of that group have sudo access (to run anything as root) granted by the default configuration. 
 + 
 +When installing Debian 6.0, the first user is added to the ''​sudo''​ group. 
 +Any other admin users will have to be added to that group. 
 +You can use one of these commands: 
 + 
 +<code rootshell>​ 
 +USERNAME='​admin_user'​ 
 +usermod --append --groups sudo $USERNAME 
 +</code> 
 + 
 +<code rootshell>​ 
 +USERNAME='​admin_user'​ 
 +adduser $USERNAME sudo 
 +</​code>​ 
 + 
 + 
 +===== Installation ===== 
 + 
 +It appears that Debian 6.0 will install sudo by default, if you don't specify a root password during installation,​ or if you select the Desktop task. 
 + 
 +Our installations of Debian typically do not include sudo by default, so we have to install it manually: 
 + 
 +<code rootshell>​ 
 +apt-get install sudo 
 +</code> 
 + 
 +Note that if you use LDAP for user accounts, you'll need to install ''​sudo-ldap''​ instead of ''​sudo''​. 
 + 
 + 
 +===== Configuration ===== 
 + 
 +==== Require Root Password ==== 
 + 
 +By default, sudo requires a user to type in their own password in order to run a command. 
 +For added security, we prefer to use a different password to run commands as root. 
 +This way, if a user password is compromised,​ the attacker cannot run commands as root without additional work. 
 + 
 +<code rootshell>​ 
 +cat > /​etc/​sudoers.d/​require_root_password << EOF 
 +# Require root password (instead of the user's own password). 
 +Defaults ​       rootpw 
 +EOF 
 +chmod 440 /​etc/​sudoers.d/​require_root_password 
 +visudo -c -f /​etc/​sudoers.d/​require_root_password 
 +</​code>​ 
 + 
 + 
 +==== Environment ==== 
 + 
 +The ''​sudo''​ command ensures that certain environment variables are not carried over, to prevent security problems. 
 +We need to tweak the set of environment variables a bit. 
 + 
 +<code rootshell>​ 
 +cat > /​etc/​sudoers.d/​environment << EOF 
 +# Set $HOME to the target user's home directory. Allows mysql clients to find root's $HOME/​.my.cnf config file automatically. 
 +Defaults ​       always_set_home 
 + 
 +# Reset all environment variables, except the ones we explicitly list. 
 +Defaults ​       env_reset 
 +Defaults ​       env_keep = "PATH MAIL PS1 PS2 HOSTNAME HISTSIZE \ 
 +                           ​LS_COLORS COLORS INPUTRC TZ \ 
 +                           LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ 
 +                           ​LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ 
 +                           ​LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \ 
 +                           ​SSH_AUTH_SOCK"​ 
 +EOF 
 +chmod 440 /​etc/​sudoers.d/​environment 
 +visudo -c -f /​etc/​sudoers.d/​environment 
 +</​code>​ 
 + 
 + 
 +==== Package Management ==== 
 + 
 +Since installing and updating software from standard repositories is a common admin task with low security risk, we'll allow it without requiring a password. 
 + 
 +<code rootshell>​ 
 +touch /​etc/​sudoers.d/​package_management 
 +cat > /​etc/​sudoers.d/​package_management << EOF 
 +# Admin users may install and update software packages without having to supply a password. 
 +Cmnd_Alias ​     PACKAGE_INFO ​   = /​usr/​bin/​apt-get install *, /​usr/​bin/​apt-get check, \ 
 +                                  /​usr/​bin/​apt-cache search *, /​usr/​bin/​apt-cache show *, /​usr/​bin/​apt-cache showpkg *, \ 
 +                                  /​usr/​bin/​aptitude search *, /​usr/​bin/​aptitude show *, /​usr/​bin/​aptitude changelog * 
 +Cmnd_Alias ​     PACKAGE_INSTALL = /​usr/​bin/​apt-get install *, \ 
 +                                  /​usr/​bin/​aptitude install *, /usr/bin/aptitude reinstall * 
 +Cmnd_Alias ​     PACKAGE_UPDATE ​ = /​usr/​bin/​apt-get update, /​usr/​bin/​apt-get upgrade, \ 
 +                                  /​usr/​bin/​aptitude update, /​usr/​bin/​aptitude safe-upgrade 
 +Cmnd_Alias ​     PACKAGE_CLEAN =   /​usr/​bin/​apt-get autoremove, /​usr/​bin/​apt-get clean, /​usr/​bin/​apt-get autoclean, \ 
 +                                  /​usr/​bin/​aptitude clean, /​usr/​bin/​aptitude autoclean 
 +%sudo           ALL = NOPASSWD: PACKAGE_INFO,​ PACKAGE_INSTALL,​ PACKAGE_UPDATE,​ PACKAGE_CLEAN 
 +EOF 
 +chmod 440 /​etc/​sudoers.d/​package_management 
 +visudo -c -f /​etc/​sudoers.d/​package_management 
 +</​code>​ 
 + 
 + 
 +===== Notes ===== 
 + 
 +  * Allowing ''​sudo''​ without a password should be limited as much as possible. Be sure that the commands cannot be used to make arbitrary changes to files or run arbitrary commands. 
 +  * Previous versions of Debian allowed users in the ''​sudo''​ group to use sudo to perform any command without a passwordThis is not a good security practiceOn those systemswe used different group (''​wheel''​) and set that group to be allowed to run any command with a password. 
 +  * Note that if you allow a user to run a command as root, and the command allows them to shell out, they can then effectively run any command as root. So don't give access to things like ''​vi'',​ unless you're willing to give access to ALL commands. 
 +  * You should always use ''​visudo''​ when editing the configuration files. This will prevent you from saving an invalid configuration file. For programmatically-written files, the ''​-c''​ option can be used. 
 +  * If you use sudo to create a new file within ''/​etc/​sudoers.d'',​ you'll get a warning message when changing the permissions on the file, when you try using sudo to change the permissions. 
 + 
 + 
 +===== TODO ===== 
 + 
 +  * Add some more limited commands for some users. 
 +  * Investigate the differences between the default set of environment variables and the ones we're using. 
 +  * Take some action if the visudo check of the configuration files fails
build/sudo.txt · Last modified: 2016/02/26 10:37 by Craig Buchek