Search This Blog

Wednesday, 13 July 2011

UNIX sudo guide for setting up restricted access for user accounts

another thing i was looking to setup quickly but couldn’t find anyone else with examples on the web was restricted sudo access. The below links are good examples of sudo however don’t seem to think about the implications of allowing users to have access to the passwd command. If your wondering what sudo is click here!

Most people who know sudo know the usual ALL=(ALL) ALL in the sudoers file. Its actually possible to give restricted sudo access to commands based on user / group / server information. I have implemented it specifically for a technical ops kind of role which enables them to do basic tasks but does not give them full system access. The below implementation was done using ixSudo (A.16.00-1.7.4p6.001) on HPUXv3 however this should work on most sudo implementations. If anyone knows what versions it does / doesn’t work on feel free to contact me on your experiences!

Step 1. Install Sudo

To install sudo on HPUX:
  • download the sudo package from http://software.hp.com
  • swinstall -s /pathtodepot/sudodepot.depot
To install sudo on Linux or other UNIX:
  • apt-get install sudo or yum install sudo depending on your flavor (linux)
  • rpm -ivh /pathtorpm/sudopackage.pm (linux)
  • pkgadd -d sudo (solaris)
  • untar source, ./configure, make, make install

Step 2. Configure Sudo

On this version of sudo the sudoers file is located at: /opt/iexpress/sudo/etc/sudoers
Most sudoers file location is either: /etc/sudoers or /usr/local/etc/sudoers
You need to edit / vi the configuration and add the following config. Just a brief overview what is configured:
  • user accounts (in the /etc/passwd file) are user1, user2, user3, user4 and leea
  • a few command alias groups are configured which enables you to give users access to groups of commands (say you wanted to give uses access to printing functions, account management, etc)
  • the NOPASSWD: line allows those commands to be executed without users having to supply their password
  • the !/command denies the user the ability to run as root. for example you may want a user to be able to reset accounts but not change the root password. this is important since if not setup correctly you essentially are giving them root access!!!!
User_Alias    TECHOP = user1, user2, user3, user4, leea

Cmnd_Alias     PRINTING = /usr/bin/cancel, /usr/bin/enable, /usr/bin/disable,\
/usr/sbin/lpmove, /usr/sbin/accept, /usr/sbin/lpsched, /usr/sbin/lpshut
Cmnd_Alias     USERS = /usr/lbin/modprpw -k *, /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

Cmnd_Alias     TECHOP_CMD = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root,\
/usr/bin/crontab -l *, /usr/lbin/modprpw -x *,\
/usr/sbin/fuser, !/usr/sbin/fuser -k *,\
/usr/bin/find, !/usr/bin/find * -ok *, !/usr/bin/find * -exec *,\
!/usr/bin/find * -cpio *, !/usr/bin/find * -ncpio *,\
/usr/bin/file, /usr/bin/ls, /usr/bin/du -ks *, /opt/OV/bin/OpC/opcagt

root ALL=(ALL) ALL
TECHOP ALL=(root) NOPASSWD: /usr/bin/sudo -l
TECHOP ALL = (root) TECHOP_CMD,PRINTING, USERS

Step 3.Test Sudo

use #sudo -l to show what sudo commands are available to run under your account
hpuxserver:/home/leea# sudo -l
User leea may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/sudo -l
    (root) /usr/bin/passwd [A-z]*, !/usr/bin/passwd root, /usr/bin/crontab -l
    *, /usr/lbin/modprpw -x *, /usr/sbin/fuser, !/usr/sbin/fuser -k *,
    /usr/bin/find, !/usr/bin/find * -ok *, !/usr/bin/find * -exec *,
    !/usr/bin/find * -cpio *, !/usr/bin/find * -ncpio *, /usr/bin/file,
    /usr/bin/ls, /usr/bin/du -ks *, /opt/OV/bin/OpC/opcagt, (root)
    /usr/bin/cancel, /usr/bin/enable, /usr/bin/disable, /usr/sbin/lpmove,
    /usr/sbin/accept, /usr/sbin/lpsched, /usr/sbin/lpshut, (root)
    /usr/lbin/modprpw -k *, /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
below is an example of not using / using sudo (notice the permission issues when not using sudo)
hpuxserver:/home/leea# find /opt/ -mtime -1
/opt/hpsmh/data/htdocs/navfile.htm
find: cannot open /opt/hpsmh/tomcat/conf20
find: cannot open /opt/hpsmh/tomcat/conf22
find: cannot open /opt/hpsmh/tomcat/work
/opt/hpsmh/conf22/php.ini
/opt/hpsmh/conf22/mod_proxy.conf
/opt/hpsmh/conf22/smhpd.conf
/opt/hpsmh/conf22/hmmolist.map
find: cannot open /opt/sfm/bin
/opt/hpws22/apache/logs
find: cannot open /opt/hpws22/webmin/conf
find: cannot open /opt/hpws22/webmin/logs
find: cannot open /opt/hpws22/webmin/newconfig/opt
/opt/fcms/debug
find: cannot search /opt/ssh/src
find: cannot open /opt/uxprov/bin
find: cannot open /opt/swa/mx
find: cannot open /opt/swa/mxhelp
find: cannot open /opt/hpwebadmin
/opt/hpservices/cfg
/opt/hpservices/cfg/cfg2html.sh.out
/opt/hpservices/cfg/hpuxserver.html
/opt/iexpress/sudo/etc/sudoers
hpuxserver:/home/leea#

hpuxserver:/home/leea# sudo find /opt/ -mtime -1
sudo: /var/adm owned by uid 4, should be uid 0

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
Last successful login:       Tue Jul 12 15:52:30 EST 2011
Last authentication failure: Mon Jul 11 11:40:48 EST 2011 10.10.10.10
/opt/hpsmh/data/htdocs/navfile.htm
/opt/hpsmh/conf22/php.ini
/opt/hpsmh/conf22/mod_proxy.conf
/opt/hpsmh/conf22/smhpd.conf
/opt/hpsmh/conf22/hmmolist.map
/opt/hpws22/apache/logs
/opt/fcms/debug
/opt/hpservices/cfg
/opt/hpservices/cfg/cfg2html.sh.out
/opt/hpservices/cfg/hpuxserver.html
/opt/iexpress/sudo/etc/sudoers
hpuxserver:/home/leea#

No comments:

Post a comment