SUDO COMMAND
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
The basic format of the sudo command is as follows:
$ sudo command
In the above example, command would be replaced by a command normally reserved for the root user, such as mount. The prompt is the unprivileged user's own ($), not a root prompt: sudo is what supplies the root privileges.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command, and sudo runs only that one command with root privileges; the user is returned to their own unprivileged shell afterwards rather than being left in a root shell.
Each successful authentication using the sudo command is logged to the file /var/log/messages, and the command issued, along with the issuer's user name, is logged to the file /var/log/secure. These are the destinations under the default Red Hat syslog configuration: sudo writes through syslog (the authpriv facility by default), so on a system with a different syslog setup the records land wherever that facility is routed.
If additional logging is required, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file:
session required pam_tty_audit.so disable=pattern enable=pattern
where pattern represents a comma-separated list of users, with optional globs. The options are evaluated left to right, so a later option overrides an earlier one for the users it matches. For example, the following configuration enables TTY auditing for the root user and disables it for all other users:
session required pam_tty_audit.so disable=* enable=root
The resulting keystroke records are collected by the audit daemon (auditd must be running) and can be reviewed with aureport --tty.
Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command. It locks the file against concurrent edits and checks the syntax before saving; a syntax error in /etc/sudoers makes sudo refuse to run at all, which locks every user out of administrative access.
To give someone full administrative privileges, type visudo and add a line for that user. For example, a line can state that the user, deny, can use sudo from any host and execute any command.
A second example illustrates the granularity possible when configuring sudo: it states that any member of the users system group can issue the command /sbin/shutdown -h now. Note that the host field of a sudoers rule names the machine(s) the rule applies to, matched against the local host name; it does not restrict which terminal or network address the user is connected from, so it cannot by itself limit a command to the console.
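The two rules described above, written out as a complete /etc/sudoers fragment. This is an added example, not text from the original page or from the Red Hat documentation it reproduces; the user name deny is the page's own example user, and the host name console01 and the mount-only variant are assumptions for illustration.

```sudoers
# Added example: /etc/sudoers fragment for the two rules described above.
# Edit with visudo, never with a plain editor.
#
# Field order:   who   where=(as-whom)   what
#   who      : a user name, or %group for a system group
#   where    : host name(s) the rule applies to, matched against the local
#              host name; ALL means every machine that shares this file
#   (as-whom): target user(s) allowed with -u; (ALL) means any user,
#              omitting it means root only
#   what     : the permitted command(s); if arguments are given, only that
#              exact argument list matches

# Rule 1: user "deny" may run any command as any user on any host.
# This is full, unrestricted root access.
deny    ALL=(ALL)   ALL

# Rule 2: members of the system group "users" may halt the machine.
# Only this exact command line is permitted; "/sbin/shutdown -r now"
# would be refused. The assumed host name "console01" shows how one
# shared sudoers file can scope a rule to a single machine.
%users  console01=/sbin/shutdown -h now

# Tighter variant of rule 1 (assumed, not from the page): instead of ALL,
# allow deny to run exactly the two commands a workstation user usually
# needs root for. Granting specific commands is the real safeguard.
deny    ALL=(root)  /bin/mount, /bin/umount
```

Before installing a fragment like this, check it with visudo -c -f <file>; a parse error in a file that has already been copied to /etc/sudoers disables sudo for everyone.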
RISKS TO KEEP IN MIND WHEN USING THE SUDO COMMAND
There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo as described above. Leaving the /etc/sudoers file in its default state gives every user in the wheel group unlimited root access.
By default, sudo caches a successful authentication for five minutes (it records a per-user, per-terminal timestamp; the password itself is not stored). Any subsequent use of the command during this period does not prompt the user for a password. An attacker can exploit this if the user leaves the workstation unattended and unlocked while still logged in. This behavior can be changed by setting the timestamp_timeout option in the /etc/sudoers file to the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time.
If an account is compromised, an attacker can use sudo to open a new shell with administrative privileges:
sudo /bin/bash
Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed. Neither the timeout nor the password prompt protects against this, because the shell is itself a permitted command for an account that has been granted ALL; only restricting the account to the specific commands it needs removes the risk.
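The Defaults settings that address the risks above, as a sudoers fragment. This is an added example, not text from the original page; the user name deny and the systemctl command given to the wheel group are assumptions for illustration.

```sudoers
# Added example: Defaults lines for /etc/sudoers addressing the risks
# described above. Edit with visudo.

# Credential caching. The cached item is a per-user, per-terminal
# timestamp, not the password. 0 means prompt on every invocation.
Defaults        timestamp_timeout=0

# Alternatively keep the default for most users and tighten only a
# powerful account (assumed user name "deny" as in the earlier example).
# Defaults:User applies the option to that user only.
Defaults:deny   timestamp_timeout=0

# The wheel group: the stock file grants it full root. Either comment
# that line out or narrow it to the commands the group actually needs
# (the systemctl example is assumed, not from the page).
# %wheel        ALL=(ALL)       ALL
%wheel          ALL=(ALL)       /usr/bin/systemctl restart httpd

# Caveat: none of these settings stop "sudo /bin/bash" for a user whose
# rule permits ALL. The shell is authorised once and then runs as root
# with no further sudo prompt. Trying to subtract shells from ALL with
# "!" entries does not help either, since editors, pagers and
# interpreters can spawn a shell; the sudoers manual itself warns that
# such exclusions are not effective. Grant specific commands instead.
```

Note that timestamp_timeout affects only how often sudo asks for a password; it has no bearing on what an already-running root process can do.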