Friday, August 19, 2016

How To Modify the Sudoers File


Run "sudo visudo" to edit the sudoers file. It opens /etc/sudoers in your selected text editor and checks the syntax before saving; do not edit the file directly, because a single syntax error makes sudo refuse to run at all, and on a system where root has no password that can lock you out. You will be presented with something like this:

/etc/sudoers
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL

%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d
 
 
 
Before going through the file line by line, here is the general shape of a rule, using one that is not in the default file:
Code:
%admin ALL=(ALL)NOPASSWD:/usr/bin/apt-get
To break it down:
  • %admin - all users in the admin group
  • ALL= - on any host (the host field is matched against the machine's own hostname or addresses)
  • (ALL) - may run the command as any user
  • NOPASSWD - without being asked for a password
  • :/usr/bin/apt-get - the comma-separated list of commands the rule permits

User Privilege Lines

The fourth line, root ALL=(ALL:ALL) ALL, which dictates the root user's sudo privileges, is different from the preceding Defaults lines. Let's take a look at what the different fields mean:
  • root - the first field indicates the username that the rule will apply to.
  • ALL= - the first "ALL" is the host list: this rule applies on all hosts.
  • (ALL: - the "ALL" before the colon indicates that root can run commands as all users.
  • :ALL) - the "ALL" after the colon indicates that root can run commands as all groups.
  • ALL - the last "ALL" indicates that the rule applies to all commands.
This means that our root user can run any command using sudo, as long as they provide their password.

Group Privilege Lines

The next two lines grant privileges to groups rather than to individual users.
- Names beginning with a "%" indicate group names.
So %admin ALL=(ALL) ALL and %sudo ALL=(ALL:ALL) ALL give every member of the admin and sudo groups the same unrestricted access that root has above, subject to their own password. Membership of these groups is effectively root, so keep them short and check them (getent group sudo) as part of any audit.

How To Set Up Custom Rules

Now that we have gotten familiar with the general syntax of the file, let's create some new rules.

How To Create Aliases

The sudoers file can be organized more easily by grouping things with various kinds of "aliases".
For instance, we can create three different groups of users, with overlapping membership:
/etc/sudoers
. . .
User_Alias      GROUPONE = abby, brent, carl
User_Alias      GROUPTWO = brent, doris, eric
User_Alias      GROUPTHREE = doris, felicia, grant
. . .
Alias names must start with an uppercase letter and may contain only uppercase letters, digits and underscores. We can then allow members of GROUPTWO to update the apt database by creating a rule like this:
/etc/sudoers
. . .
GROUPTWO    ALL = /usr/bin/apt-get update
. . .
If we do not specify a user/group to run as, as above, sudo defaults to the root user.
We can allow members of GROUPTHREE to shutdown and reboot the machine by creating a "command alias" and using that in a rule for GROUPTHREE:
/etc/sudoers
. . .
Cmnd_Alias      POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
GROUPTHREE  ALL = POWER
. . .
We create a command alias called POWER that contains commands to power off and reboot the machine. We then allow the members of GROUPTHREE to execute these commands.
We can also create "Run as" aliases, which can replace the portion of the rule that specifies the user to execute the command as:
/etc/sudoers
. . .
Runas_Alias     WEB = www-data, apache
GROUPONE    ALL = (WEB) ALL
. . .
This will allow anyone who is a member of GROUPONE to execute commands as the www-data user or the apache user.
Just keep in mind that later rules will override earlier rules when there is a conflict between the two.

We can also attach a "tag" to a rule:
/etc/sudoers
. . .
GROUPONE    ALL = NOPASSWD: /usr/bin/updatedb
. . .
NOPASSWD is a "tag" that means no password will be requested. It has a companion command called

> To find out just exactly what sudo permissions you have on your computer, you would run the following

# sudo -l
That is "sudo" and a lowercase L as the argument. As root, "sudo -l -U username" lists the rules that apply to another user, which is the quickest way to confirm the effect of a rule you have just added.

Restricting Hosts
The host field of a rule limits where it applies, and there are two ways to write it. The first is by hostname:
Code:
%admin jaunty=(ALL)NOPASSWD:/usr/bin/apt-get
So, as long as your hostname remains 'jaunty', this rule applies only on your computer. This is what lets one sudoers file be distributed to many machines: each honours only the rules whose host field matches it.

The second way is by using IP addresses.
Note: this requires the machine to be connected to a network, otherwise the rule will not match and access will be denied.
Code:
%admin 192.168.1.0/255.255.255.0=(ALL)NOPASSWD:/usr/bin/apt-get
192.168.1.0 is the network address of your local network.
255.255.255.0 is its subnet mask (CIDR notation, 192.168.1.0/24, is also accepted).

So, in this instance, the rule applies only on machines whose own interface has an address in 192.168.1.1 through 192.168.1.254. Be aware that sudo compares the addresses of the host it is running on, not the address the user logged in from, so this does not restrict where a user may connect from.

Restricting User Switching
To run a command as another user (other than root), you would run the following:
sudo -u username command
To prevent this, restrict the "run as" part of the rule to root:
Code:
%admin jaunty=(root)NOPASSWD:/usr/bin/apt-get
So now members of the admin group can only run the given command without a password as root; "sudo -u someone apt-get" will not match this rule, no matter how hard they try.

Note: if an earlier rule already lets the user run commands as any user, such as this line that is the default in Ubuntu:
Code:
%admin ALL=(ALL) ALL
then that rule still matches "sudo -u someone apt-get", so the switch is allowed; the user merely has to provide their own password to continue.

A more secure method:
Code:
%admin ALL=(root) ALL
Here, members of the admin group are denied if they try to run an application as any user other than root.

Restricting Application Usage
As well as limiting the applications a user can run using sudo, you can limit the arguments of those applications, for apps that do more than one job.

To limit apt-get usage to just 'update' and 'upgrade', we can have something like this:
Code:
%admin jaunty=(root)NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
And now every other apt-get invocation (install, remove, dist-upgrade, or even update with extra options) is denied, because a command written with arguments only matches that exact argument list.

Alternately, we can also use the glob match '*'.
Code:
%admin jaunty=(root)NOPASSWD:/usr/bin/apt-get up*
Be careful with this. sudoers matches the command line arguments as a single space-separated string, so a wildcard matches across word boundaries: 'up*' matches 'update', but it equally matches 'update' followed by any further options the user cares to add. The sudoers(5) manual gives the classic example of a rule for '/bin/cat /var/log/messages*', which also permits 'cat /var/log/messages /etc/shadow'. Prefer exact argument lists, or write the command as '/usr/bin/apt-get ""' to allow it only with no arguments at all.

The '*' match can also be used in the path part of the command listing, ie:
Code:
%admin jaunty=(root)NOPASSWD:/*/sbin/*
In the path portion a wildcard does not match a '/' (again per sudoers(5)), so this matches every program directly under a directory such as '/usr/sbin/', but not '/usr/local/sbin/' or anything deeper. Even so, it hands out far more than you can realistically review, so use it wisely, if at all.

Restricting use of sudo to Single Users
As well as specifying groups, we can hand out sudo permissions on a 'per-user' basis too. For example, to only allow the user 'iain' (me) to run 'apt-get update' and 'apt-get upgrade', we use the following:
Code:
iain jaunty=(root)NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
Note the difference between a user and a group: groups have the '%' symbol prefixed to their name. So, to change this so that only users in the group 'iain' can run 'apt-get', we simply add the '%' symbol:
Code:
%iain jaunty=(root)NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
Restrict Applications
There is a fifth thing I forgot to mention. In some cases, you want to restrict the application once it has been given root powers.

e.g. vim, less and similar applications let you 'shell out' of the application and run commands using the ! operator, for example:
Code:
:!aptitude
The risk? If given permission to run vim as root, you can carry out any administrative task on the system. That isn't very good if you just want certain users to run vim as root, but not any other command.

For this, we have the NOEXEC tag, which prevents the command from executing other programs:
Code:
%admin ALL=(root)NOEXEC:/usr/bin/vim
Two caveats. NOEXEC has traditionally worked by preloading a library that intercepts the exec family of calls, so it only covers dynamically linked programs; recent sudo releases on Linux can enforce it with a seccomp filter instead, so check sudoers(5) for the version you run. And it does nothing about what vim can do without executing anything: it can still read and write any file as root with ":w". If the goal is letting people edit privileged files, sudoedit is the right tool, since it copies the file to a temporary location, runs the editor unprivileged and copies the result back. Also bear in mind that for the majority of applications NOEXEC isn't a good option for usability, since programs such as 'apt-get' do fork other programs such as dpkg and wget.

Host Alias Specification
Host aliases are declared as so, to use my hostname as an example:

Code:
Host_Alias HOST = jaunty
If I were to alias the local network:
Code:
Host_Alias LAN = 192.168.1.0/255.255.255.0
User Alias Specification

Code:
User_Alias FUSE_USERS = andy,ellz,matt,jamie
RunAs Alias Specification
Runas aliases are aliases for the users you can sudo as via 'sudo -u'. Again, I won't go into this, but it works like so:
Code:
Runas_Alias USERS = root,andy,ellz,matt,jamie
And put in the following context:
Code:
%admin  ALL=(USERS) ALL
Members of the admin group can run any command as any of the users listed in USERS.

Command Alias Specification
And lastly, the command alias, as you may have guessed, is an alias for a list of commands. To skip any brief talk about them, let's first fulfil what my original scenario intended.
Code:
Cmnd_Alias CRYPT   = /usr/bin/truecrypt
Cmnd_Alias USBDEV  = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT     = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE    = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE
Whoa, that is a lot. In fact, what I've done is split the applications into sub-groups and gathered those groups into one, MYPROGS.

Gelling it together
With the above in place, plus a Host_Alias HOME that combines HOST and LAN, we can now write lines such as this:
Code:
iain HOME=(root)NOPASSWD:MYPROGS
Which results in a much cleaner, easier to maintain configuration.

The Result
Put that all together, and we have something that looks like this:
Code:
Defaults    env_reset,tty_tickets

# Host alias specification
Host_Alias HOST = jaunty
Host_Alias LAN  = 192.168.1.0/255.255.255.0
Host_Alias HOME = HOST,LAN

# User alias specification

# Cmnd alias specification
Cmnd_Alias CRYPT   = /usr/bin/truecrypt
Cmnd_Alias USBDEV  = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT     = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE    = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE

# User privilege specification
root    ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin HOME=(root) ALL
# Later matching rules win, so vim keeps NOEXEC despite the ALL above
%admin HOME=(root) NOEXEC:/usr/bin/vim
iain   HOME=(root) NOPASSWD:MYPROGS
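A configuration like the one above is easy to get wrong in exactly the ways covered under "Restricting Application Usage" (wildcards that match across arguments) and "Restrict Applications" (editors and pagers that shell out). What follows is an added example, not code from the original post or from the sudo project: a small POSIX shell and awk auditor that reads a sudoers file and flags three patterns a reviewer would question. It does not expand Cmnd_Alias names and does not follow #includedir, so run it on each file under /etc/sudoers.d as well; the sample file it writes is constructed for the demonstration and is not a real system's configuration.

```sh
#!/bin/sh
# audit_sudoers.sh - added example, not from the original post.
# Flags rules in a sudoers file that deserve a second look:
#   NOPASSWD-ALL  : any command, no password required
#   WILDCARD      : '*' or '?' in the command list (matches across arguments)
#   SHELL-ESCAPE  : editor/pager that can shell out, granted without NOEXEC
# Limitations: Cmnd_Alias names are not expanded and #includedir is not
# followed, so audit every file under /etc/sudoers.d separately.

audit_sudoers() {   # $1 = path to a sudoers file; prints "TYPE<tab>who" lines
    sed 's/#.*$//' "$1" | awk '
        /^[ \t]*$/ { next }                       # blank after comment strip
        /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            who  = substr($0, 1, eq - 1)
            spec = substr($0, eq + 1)
            sub(/^[ \t]+/, "", who)
            split(who, w, /[ \t]+/)               # w[1] = user or %group
            sub(/\([^)]*\)/, "", spec)            # drop (runas) so its ALL is ignored
            if (spec ~ /NOPASSWD/ && spec ~ /:[ \t]*ALL[ \t]*$/)
                printf "NOPASSWD-ALL\t%s\n", w[1]
            if (spec ~ /[*?]/)
                printf "WILDCARD\t%s\n", w[1]
            if (spec ~ /\/(vim?|view|nano|emacs|less|more)([ \t]|,|$)/ && spec !~ /NOEXEC/)
                printf "SHELL-ESCAPE\t%s\n", w[1]
        }'
}

# Constructed sample resembling the configuration built in this post,
# with three deliberately weak lines added so the auditor has work to do.
write_sample_sudoers() {   # $1 = file to write
    cat > "$1" <<'EOF'
Defaults    env_reset,tty_tickets
Host_Alias  HOME = jaunty, 192.168.1.0/255.255.255.0
Cmnd_Alias  APT  = /usr/bin/apt-get update, /usr/bin/apt-get upgrade
root    ALL=(ALL:ALL) ALL
%admin  HOME=(root) ALL
%admin  HOME=(root) NOEXEC:/usr/bin/vim
iain    HOME=(root) NOPASSWD:APT
# the next three are the kind of lines the auditor is meant to catch
%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
%admin  jaunty=(root) NOPASSWD:/usr/bin/apt-get up*
backup  ALL=(root) /usr/bin/less /var/log/syslog
EOF
}

# Usage on a real system (sudoers is mode 0440, so run as root):
#   audit_sudoers /etc/sudoers; for f in /etc/sudoers.d/*; do audit_sudoers "$f"; done
```

The (runas) group is stripped before matching so that a rule like root ALL=(ALL:ALL) ALL is not mistaken for a NOPASSWD rule, and each rule produces at most one line per finding type. Pair the output with "visudo -c" for syntax and "sudo -l -U user" for the effective result, since this script reasons about text, not about what sudo will actually grant.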
 


Thursday, July 7, 2016

Find Files Based on Access / Modification / Change Time

The basic syntax of the find command is:

find path options

where path is the path to search and options are the options given to find command.
You can find files based on the following three file time attributes, each available in minutes or in days:

    • -amin / -atime  when the file was last accessed (read), in minutes / days
    • -mmin / -mtime  when the file's content was last modified, in minutes / days
    • -cmin / -ctime  when the file's status last changed (inode metadata such as permissions, owner and link count, and also any write), in minutes / days
Note that the "c" in ctime stands for change, not creation: classic Unix filesystems do not record a creation time at all. Also note that atime is only reliable if the filesystem actually updates it; with the common relatime or noatime mount options it may lag or never change.
In all our below examples, the path is our current directory and hence we use .(dot).

1. To find files modified in the last 5 days:
find . -mtime -5
 
2. To find files modified before 5 days:
find . -mtime +5

 Note: the sign matters. '-5' means less than 5 days, '+5' means more than 5 days, and a bare '5' means exactly 5 days. Ages are measured in whole 24-hour periods with any fraction discarded, so -mtime +1 only matches files at least 48 hours old; use -mtime +0 for "older than 24 hours".
3. To find files modified in the last 40mins:
find . -mmin -40 


4. To find files modified before 40mins:
find . -mmin +40

 
The above commands will find both files and directories matching the criteria.
 
If you want to find only files, use the -type option.
find . -type f -mmin -40
 
This will find only the files modified in the last 40 mins, not directories.
 
5. Find files whose content was updated within the last hour:
# find . -mmin -60
In the same way, the following finds all files (under the root file system /) updated within the last 24 hours (1 day):
# find / -mtime -1

6. Find files which were accessed within the last hour:
# find . -amin -60
In the same way, the following finds all files under / accessed within the last 24 hours:
# find / -atime -1

7. Find files whose status changed within the last hour. ctime moves on chmod, chown, link count changes and on every write, and unlike mtime and atime it cannot be set with touch (only by changing the system clock), so it is the harder-to-forge timestamp when you suspect a file's mtime has been backdated:
# find . -cmin -60
In the same way, the following finds all files under / whose status changed within the last 24 hours:
# find / -ctime -1

8. ls -l in find command output. Long list the files which were edited within the last hour:
# find . -mmin -60 -exec ls -ld {} +
All of the above are relative to "now", so the result shifts while you work. For an incident timeline, GNU find's -newermt option bounds the search by an absolute time instead, and can be negated to set an upper bound.
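To see the rounding rule and the absolute-time form on real files, here is an added example (not part of the original post) that stages a directory with files of known ages and wraps find in small functions. It assumes GNU touch (for the '... ago' date strings) and GNU find (for -printf and -newermt), so it is Linux-specific; the file names and ages are constructed for the demonstration.

```sh
#!/bin/sh
# find_by_time.sh - added example, not from the original post.
# Assumes GNU coreutils touch (-d '... ago') and GNU find (-printf, -newermt).

# Create $1 with four files of known ages (constructed for the demonstration).
stage_dir() {
    mkdir -p "$1"
    touch "$1/fresh"                               # just now
    touch -d '90 minutes ago' "$1/ninety_min"
    touch -d '30 hours ago'   "$1/thirty_hours"    # find counts this as 1 whole day
    touch -d '3 days ago'     "$1/three_days"
}

# Files under $1 whose content changed in the last $2 minutes (-mmin -N).
modified_within_minutes() {
    find "$1" -type f -mmin "-$2" -printf '%f\n' | sort
}

# Files under $1 older than $2 whole days (-mtime +N). Remember the rounding:
# +1 means at least 48 hours old, +0 means more than 24 hours old.
older_than_days() {
    find "$1" -type f -mtime "+$2" -printf '%f\n' | sort
}

# Files under $1 modified after $2 and not after $3. Both are date strings as
# GNU date understands them, absolute ('2016-07-07 09:00') or relative
# ('2 days ago'); absolute bounds are what you want in an incident timeline
# because they do not drift as the investigation goes on.
modified_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" -printf '%f\n' | sort
}

# Example run:
#   d=$(mktemp -d); stage_dir "$d"
#   modified_within_minutes "$d" 60      -> fresh
#   older_than_days "$d" 1               -> three_days   (thirty_hours is not 48h old)
#   older_than_days "$d" 0               -> thirty_hours three_days
#   modified_between "$d" '2 days ago' '1 hour ago' -> ninety_min thirty_hours
```

The thirty_hours file is the one to watch: -mtime -1 misses it, -mtime +1 misses it too, and only -mtime 1 or -mtime +0 picks it up, which is the trap the note under example 2 describes. Add -printf '%TY-%Tm-%Td %TH:%TM %p\n' in place of '%f\n' when you want the timestamps alongside the paths.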


Tuesday, May 17, 2016

How to scan new FC LUNs and SCSI disks in Linux?

How do you scan new FC LUNs and SCSI disks in Red Hat Linux without rebooting the server? Many Linux beginners wonder how to do this, and this article is for them. It may look very simple, since scanning for LUNs is a daily operation, but the system has a lot of work to do in the background when you execute storage scanning commands. Red Hat warns that this type of scan can be disruptive, since it can cause delays while I/O operations time out and can remove devices unexpectedly from the OS. So perform this scan only when you really need to discover new disks and LUNs.

Scanning FC-LUN’s in Redhat Linux

1. First find out how many disks are visible in "fdisk -l" (matching "Disk /dev" rather than just "Disk" keeps newer fdisk's "Disk identifier" and "Disklabel type" lines out of the count).
# fdisk -l 2>/dev/null | egrep '^Disk /dev' | egrep -v 'dm-' | wc -l

2. Find out how many host bus adapters are configured in the Linux box. You can also use "systool -c fc_host -v" (from the sysfsutils package) to list the FC HBAs in the system.
# ls /sys/class/fc_host
host0  host1
In this case, you need to scan the host0 and host1 HBAs.


3. If the system is short of free virtual memory, do not proceed further. If you have enough, proceed with the commands below to scan for new LUNs. They must be run as root; if you use sudo, remember that the redirection is done by your own unprivileged shell, so "sudo echo 1 > file" fails and you need "echo 1 | sudo tee /sys/class/fc_host/host0/issue_lip" instead.
# echo "1" > /sys/class/fc_host/host0/issue_lip
# echo "- - -" > /sys/class/scsi_host/host0/scan
# echo "1" > /sys/class/fc_host/host1/issue_lip
# echo "- - -" > /sys/class/scsi_host/host1/scan
Note: issuing a LIP is an asynchronous operation. Monitor /var/log/messages (or dmesg) for the LIP and for the new sd devices to know when the scan has completed. A LIP re-initialises the fabric login, which is why Red Hat warns that it can disturb in-flight I/O.

You can also use the rescan-scsi-bus.sh script from sg3_utils to detect new LUNs.
# yum install sg3_utils
# rescan-scsi-bus.sh

4. Verify whether the new LUN is visible by counting the available disks again.
# fdisk -l 2>/dev/null | egrep '^Disk /dev' | egrep -v 'dm-' | wc -l
If any new LUNs were added, the count will be higher than it was before the scan.


Scanning SCSI DISKS in Redhat Linux

1. Find the existing disks from fdisk.
[root@mylinz1 ~]# fdisk -l 2>/dev/null | egrep '^Disk /dev' | egrep -v 'dm-'
Disk /dev/sda: 21.5 GB, 21474836480 bytes
2. Find out how many SCSI controllers are configured.
[root@mylinz1 ~]# ls /sys/class/scsi_host/
host0 host1 host2
In this case, you need to scan host0, host1 and host2.

3. Scan the SCSI disks using the commands below.
[root@mylinz1 ~]# echo "- - -" > /sys/class/scsi_host/host0/scan
[root@mylinz1 ~]# echo "- - -" > /sys/class/scsi_host/host1/scan
[root@mylinz1 ~]# echo "- - -" > /sys/class/scsi_host/host2/scan
4. Verify whether the new disks are visible.
[root@mylinz1 ~]# fdisk -l 2>/dev/null | egrep '^Disk /dev' | egrep -v 'dm-'
Disk /dev/sda: 21.5 GB, 21474836480 bytes
Disk /dev/sdb: 1073 MB, 1073741824 bytes
Disk /dev/sdc: 1073 MB, 1073741824 bytes
From Red Hat Enterprise Linux 5.4 onwards, Red Hat ships the /usr/bin/rescan-scsi-bus.sh script (in the sg3_utils package) to scan all the SCSI buses and update the SCSI layer to reflect new devices.
In the author's experience the script often fails to pick up new disks, in which case you need to fall back to the echo commands above.
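The procedure above hard-codes the host numbers and only counts disks before and after. As an added example (not from the original article and not a Red Hat tool), here is the same procedure as a small POSIX shell script that walks every SCSI host it finds, raises a LIP only on hosts that are actually Fibre Channel HBAs, and reports the block devices that appeared rather than a bare count. SYSFS is an assumed environment variable so the functions can be dry-run against a fake directory tree; on a real system they read and write under /sys and must run as root.

```sh
#!/bin/sh
# rescan_luns.sh - added example, not from the original article.
# SYSFS (assumed variable) lets the functions be pointed at a fake tree.
SYSFS=${SYSFS:-/sys}

# Whole-disk block devices known to the kernel, sorted, one per line.
# Skips device-mapper, loop, ram and optical devices.
list_disks() {
    for d in "$SYSFS"/block/*; do
        [ -e "$d" ] || continue
        n=$(basename "$d")
        case "$n" in dm-*|loop*|ram*|sr*) continue ;; esac
        echo "$n"
    done | sort
}

# Issue a LIP on every Fibre Channel host, then rescan every SCSI host.
# Prints the name of each host it rescanned.
rescan_all_hosts() {
    for h in "$SYSFS"/class/scsi_host/host*; do
        [ -e "$h" ] || continue
        name=$(basename "$h")
        lip="$SYSFS/class/fc_host/$name/issue_lip"
        # issue_lip exists only for FC HBAs; skip it for local SCSI/SATA hosts
        if [ -w "$lip" ]; then
            echo 1 > "$lip"
        fi
        echo "- - -" > "$h/scan"
        echo "$name"
    done
}

# Names present in the second sorted list file but not in the first.
new_devices() {
    comm -13 "$1" "$2"
}

# Full procedure: snapshot, rescan, snapshot again, print what appeared.
scan_for_new_luns() {
    before=$(mktemp); after=$(mktemp)
    list_disks > "$before"
    rescan_all_hosts > /dev/null
    list_disks > "$after"
    new_devices "$before" "$after"
    rm -f "$before" "$after"
}

# Usage on a real host (as root, because /sys/class/scsi_host/*/scan is root-writable):
#   . ./rescan_luns.sh; scan_for_new_luns
# Dry run against a fake tree:  SYSFS=/tmp/fakesys scan_for_new_luns
```

Because the script writes the sysfs files itself, it sidesteps the "sudo echo > file" trap mentioned in step 3; run the whole thing under sudo rather than prefixing individual commands. The LIP is still asynchronous, so if the new LUN does not show up immediately, wait for the kernel messages and call list_disks again rather than rescanning in a loop.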