Friday, August 19, 2016

How To Modify the Sudoers File

How To Modify the Sudoers File

You will be presented with the /etc/sudoers file in your selected text editor.

/etc/sudoers
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL

%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d
 
 
 
Let's take a look at what these lines do.
Code:
%admin ALL=(ALL)NOPASSWD:/usr/bin/apt-get
To break it down:
  • %admin - All users of the admin group
  • ALL= - from any Host/IP
  • (ALL) - can run as any user
  • NOPASSWD - with no password required
  • :/usr/bin/apt-get - the list of comma, separated, applications.

User Privilege Lines

The fourth line, , which dictates the root user's sudo privileges, is different from the preceding lines. Let's take a look at what the different fields mean:
  • root ALL=(ALL:ALL) ALL
    The first field indicates the username that the rule will apply to (root).
  • demo ALL=(ALL:ALL) ALL
    The first "ALL" indicates that this rule applies to all hosts.
  • demo ALL=(ALL:ALL) ALL
    This "ALL" indicates that the root user can run commands as all users.
  • demo ALL=(ALL:ALL) ALL
    This "ALL" indicates that the root user can run commands as all groups.
  • demo ALL=(ALL:ALL) ALL
    The last "ALL" indicates these rules apply to all commands.
This means that our root user can run any command using sudo, as long as they provide their password.

Group Privilege Lines


- Names beginning with a "%" indicate group names.

How To Set Up Custom Rules

Now that we have gotten familiar with the general syntax of the file, let's create some new rules.

How To Create Aliases

The sudoers file can be organized more easily by grouping things with various kinds of "aliases".
For instance, we can create three different groups of users, with overlapping membership:
/etc/sudoers
. . .
User_Alias      GROUPONE = abby, brent, carl
User_Alias      GROUPTWO = brent, doris, eric, 
User_Alias      GROUPTHREE = doris, felicia, grant
. . .
Group names must start with a capital letter. We can then allow members of GROUPTWO to update the apt database by creating a rule like this:
/etc/sudoers
. . .
GROUPTWO    ALL = /usr/bin/apt-get update
. . .
If we do not specify a user/group to run as, as above, sudo defaults to the root user.
We can allow members of GROUPTHREE to shutdown and reboot the machine by creating a "command alias" and using that in a rule for GROUPTHREE:
/etc/sudoers
. . .
Cmnd_Alias      POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
GROUPTHREE  ALL = POWER
. . .
We create a command alias called POWER that contains commands to power off and reboot the machine. We then allow the members of GROUPTHREE to execute these commands.
We can also create "Run as" aliases, which can replace the portion of the rule that specifies the user to execute the command as:
/etc/sudoers
. . .
Runas_Alias     WEB = www-data, apache
GROUPONE    ALL = (WEB) ALL
. . .
This will allow anyone who is a member of GROUPONE to execute commands as the www-data user or the apache user.
Just keep in mind that later rules will override earlier rules when there is a conflict between the two.

GROUPONE    ALL = NOPASSWD: /usr/bin/updatedb
. . .
NOPASSWD is a "tag" that means no password will be requested. It has a companion command called

> To find out just exactly what sudo permissions you have on your computer, you would run the following

 
# sudo -l
That is "sudo" and a lowercase L as the argument.

Code:
%admin jaunty=(ALL)NOPASSWD:/usr/bin/apt-get
So, as long as your hostname remains as 'jaunty', then you can run the sudo command from only your computer.

The second way is by using IP addresses.
Note: This requires for you to be connected to a network! Else you will be denied access
Code:
%admin 192.168.1.0/255.255.255.0=(ALL)NOPASSWD:/usr/bin/apt-get
192.168.1.0 is the IP of your local network.
255.255.255.0 is the subnet of your local network.

So, in this instance, you are restricting the use of sudo only to users with an IP address of 192.168.1.1 through to 192.168.1.254

Restricting User Switching
To run commands as another user (other than root), you would run the following:
sudo -u username command
To prevent this from happening, you can restrict it by using:
Code:
%admin jaunty=(root)NOPASSWD:/usr/bin/apt-get
So now members of the admin group can only run the given commands without a password as root. Doesn't matter how hard they try otherwise.

Note: if a previous permission is set so the user can run the command as any user.
More specifically this line that is the default in Ubuntu:
Code:
%admin ALL=(ALL) ALL
Then they will have to provide their own password to continue.

A more secure method:
Code:
%admin ALL=(root) ALL
Where they will be instead denied if they try to run an application as another user.

Restricting Application Usage
As well, as limiting the applications a user can run using sudo, you can limit the arguments of those applications that the user can use also, for apps that do more than one job.

To limit apt-get usage to just 'update' and 'upgrade', we can have something like this:
Code:
%admin jaunty=(root)NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
And now everything other apt-get argument (install, remove, dist-upgrade) is denied!

Alternately, we can also use the glob match '*'.
Code:
%admin jaunty=(root)NOPASSWD:/usr/bin/apt-get up*
The '*' match is very powerful, and can apply to anything in the command listing part of the configuration line, ie:
Code:
%admin jaunty=(root)NOPASSWD:/*/sbin/*
This could match anything from all the files in '/usr/sbin/' to '/usr/local/sbin/' and even places such as '/home/user/sbin/' fall into the match. As such, it is advised that you use it wisely.

Restricting use of sudo to Single Users
As well as specifying groups, we can hand out sudo permissions on a 'per-user' basis too. For example, to only allow the user 'iain' (me) to run 'apt-get update' and 'apt-get upgrade', we use the following:
Code:
iain jaunty=(root)NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
Note: The difference between a user and a group. Groups have the '%' symbol prefixed against their name. So, to change this so only users in the group 'iain' can run 'apt-get', we simply add the '%' symbol:
Code:
%iain jaunty=(root)NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
Restrict Applications
There is a hidden 5th that I forgot to mention. In some cases, you want to restrict the application once it has been given root powers.

ie: vim, less and some other similar applications can allow you to 'shell out' of the application and run commands using the ! operator, as an example:
Code:
:!aptitude
The risk? If given the permissions to running vim as root, you can carry out any administrative task on the system. Which isn't very good if you just want certain users to run vim as root, but not any other command.

For this, we have the NOEXEC option, with will prevent the command from shelling out.
Code:
%admin ALL=(root)NOEXEC:/usr/bin/vim
Although, bare in mind that for the majority of applications, this isn't the best option for usability, since programs such as 'apt-get' do indeed fork a shell to run applications such as dpkg and wget.

Host Alias Specification
Host aliases are declared as so, to use my hostname as an example:

Code:
Host_Alias HOST = jaunty
If I were to alias the local network:
Code:
Host_Alias LAN = 192.168.1.0/255.255.255.0
User Alias Specification

Code:
User_Alias FUSE_USERS = andy,ellz,matt,jamie
RunAs Alias Specification
The runas alias, are aliases for the users you can sudo as, via the 'sudo -u' command. Again, I won't go into this, but it works like so:
Code:
Runas_Alias USERS = root,andy,ellz,matt,jamie
And put in the following context:
Code:
%admin  ALL=(USERS) ALL
Members of the admin group can run any command as any of the users enlisted in USERS.

Command Alias Specification
And lastly, the command alias, as you may have guessed, are aliases for the command names. To skip any brief talk about them, lets first fufil what my original scenario intended.
Code:
Cmnd_Alias CRYPT   = /usr/bin/truecrypt
Cmnd_Alias USBDEV  = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT     = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE    = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE
Woah, that is alot. Infact, what I've done is split the applications into sub-groups, and shuffled those groups into one, MYPROGS.

Gelling it together
With the above in place, we can now write out lines such as this:
Code:
iain HOME=(root)NOPASSWD:MYPROGS
Which result in a much cleaner, easier to maintain configuration.

The Result
Put that all together, and we have something that looks like this:
Code:
Defaults    env_reset,tty_tickets

# Host alias specification
Host_Alias HOST = jaunty
Host_Alias LAN  = 192.168.1.0/255.255.255.0
Host_Alias HOME = HOST,LAN

# User alias specification

# Cmnd alias specification
Cmnd_Alias CRYPT   = /usr/bin/truecrypt
Cmnd_Alias USBDEV  = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT     = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE    = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE

# User privilege specification
root    ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin HOME=(root) ALL
%admin HOME=(root) NOEXEC:/usr/bin/vim
iain   HOME=(root) NOPASSWD:MYPROGS
 


Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)