Showing posts with label sudo. Show all posts
Showing posts with label sudo. Show all posts

Wednesday, June 28, 2017

how to Allow A Normal User To Run Commands As root Under Linux ?

You need to use the sudo command which is use to execute a command as another user. It allows a permitted user to execute a command as the superuser or another user, as specified in the /etc/sudoers (config file that defines or list of who can run what) file. The sudo command allows users to do tasks on a Linux system as another user.

sudo command

sudo is more more secure than su command. By default it logs sudo usage, command and arguments in /var/log/secure (Red Hat/Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).
If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default. Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (15 minutes unless overridden in sudoers).

/etc/sudoers Syntax

Following is general syntax used by /etc/sudoers file:
USER HOSTNAME=COMMAND
Where,
      USER: Name of normal user
      HOSTNAME: Where command is allowed to run. It is the hostname of the system where this rule applies. sudo is designed so you can use one sudoers file on all of your systems. This space allows you to set per-host rules.
      COMMAND: A simple filename allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify “” to indicate that the command may only be run without command line arguments.

How do I use sudo?

If there are multiple matching entries in /etc/sudoers, sudo uses the last one. Therefore, if you can execute any command with a password prompt, and you want to be able to execute a particular command without a password prompt, you need the exception last.
myusername ALL = (ALL) ALL
myusername ALL = (root) NOPASSWD: /path/to/my/program

Give user ravi access to halt/shutdown command and restart Apache web server. First, Login as root user. Use visudo command edit the config file:
# visudo
Append the following lines to file:
ravi localhost=/sbin/halt
ravi dbserver=/etc/init.d/apache restart
Save and close file . Now ravi user can restart Apache web server by typing the following command:
$ sudo /etc/init.d/apache restart
Output:
Password:
Restarting apache web server....
The sudo command has logged the attempt to the log file /var/log/secure or /var/log/auth.log file:
# tail -f /var/log/auth.log
Sample outputs:
May 17 08:37:43 debian sudo:       ravi : TTY=pts/4 ; PWD=/home/ravi ; USER=root ; COMMAND=/etc/init.d/apache restart
If ravi want to shutdown computer he needs to type command:
$ sudo /sbin/halt
Output:
Password:
Before running a command with sudo, users usually supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, then the command is run. sudo logs each command run.

Examples:

a) Allow admin to run various commands:
admin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
b) Allow user admin to run /sbin/halt without any password i.e. as root without authenticating himself:
admin ALL= NOPASSWD: /sbin/halt,/etc/init.d/mysqld
c) Allow user admin to run any command from /usr/bin directory on the system dev02:
admin dev02 = /usr/bin/*
Example:2
The following steps will help you achieve the desired output:
Create a new script file (replace dir.sh  with your desired script name):
vim ~/dir.sh
The script will be created in the user’s home directory
Add some commands that only a root or sudo user can execute like creating a folder at the root directory level:
mkdir /ravi
Note: Don’t add sudo to these commands. Save and exit (using :wq!)
Assign execute permissions to it using:
sudo chmod u+x dir.sh
Make changes so that this script doesn’t require a password.
Open the sudoers file:
sudo visudo
Add the following line at the end:
ravi ALL=(root) NOPASSWD: /home/ravi/dir.sh
Replace ravi with whatever your username is. Also make sure this is the last line. Save and exit.
Now when running the command add sudo before it like:
sudo ./dir.sh
This will run the commands inside the script file without asking for a password.




Friday, December 16, 2016

How to check sudo access available for a Normal user ?

Method 1:
sudo  -v

Example
deb@linuxforfreshers:~$ sudo  -v
Sorry, user deb may not run sudo on LINUXFORFRESHERS.

Method 2:
sudo -l This will list any sudo privileges you have.

Example:
deb@linuxforfreshers:~$ sudo -l
[sudo] password for deb:           
Sorry, user deb may not run sudo on LINUXFORFRESHERS.

Method 3:
If you are a root privileged user using following command u should get the which user has which sudo permissions
Syntax : sudo -l -U username

Example 1:
ram@linuxforfreshers:~$ sudo -l –U srini
User srini is not allowed to run sudo on LINUXFORFRESHERS.

Example 2:
ram@linuxforfreshers:~$ sudo -l -U ansible
Matching Defaults entries for ansible on LINUXFORFRESHERS:
    env_reset, pwfeedback, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User ansible may run the following commands on LINUXFORFRESHERS:
    (ALL : ALL) NOPASSWD: ALL









Saturday, December 5, 2015

what is meant by sudo in linux ?

what is mean by sudo?


sudo  is a program for linux-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser.

Who can execute ‘sudo’?

We can run ‘visudo‘ to add/remove the list of users who can execute ‘sudo‘


The sudo list looks like the below string, by default:

root ALL=(ALL) ALL


Granting sudo Access

In many situation, System Administrator, specially new to the field finds the string “root ALL=(ALL) ALL” as a template and grants unrestricted access to others which may be potentially very harmful.

Editing ‘visudo’ file to something like the below pattern may really be very dangerous, unless you believe all the listed users completely.

root ALL=(ALL) ALL
adam ALL=(ALL) ALL
tom ALL=(ALL) ALL
mark ALL=(ALL) ALL



Parameters of sudo

A properly configured ‘sudo‘ is very flexible and number of commands that needs to be run may be precisely configured.

The Syntax of configured ‘sudo‘ line is:

root       ALL        = (ALL)            ALL

Username  Machine name=(Effective user) command

The above Syntax can be divided into four parts:

    User_name: This is the name of ‘sudo‘ user.

    Machine_name: This is the host name, in which ‘sudo‘ command is valid. Useful when you have lots of host machines.

    (Effective_user): The ‘Effective user’ that are allowed to execute the commands. This column lets you allows users to execute System Commands.

    Command: command or a set of commands which user may run.


You have a user ‘tom‘ which is supposed to execute system command as user other than root.


tom ALL=(ALL) ALL


How to add some services to a particular user?

tom ALL=(ALL)  /usr/sbin/fdisk,/usr/sbin/useraddd,/usr/bin/passwd


How about executing a ‘sudo‘ command without entering password?

We can execute a ‘sudo‘ command without entering password by using ‘NOPASSWD‘ flag.

adm ALL=(ALL) NOPASSWD: ALL

adm ALL=(ALL) NOPASSWD: /usr/sbin/fdisk,/usr/sbin/useradd,/usr/bin/passwd



Friday, December 5, 2014

sudo command examples in linux



Using sudo command, an user can execute root only commands.

1. Set up sudo Environment in /etc/sudoers

You can provide sudo privilege to an individual user or a group by modifying /etc/sudoers.

sudo access to an user
To provide sudo access to an individual user, add the following line to the /etc/sudoers file.
ram   ALL=(ALL) ALL
In the above example:
  • ram: name of user to be allowed to use sudo
  • ALL : Allow sudo access from any terminal ( any machine ).
  • (ALL) : Allow sudo command to be executed as any user.
  • ALL : Allow all commands to be executed.
sudo access to a group
To provide sudo access to a group, add the following line to the /etc/sudoers file.
%programmers    ALL=(ALL) ALL
In the above example:
  • programmers : name of group to be allowed to use sudo. Group name should be preceded with percentage symbol.
  • ALL : Allow sudo access from any terminal ( any machine ).
  • (ALL) : Allow sudo command to be executed as any user.
  • ALL : Allow all commands to be executed.
Note: Ubuntu users are already familiar with sudo command, as you’ll use sudo apt-get install to install any package. On Ubuntu, sudo is already setup for your username as shown below. i.e All users who belong to admin group has access to execute root commands using sudo.
$ sudo cat /etc/sudoers
%admin ALL=(ALL) ALL

$ grep admin /etc/group
admin:x:115:sathiya

2. Executing a command as super user

Once the sudo access is provided to your account in /etc/sudoers, you can pass any root command as an argument to the sudo command. For example, mount can only be done by root. But, a normal user can do mount as shown below using sudo.
$ sudo mount /dev/sda3 /mnt

Note: If you are executing sudo for the first time in a shell it will ask for the password ( current user password ) by default.

3. Forgot to Use Sudo in Vim? No Worries. Save file Trick in vim with sudo
When you have opened a file that can be saved only by root user using vim (without using the sudo command), you can do the following.
For example, if you want to edit the file /etc/group that can only be saved by root user, you typically do the following. When you do a :w, no problem, it will work, as it was opened using sudo command.
$ sudo vim /etc/group
:w
What if you’ve forgot to give sudo when you’ve opened the /etc/group file as shown below? In this case, instead of coming out of the file (and loosing all your changes) and executing the vim command with sudo, you can do the following.
$ vim /etc/group

:w !sudo tee %

Note: “:w !sudo tee %” will save the file as root privilege, even if you didn’t use sudo command to open it.

4. Forgot to give sudo for root command? Do it again using !!

If you’ve forgot to give sudo for a command that requires root privilege, instead of typing the command with sudo again, you can simply do sudo !! as shown below.
$ head -n 4 /etc/sudoers
head: cannot open `/etc/sudoers' for reading: Permission denied

$ sudo !!
sudo head -n 4 /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#

5. Get Root Shell Access using Sudo

To get a root shell from your user account, do the following.
$ sudo bash
Once you get the root shell, you can execute any root command without having to enter sudo in front of it every time.

6. Built in commands won’t work with Sudo – Command not found

sudo invokes an executable as the another user, so bash built in commands won’t work. It will give “sudo command not found” error as shown below.

For example, umask is a bash built-in command, which will not work when used along with sudo as shown below.
$ sudo umask
sudo: umask: command not found

Work-around: To use bash shell built-in command in sudo, first get the root shell, by doing ‘sudo bash’ and then execute the shell built in command.

7. View Unauthorized Sudo command executions from auth.log

When an user who doesn’t have sudo permission, tries to execute sudo command, they’ll get following error message.
$ sudo ls /
[sudo] password for test:
raj is not in the sudoers file.  This incident will be reported.
Anytime this happens, it will be logged in the /var/log/auth.log file for sysadmins to view any unauthorized sudo access.
Sep 25 18:41:35 ramsudo:   raj : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/ra

 Reference : http://www.thegeekstuff.com/2010/09/sudo-command-examples/