Friday, September 1, 2017

4 - Linux Security : sudo / sudoers / visudo


In this exercise a Linux Debian server is used:

1 - Introduction

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser.

- It originally stood for "superuser do" as the older versions of sudo were designed to run commands only as the superuser. 

- However, the later versions added support for running commands not only as the superuser but also as other (restricted) users, and thus it is also commonly expanded as "substitute user do".

Unlike the similar command su, users must, by default, supply their own password for authentication, rather than the password of the target user. 

- After authentication, and if the configuration file, which is typically located at /etc/sudoers, permits the user access, the system invokes the requested command. 

- The configuration file sudoers offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands.

- Installing sudo (in case it is not already installed by default):

- Properties of sudo:

- visudo is a command-line utility that allows editing the configuration file sudoers in a fail-safe manner. 

- It prevents multiple simultaneous edits with locks and performs sanity and syntax checks.

- On my Debian system visudo opens the nano editor by default, but it can be changed to another preferred editor:

2 - Editing "sudoers" for users

- Editing sudoers and adding a configuration line for the user roch:

- If sudo is not used, roch cannot perform the apt-get update command:

- However, now with the new line added to the file sudoers, the command sudo allows roch to update the system:

- Adding another line for the user johndoe. For instance in this example johndoe will be allowed to reload the Apache server:

- Going to the johndoe user account:

- When trying to reload Apache without sudo it fails:

- Using sudo it works:

3 - Editing "sudoers" for groups

- Creating the group team:


- Adding the user johndoe to the group team:

- Checking that the group team has been correctly created:

- Editing sudoers, let's add a line for the group team, allowing its members to update the system without using any password (NOPASSWD option):

- Going back to johndoe (member of the group team):

- Updating is not allowed without sudo:

- However updating is successful for johndoe with sudo:

4 - Editing "sudoers" for alias

- Editing sudoers and i) creating the group alias TEAMER ,  ii) adding johndoe:

- Adding the command alias ON_OFF for both reboot and shutdown commands:

- Assigning ON_OFF to TEAMER:

- Going back to johndoe:

- Now johndoe can reboot the system successfully:
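
The rules described in sections 2 to 4, collected into one sudoers drop-in. This is an added example, not the content of the original post's screenshots. The file name, the absolute command paths and the (root) run-as specification are assumptions for a Debian system.

```sudoers
# /etc/sudoers.d/exercise  (hypothetical file name; owner root, mode 0440)
# Check the syntax before installing it:
#   visudo -c -f /etc/sudoers.d/exercise

# --- Aliases (section 4) ---------------------------------------------
# User_Alias groups sudoers users under one name; Cmnd_Alias does the
# same for commands. Alias names must be upper case.
User_Alias TEAMER = johndoe
Cmnd_Alias ON_OFF = /sbin/reboot, /sbin/shutdown

# --- Per-user rules (section 2) --------------------------------------
# Format: who  host = (run-as user)  command
# Use absolute paths, and pin the arguments where possible: with
# "apt-get update" spelled out, "apt-get install ..." is still refused.
roch     ALL = (root) /usr/bin/apt-get update
johndoe  ALL = (root) /usr/sbin/service apache2 reload

# --- Group rule (section 3) ------------------------------------------
# A leading % marks a Unix group. NOPASSWD: skips the password prompt,
# so keep it on a narrow, fully specified command rather than on ALL.
%team    ALL = (root) NOPASSWD: /usr/bin/apt-get update

# --- Alias rule (section 4) ------------------------------------------
# Members of TEAMER may run the commands in ON_OFF. The commands are
# listed without arguments, so any arguments are accepted
# (for example "shutdown -h now").
TEAMER   ALL = (root) ON_OFF
```

A syntax error in a file under /etc/sudoers.d makes sudo refuse to run at all, which is why the `visudo -c -f` check comes before copying the file into place.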

5 - Checking sudo configurations for users

- The sudo command with options (-l = list, -U = users) lets you consult the list of allowed/forbidden commands for each user:

- Let's see some examples, like users root and johndoe who are part of the sudoers file: 

- If the user is not part of the sudoers file, like marie: