Giving ordinary users root privileges, selectively
Posted by Steve on Sat 16 Oct 2004 at 15:46
On a multi-user system it is often useful to let particular users do things that require root privileges without giving them the root password. Several tools solve this problem; the best known is sudo.
sudo is a portable program for giving users selectively increased privileges.
The Debian sudo package is available for all releases and sets up a minimal configuration file when it is installed.
sudo is configured entirely through the file /etc/sudoers. This file controls which commands each user is allowed to run.
Whilst the program is flexible enough to let users run commands as any local user, it is typically used to grant root privileges for specific commands.
This is the default sudoers configuration:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
The configuration is essentially empty: the last line is the only one which isn't a comment.
(That last line says that the root user can run any command.)
To give a local user the ability to shut down the computer you need to add two sections: one to define the shutdown command which you wish the user to be able to execute, and a second to define the user(s) who may run it.
First, in the command section, we define a new alias which represents the shutdown command:
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Then in the users section we will define a user who will be able to execute this command:
skx ALL = SHUTDOWN
This says that the user "skx" on the host "ALL" (i.e. any host, including this machine) can run the command defined as SHUTDOWN.
This user can now shutdown the machine by running:
skx@lappy:~$ sudo shutdown -h now
The sudo program will prompt the user for their own password, not root's, and then execute the command. The command will be logged via syslog.
If you wish you can set up sudo so that users don't even need to enter their own password, by using "NOPASSWD:" as follows:
skx ALL = NOPASSWD: SHUTDOWN
"ALL" is a built-in keyword: here it stands for all hostnames, but it can also stand for all commands.
The following setting will allow the local user skx to run any command as root. This is very permissive and is equivalent to giving them root privileges outright.
skx ALL = ALL
In a group setting you might want to define a set of people who are able to perform some administration without knowing the root password. This can be achieved by defining a user alias:
# User alias specification
User_Alias ADMINS = skx,bob,chris
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias APT = /usr/bin/apt-get, /usr/bin/dpkg
# full time sysadmins can run updates and shutdown the machine.
ADMINS ALL = APT, SHUTDOWN
This example shows that three users, skx, bob, and chris, can update the machine using either apt-get or dpkg, and can shut the machine down. Any of these operations can be carried out without knowing the root password.
Note that allowing users to run apt-get and dpkg is equivalent to giving them root privileges, as packages can be installed which subvert the system.
Even on a single-user system sudo is worth using. The following settings, for example, will allow you to run any command as root without having to use su or repeatedly type the root password:
# User alias specification
User_Alias OWNER = skx
# User privilege specification
OWNER ALL= NOPASSWD: ALL
No more need for the root password, and full command logging via syslog.
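As an added example (not code from the original article or from the sudo project), here is a small audit script that parses the sudoers subset shown above, expands User_Alias and Cmnd_Alias entries, and reports which users end up effectively root, either through "ALL" or through root-equivalent commands such as apt-get and dpkg. The SAMPLE text, the ROOT_EQUIVALENT list and the user "dave" are constructed for the demonstration.

```python
# Added example, not from the article or the sudo project: parses only the sudoers
# subset used above (User_Alias, Cmnd_Alias, comments, "user host = [(runas)]
# [NOPASSWD:] cmd, cmd" rules) and reports which users are effectively root.
import re
# Constructed sample: the article's group example plus a single-owner rule.
SAMPLE = """\
User_Alias ADMINS = skx,bob,chris
User_Alias OWNER = dave
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias APT = /usr/bin/apt-get, /usr/bin/dpkg
ADMINS ALL = APT, SHUTDOWN   # sysadmins: updates and shutdown only
OWNER ALL = NOPASSWD: ALL
"""
# Root-equivalent commands (article: apt-get/dpkg equal root). Constructed list.
ROOT_EQUIVALENT = {"/usr/bin/apt-get", "/usr/bin/dpkg", "/bin/bash", "/bin/sh"}
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(NOPASSWD:\s*)?(.+)$")
def split_list(s):
    return [x.strip() for x in s.split(",") if x.strip()]

def parse(text):
    """Return (user_aliases, cmnd_aliases, rules); a rule is (who, host, nopasswd, cmds)."""
    user_alias, cmnd_alias, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind in ("User_Alias", "Cmnd_Alias"):
            name, _, members = rest.partition("=")
            (user_alias if kind == "User_Alias" else cmnd_alias)[name.strip()] = split_list(members)
        else:
            m = RULE.match(line)
            if not m:
                raise ValueError("unsupported sudoers line: " + line)
            who, host, _runas, nopw, cmds = m.groups()
            rules.append((who, host, bool(nopw), split_list(cmds)))
    return user_alias, cmnd_alias, rules

def effective_root(text):
    user_alias, cmnd_alias, rules = parse(text)
    found = {}   # user -> why that user is effectively root; narrow rules are not listed
    for who, _host, nopw, cmds in rules:
        expanded = {c for spec in cmds for c in cmnd_alias.get(spec, [spec])}
        hits = expanded & ROOT_EQUIVALENT
        for user in user_alias.get(who, [who]):
            if "ALL" in expanded:
                found[user] = "ALL commands" + (", no password" if nopw else "")
            elif hits:
                found.setdefault(user, "root-equivalent: " + ", ".join(sorted(hits)))
    return found
```

Run it over your own /etc/sudoers (copied, since the real file is mode 0440) to see which accounts a compromised password would turn into root; visudo -c remains the only authoritative syntax check.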
You create an entry in /etc/sudoers like:
trusted_user host_or_ALL = /bin/rootsh
Your user now types "sudo rootsh" and will find himself in a root shell, as if he typed "su -" or "sudo -s". The advantage is, everything he types will be sent to syslog. So if he breaks something and denies it, you show him the logfiles from your syslog server. Believe me, you can avoid a lot of quarrels this way.
New to all of this so do bear with me.
If it is a bad idea to allow root access to ssh (which I read about and so deny on my server) and then allow my user to have access to all of the things root can do through sudo, this means that someone only needs access to my account, and to know to type sudo, and they have full root access to my machine.
If you use su root instead; this would mean someone would have to have access to not only my account, but the root password too to perform any dangerous ops.
I know the world is not perfect and if you have many users on a machine, you don't want them to have the root password and sudo seems a good way to set up permissions; but seeing as I am the only administrator, is it not better to have two layers of protection by forcing me to type in the root password instead of one?
Thoughts?
Cheers,
Paul
I host/will be hosting multiple domains but use virtual users for both ftp and email and have no need to give anyone shell access.
In this case; I am the single user/admin on the machine. To not use root and to get around the fact that sudo effectively makes me root on my machine (the way I have configured it), would anyone suggest creating a number of accounts with specific privileges in sudo then su'ing to each account to perform specific tasks?
That would mean someone would have to know an awful lot about my system to do anything bad, but it is also a pain in the ar$e when administering my system.
Too much hassle and the main aim is to keep my password safe so no one gets on my machine and continue allowing my user to be root? :)
Appreciate some feedback;
All the best
The "solution" is to make a few modifications ....
1. Set a root password
2. Edit /etc/passwd and change root's shell from /bin/bash to /bin/false
3. Make sure your administrative user has full access to root via sudo.
4. Add, or modify, the "Defaults" line; add rootpw (options are comma delimited)
Defaults !lecture,tty_tickets,!fqdn,insults,rootpw
You will now need to enter a root password for sudo access.
5. Specify user access as above, they will need to use the root password.
6. If you need a root shell, you will need to
sudo /bin/bash (and I advise you also source /root/.bashrc)
One thing; why turn off the shell for root? If only my admin user can ssh into the system, would that not be adequate security? I have done step 4 onwards for now.
Cheers,
Paul