Your IP...


Monday, May 31, 2010

Configure Basic SUDO privileges.

sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file

main configuration file is /etc/sudoers

My Lab
Non root user "test"
password "123456"

cat /etc/passwd |grep test
test:x:503:504::/home/test:/bin/bash

Here I'll enable access to "test" user to use sudo privileges.
You need to edit this file using special command,
1 [root@redhat ~]# visudo

2 Find entry called,
## Allow root to run any commands anywhere
root ALL=(ALL) ALL

After the root entry put your user name here, Like this
test redhat=(ALL) ALL

Save and quit.

Note :- redhat mean your hostname

Note :- You can edit this file using vi (Like "vi /etc/sudoers") But after you edit and if there any misconfiguration it won't show you. But if you use "visudo" then if there any error when you close file it will show you the error.
Example: I put my entry like this "test redhat=(ALL) AL". Then it's will gave me a error message like this,

Warning: undeclared Cmnd_Alias `AL' referenced near line 72

So this is easy to understand where you need to edit file.

OK. now we configured "test" user to sudo privileges.

3 Loggin as a test user
[root@redhat ~]# su test
[test@redhat root]$

Now we try to find out user permission for the /var/log/message log file
[test@redhat root]$ tail /var/log/messages
tail: cannot open `/var/log/messages' for reading: Permission denied

It's says permission denied.

4 Then use sudo privileges and try
[test@redhat root]$ sudo tail /var/log/messages

Its will give you this kind of security warning message.

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:

5 Type password for user test. In my case 123456

Then it will show the message log as follows,
May 31 06:34:32 redhat smartd[2321]: smartd has fork()ed into background mode. New PID=2321.
May 31 06:34:32 redhat init: open(/dev/pts/0): No such file or directory
May 31 06:34:33 redhat pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
May 31 06:34:33 redhat last message repeated 3 times

Now we already enabled basic sudo privileges to user test

If your not sudo user,
I added user called test2 and test2 is not sudo user.

[test2@redhat root]$ sudo tail /var/log/messages

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:
test2 is not in the sudoers file. This incident will be reported.

Even if test2 provide his password it's give error like this and it's says test2 is not include in sudo file.

You can find this incident under /var/log/secure

[root@redhat ~]# tail /var/log/secure

May 31 06:55:39 rhce sudo: test2 : user NOT in sudoers ; TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
May 31 06:56:56 rhce su: pam_unix(su:session): session closed for user test2

As you can see above test2 is not sudo privilege user and this incident already tracked under secure log file.




No comments:

More about linux