Skip to content

91a.User_Management_Part_3.md

Latest commit

 

History

History
217 lines (154 loc) · 5.53 KB

91a.User_Management_Part_3.md

File metadata and controls

217 lines (154 loc) · 5.53 KB

Case Study: Managing User Privileges with sudo and the sudoers File

Background: In a Linux system, managing user privileges is essential for ensuring security and proper system administration. The sudo command allows users to execute commands with elevated privileges, such as root access, without granting full root access. The sudoers file, located in /etc/sudoers, is where system administrators define and control which users can execute specific commands with sudo.

1. The sudo Command:

Scenario: As a regular user, you need to add a new user to the system. Since adding users requires administrative privileges, you would use the sudo command to execute the adduser command with root access.

Example:

$ sudo adduser new_user

To run a command as a user other than root, use the -u option:

$ sudo -u username command

This gives administrators fine-grained control over who can execute which commands and as which user.

2. The sudoers File:

Scenario: As an administrator, you need to control which users have sudo access and what commands they can execute. The sudoers file is where these configurations are made.

Steps:

  • View the file's permissions: 
    $ ls -l /etc/sudoers
-r--r----- 1 root root 755 Jan 18 2018 /etc/sudoers
  • Edit the file using visudo for safety, as it prevents syntax errors.

Sample Configuration:

# Root can execute any command
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Members of the sudo group may execute any command
%sudo ALL=(ALL:ALL) ALL

3. Checking Allowed Commands for a User:

Scenario: You need to check what commands the user durgasoft is allowed to run with sudo.

Steps:

  1. List commands for the current user: 
    $ sudo -l
  2. List commands for a specific user: 
    $ sudo -l -u durga1

Case Study: Managing User Privileges and Security with sudo and sudoers

Background: In a mid-sized organization, a Linux-based server is shared by multiple teams. Each team has specific administrative requirements, but unrestricted root access cannot be granted for security reasons. To ensure proper privilege management, the system administrator must use the sudo command and configure the sudoers file for fine-grained access control.

Scenario: Role-Based Access Control

Objective:

  • Enable Team A to install and update software.
  • Allow Team B to manage network configurations.
  • Restrict general users from accessing sensitive commands.
  • Ensure all actions performed with sudo are logged for auditing purposes.

Step 1: Configuring User Groups

First, create user groups for Team A and Team B to streamline privilege assignments.

# Create groups for each team
$ sudo groupadd team_a
$ sudo groupadd team_b

# Add users to respective groups
$ sudo usermod -aG team_a user1
$ sudo usermod -aG team_b user2

Step 2: Editing the sudoers File

Use the visudo command to safely edit the /etc/sudoers file and define custom privileges.

$ sudo visudo

Add the following rules:

# Allow Team A to run package management commands
%team_a ALL=(ALL) /usr/bin/apt-get, /usr/bin/yum

# Allow Team B to manage network settings
%team_b ALL=(ALL) /sbin/ifconfig, /sbin/ip

# Prevent all users from editing the sudoers file directly
ALL ALL=(ALL) !/bin/vi /etc/sudoers

Step 3: Verifying the Configuration

For Team A:

  1. Check if a user from Team A can install software:

    $ sudo apt-get install nano

  2. Attempt to execute a restricted command:

    $ sudo passwd root

    Expected Result: Access denied.

For Team B:

  1. Verify network configuration access:

    $ sudo ifconfig

  2. Test a restricted command:

    $ sudo apt-get update

    Expected Result: Access denied.

Step 4: Auditing sudo Usage

To monitor actions performed with sudo, check the system log file.

# View the sudo log entries
$ sudo tail -f /var/log/auth.log

Sample Output:

Jan 14 10:15:00 server1 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/apt-get install nano
Jan 14 10:20:00 server1 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/sbin/ifconfig

Step 5: Using Advanced Features of sudo

Allow Passwordless Commands:

Some users need frequent access to specific commands without typing a password each time.

# Add this rule to the sudoers file for Team B
%team_b ALL=(ALL) NOPASSWD: /sbin/ifconfig

Restrict Time-Based Access:

Allow Team A access only during business hours (e.g., 9 AM to 6 PM).

# Add this rule to the sudoers file
%team_a ALL=(ALL) ALL :!/(ALL) ALL, !time=9:00-18:00

Step 6: Testing and Maintenance

  1. Test all configurations:

    $ sudo -l

  2. Remove a user from a group if privileges are no longer needed:

    $ sudo gpasswd -d user1 team_a

  3. Backup the sudoers file:

    $ sudo cp /etc/sudoers /etc/sudoers.bak

Conclusion:

By leveraging the sudo command and configuring the sudoers file effectively, the administrator achieved:

  • Role-based access control for different teams.
  • Prevention of unauthorized access to critical commands.
  • Enhanced security through detailed auditing and logging of actions.