FreeOS.com logo
Pick a Free OS

FreeOS Most Popular
* Most Read stories
* Commented Stories
* Active Categories
* Non Linux Section
* User Submitters
* Top Polls
* Top Authors
* Top Reviews
* Top Rated
* Top Search Terms

Top Articles
* Writing a Linux device driver
* The Linux filesystem explained
* Samba NT Domain Controller
* Setting up Squid as your caching HTTP/FTP proxy
* Web server tutorial - Part 1

FreeOS Highlights
* Howtos (72)
* Reviews (20)
* Opinions (18)
* Interviews (8)
* News (3)

My FreeOS

Nick:
Pass:
Register

Forgot your password?

Contact Us
Contact Us

       

Project: FreeOS triangle Howtos triangle

Psudo root!

By Chandrashekhar Bhosle <cnb@freeos.com>
Posted: ( 2001-03-14 07:57:04 EST by Mayank Sarup )
If you wonder about safely allowing a user to run a program on your Unix box requiring root privileges and feel uneasy about options like sharing the root password or using setuid bits then sudo is the program for you.

A common problem faced is allowing non root users to dial and establish a connection to the Internet.

An easy and safe solution with sudo, assuming you use wvdial, is to put the following line in /etc/sudoers. (syntax explained later)

ALL ALL=/usr/bin/wvdial

This allows any user to run the program wvdial with root privileges when the user runs sudo as

sudo wvdial

Note: sudo issues a password prompt where the password to be entered is that of the user running sudo.

How does sudo make handing out root privileges more secure?

sudo is more secure than other options because of the following reasons.


  • The user does not need to know the root password.
  • The superuser can specify the programs a user is allowed to run and also specify the parameters to be supplied to the program.
  • The superuser can set resource limitations on the command being executed.
  • The superuser can specify the shell the program should run under.
  • If an unauthorized user attempts a command via sudo, the superuser will receive automatic notification via email.
  • sudo logs all activity.
  • /etc/sudoers file can contain dozens of options to fine tune restrictions.

Working


Sudo works in the following manner. When invoked, it matches the real and effective uid and gid of the target user and (by default) prompts them to authenticate themselves using their own password. On authentication, it sets a timestamp, which allows the user to run sudo within a time period of 5 minutes (configurable) without needing to authenticate themselves again.

To run sudo, the user must be listed in the file /etc/sudoers. If the user isn't listed in /etc/sudoers and attempts to run sudo, an email is automatically sent by sudo to the superuser. The users should ideally do a "sudo -l" to see whether they are allowed to run any commands on the host to avoid ticking off their system administrator.

Some other useful flags to sudo would be


-h to show a help screen
-b to run the program in the background
-u to run a program as a user other than root (Usage: sudo -u foo)

The /etc/sudoers file


The /etc/sudoers file is where you set the users as well as the programs they are allowed to run using sudo. It must only be edited using visudo(8) and ideally with the -s flag, which does strict syntax checking (sudo will not run if the /etc/sudoers contains errors) and also locks the file against multiple access. visudo does not require vi. An alternate editor can be set using the $EDITOR or the $VISUAL environment variable. The syntax of the sudoers file is extensively documented in the sudoers(5) man page, but it is quite confusing in the beginning.

The important thing to remember is that the sudoers file contains two types of statements.


  • Aliases - Where variables are defined.
  • User Specifications - Specifies who may run what.

Alias can be of four types


  • User_Alias - Who can run the program.
  • Runas_Alias - Who should the program be run as (defaults to root).
  • Host_Alias - On which hosts should the program be allowed to run.
  • Cmnd_alias - Commands allowed.

Let's create a sample /etc/sudoers file using visudo -s

We've setup the following simple aliases

# User alias specification
User_Alias TRUSTED = cnb, mayank, sacs

# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/halt
Cmnd_Alias KILL = /bin/kill, /usr/bin/killall

Now we put in the User Specification entries.

# User privilege specification
root ALL=(ALL) ALL
ALL ALL=/usr/bin/wvdial
TRUSTED ALL=SHUTDOWN, KILL

Note: ALL in the above entries is a reserved sudo word which causes all matches to succeed.

Let us dissect the first entry

root ALL=(ALL) ALL

This entry is in the form of

User_Spec Host_Spec=(Runas_Spec) Cmnd_Spec

The first word root is the user who will run the command. The first ALL allows the user to run the command on any host. The next (ALL) allows any user to run the command. And finally, the last ALL allows the user to run any command.

Thus it implies let root run on any host, as any user, any command.

The Runas_Spec can be dropped when the required privileges are those of root, as the Runas_Spec defaults to root. Thus in the second line we see,

ALL ALL=/usr/bin/wvdial

This allows ALL users to run on any host, as root, the command wvdial.

Finally the last line,

TRUSTED ALL=SHUTDOWN, KILL

Allows the users defined in the TRUSTED alias run on any host the commands defined in the SHUTDOWN and KILL alias.

This line would effectively expand to,

Let cnb, mayank, sacs run on ALL hosts as root the commands /sbin/shutdown, /sbin/halt, /bin/kill, /usr/bin/killall.

These examples are very rudimentary. One can create very powerful rules by using the sudo supported features of regular expressions and shell wildcards to build convenient and secure access control lists. All these are extensively documented in the sudoers(5) man page.

Security Concerns


sudo does numerous security checks before executing the requested command. It removes certain environment variables and checks the path for command spoofing. Yet, there are ways in which sudo access can be exploited to gain unauthorized root privileges if not carefully used.

For example, the following entry lets a person change Apache's configuration.

user ALL=/bin/rvi /etc/httpd/conf/httpd.conf

Using this seemingly innocuous entry a user could read in the /etc/shadow file, edit it and elevate himself to root privileges. This is possible even after we have used vi in the restricted mode because vi itself is running as root and can read and write any file using :r filename and :w filename.

Be very careful when you let a person write to a file. Be very sure that system files cannot be altered using the allowed access. Allowing the replacement of (updating) executables and libraries is a strict non starter. Beware of the danger of trojan introduction.

sudo is free software distributed under the BSD license and can be downloaded at here. The sudo website contains extensive documentation and pointers to various resources concerning sudo. So grab sudo and get rid of those dangerous setuid programs and shared root passwords.


Sudo Homepage
Download sudo
Troubleshooting FAQ
Sudo(8) Manual Page
Sudoers(5) Manual Page
Visudo(8) Manual Page
Other sudo-like utilities

Other articles by Chandrashekhar Bhosle

Current Rating: [ 8.41 / 10 ] Number of Times Rated: [ 22 ]

More Howtos
* Psudo root!
* GCC options you should know

Contents
Articles
  Howtos
  Interviews
  News
  Opinions
  Reviews
Comparison
Links
  Articles
  Howtos
  Interviews
  Opinions
  Reviews
  Websites
News

Print It!
Printer Friendly Version