From Mageia wiki
Introduction

This document shows a simple way to configure sudo on Mageia.

The benefits of using sudo are:

  1. Accountability and tracking of usage and commands executed: sudo access is logged.
  2. Simplifies management of privileged root access.
  3. You do not have to share the root password with all the admin users but can still allow privileged root access as needed.

Step 1: Ensure that you have sudo installed (and if not install it)

Check if the sudo RPM is installed:

$ rpm -q sudo > /dev/null && echo "sudo is installed" || echo "sudo is NOT installed"
sudo is installed

If you see the message "sudo is NOT installed" then you will need to install it (as root), for example:

# /usr/sbin/urpmi sudo

Step 2: Configure sudo

It is possible to configure sudo in many ways. You can, for example, enable specific commands for specific groups or users.

Here, we will simply configure sudo so that any user in the wheel group is allowed to use sudo to get root privilege.
When a user who is a member of the wheel group runs a sudo command, e.g. /bin/sudo -i, they will be prompted to type in their own password.
This improves security by ensuring a password is needed to gain root privilege.

The sudo configuration file can be edited using the visudo command.
However, we can avoid having to edit the long and complex sudo configuration file to enable the wheel group by simply (as root) running the following:

  # Create file /etc/sudoers.d/01wheel to enable members of wheel group to access root via sudo
  # (copy & paste, run as root)

  echo "%wheel ALL=(ALL)  ALL" > /etc/sudoers.d/01wheel
  chmod 440 /etc/sudoers.d/01wheel

  # end copy & paste

A detailed explanation of why files in the directory /etc/sudoers.d/ are named the way they are can be found in the manual page for the sudoers file:

$ man sudoers

To find the explanation while reading "man sudoers", search for "etc/sudoers.d" by typing: /etc/sudoers.d
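The drop-in file above only takes effect if /etc/sudoers actually includes the /etc/sudoers.d directory, and a typo in the rule can lock every wheel user out of sudo. The script below is an added example, not part of the Mageia wiki page: it writes the same 01wheel file, checks the includedir line, and (when run as root with visudo available) validates the new file with "visudo -c -f". The file paths are parameters so it can be tried against a throwaway directory; the sample sudoers content at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Mageia wiki): create the wheel drop-in file and
# run the checks an admin wants before relying on it.

# sudoers_includes_dropins SUDOERS DROPIN_DIR
# Succeeds only if SUDOERS has an includedir line for DROPIN_DIR. Older sudo
# writes it as "#includedir"; sudo 1.9.1 and later also accept "@includedir".
# DROPIN_DIR is used as a regular expression, so "." matches any character.
sudoers_includes_dropins() {
    grep -Eq "^[#@]includedir[[:space:]]+$2[[:space:]]*$" "$1"
}

# create_wheel_dropin DROPIN_DIR
# Writes 01wheel with mode 0440 (the same rule the page uses) and, when running
# as root with visudo installed, checks its syntax before it is ever consulted.
create_wheel_dropin() {
    file="$1/01wheel"
    printf '%s\n' '%wheel ALL=(ALL)  ALL' > "$file" || return 1
    chmod 440 "$file" || return 1
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >/dev/null || { echo "syntax error in $file" >&2; return 1; }
    fi
    return 0
}

# wheel_dropin_rule DROPIN_DIR: prints the rule that was written
wheel_dropin_rule() { cat "$1/01wheel"; }

# Demonstration against a throwaway directory with a constructed sudoers file.
# On a real system (as root) you would run:
#   sudoers_includes_dropins /etc/sudoers /etc/sudoers.d || echo "add an includedir line with visudo"
#   create_wheel_dropin /etc/sudoers.d
demo_dir=$(mktemp -d)
printf '%s\n' 'root ALL=(ALL) ALL' '#includedir /etc/sudoers.d' > "$demo_dir/sudoers"
sudoers_includes_dropins "$demo_dir/sudoers" /etc/sudoers.d && echo "includedir line present"
create_wheel_dropin "$demo_dir" && echo "wrote rule: $(wheel_dropin_rule "$demo_dir")"
rm -rf "$demo_dir"
```

If the includedir check fails, add the line with visudo rather than by editing /etc/sudoers directly, so the file is syntax-checked before it is saved.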

Step 3: Add users to the wheel group to allow them to have root privilege

It is much simpler to manage the list of users allowed root access by adding them to, or removing them from, a single group.
Historically, the wheel group has been used for this on Unix and Unix-like systems.

You can add users to a group in (at least) two ways:

  • Using the Mageia Control Center:

System -> Manage users on System -> select user -> Edit -> for each user, select groups and add a tick to the "wheel" group entry

  • Using command-line interface:

Edit /etc/group and add the user names, as a comma-delimited list, to the end of the wheel entry.
In the following example, we add the users ken and dennis to the wheel group.

Change:

wheel:x:10:

To:

wheel:x:10:ken,dennis

Step 4: Users newly added to the wheel group may need to log out and log in again

If a user was logged in at the time they were added to the wheel group, they need to log out and log in again before their sudo access works, because group membership is read at login.

Using sudo

Having installed and configured sudo as shown here, users who are members of the wheel group can use sudo to run privileged root commands.

Example 1 - to install all pending updates:

[ken@google.com ~] $  /bin/sudo /usr/sbin/urpmi --auto-update
[sudo] password for ken:

Example 2 - start a root shell

[dennis@att.com ~] $ /bin/sudo -i
[sudo] password for dennis:
[root@att.com ~] # 

Here, sudo's "-i" option causes the shell to start as if root had logged in (and has root's environment set).
Hence, the prompt is now a root prompt and if run in a Gnome Terminal, the tab will have "root@att.com".

Tips

tip 1: avoid using root

Avoid using the root account as much as possible.
If you really need root privilege then use it but it's more secure to avoid unnecessary use of the root account.

tip 2: with tabbed terminal, keep one tab for root

If you use a tabbed terminal (e.g. Gnome Terminal) it is handy to open one tab as a root shell and the other tabs as non-root.
This saves switching in and out of root, because you can simply select which terminal tab you want to work in.

tip 3: always use full pathname for commands prompting for passwords

Instead of using the command sudo, make a habit of using the command /bin/sudo. (This also applies to using /bin/su instead of just su.)

Why? For any command that causes a password prompt, using the full path is more secure than just the command name.

One technique used by attackers is to exploit your assumption that typing sudo runs the real sudo.
If an attacker gains access to your account, your $PATH can be modified to run a spoofed sudo which captures your typed password, prints an error message, and then execs the real sudo.
The user thinks "Oh, I mistyped the password. I'll type it again".
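A quick way to see whether a bare "sudo" could be hijacked on your account is to walk $PATH in order and look for directories, ahead of the one holding the real sudo, that your own user can write to: those are exactly the places a spoofed sudo would have to live. The function below is an added example, not from the Mageia wiki; it assumes the real binary is /bin/sudo as the tip recommends (pass another path if yours differs) and takes an optional PATH value so it can be tested without changing the environment.

```shell
#!/bin/sh
# Added example (not from the Mageia wiki): report writable directories that
# precede the real sudo's directory in PATH.

# writable_path_dirs_before REAL_SUDO [PATH_VALUE]
# Prints each directory, earlier in PATH than the directory of REAL_SUDO, that
# the current user can write to. Returns 1 if any were found, 0 otherwise.
# PATH_VALUE defaults to the current $PATH.
writable_path_dirs_before() {
    real_dir=$(dirname "$1")
    path_value="${2:-$PATH}"
    found=0
    old_ifs=$IFS
    IFS=:
    for dir in $path_value; do
        [ -z "$dir" ] && dir=.          # an empty PATH entry means the current directory
        [ "$dir" = "$real_dir" ] && break   # everything after the real sudo is irrelevant
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            echo "$dir"
            found=1
        fi
    done
    IFS=$old_ifs
    return $found
}

# Demonstration on the current environment (assumes the real sudo is /bin/sudo)
if writable_path_dirs_before /bin/sudo; then
    echo "no writable directory precedes /bin in PATH"
else
    echo "the directories above are writable and searched before /bin: a bare 'sudo' is not trustworthy here"
fi
```

Note that a directory being writable only by root is not a problem: the check is about what your unprivileged account, or anyone who has taken it over, could change.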

tip 4: monitor sudo usage

The sudo logfile is /var/log/sudo.log.

Take a look at the logfile from time to time to understand what is "normal" sudo activity on your system. Notice the date/time and TTY values in the log. Pay attention to odd or unusual log entries. For example, sudo executed at a time when you were not using the machine or from a TTY not normally used.
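The review suggested above can be partly automated. The script below is an added example, not from the Mageia wiki: it reads a sudo logfile and flags entries outside a given range of hours, entries from a TTY that does not match your usual pattern, and failed attempts. It assumes the default non-syslog logfile format ("Mar 14 10:22:01 : ken : TTY=pts/1 ; PWD=/home/ken ; USER=root ; COMMAND=..."); the working hours, the TTY pattern and all sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Mageia wiki): flag unusual entries in a sudo logfile.

# flag_sudo_entries LOGFILE START_HOUR END_HOUR NORMAL_TTY_REGEX
# Prints every entry whose hour is outside [START_HOUR, END_HOUR), whose TTY
# does not match NORMAL_TTY_REGEX, or which records a failed attempt, prefixed
# with the reason(s). Assumes sudo's default logfile format (see lead-in).
flag_sudo_entries() {
    awk -v start="$2" -v end="$3" -v tty_re="$4" '
        /^[A-Z][a-z][a-z] +[0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9] : / {
            split($3, t, ":"); hour = t[1] + 0
            reason = ""
            if (hour < start || hour >= end) reason = reason "off-hours "
            if (match($0, /TTY=[^ ;]+/)) {
                tty = substr($0, RSTART + 4, RLENGTH - 4)
                if (tty !~ tty_re) reason = reason "unusual-tty "
            }
            if ($0 ~ /incorrect password|NOT in sudoers|command not allowed/) reason = reason "failure "
            if (reason != "") print reason ": " $0
        }' "$1"
}

# count_flagged: same arguments, prints only the number of flagged entries
count_flagged() {
    flag_sudo_entries "$@" | wc -l | tr -d ' '
}

# Constructed sample logfile: two normal entries, one at 03:12 from pts/7,
# one from a text console (tty3), and one with failed password attempts.
sample_sudo_log() {
    cat <<'EOF'
Mar 14 10:22:01 : ken : TTY=pts/1 ; PWD=/home/ken ; USER=root ; COMMAND=/usr/sbin/urpmi --auto-update
Mar 14 11:05:40 : dennis : TTY=pts/2 ; PWD=/home/dennis ; USER=root ; COMMAND=/bin/bash
Mar 15 03:12:09 : ken : TTY=pts/7 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar 15 09:30:00 : dennis : TTY=tty3 ; PWD=/home/dennis ; USER=root ; COMMAND=/usr/bin/less /var/log/sudo.log
Mar 15 14:02:11 : ken : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/ken ; USER=root ; COMMAND=/bin/bash
EOF
}

# Demonstration: working hours 08:00-18:00, pseudo-terminals are the norm.
# On a real system: flag_sudo_entries /var/log/sudo.log 8 18 '^pts/[0-9]+$'
demo_log=$(mktemp)
sample_sudo_log > "$demo_log"
flag_sudo_entries "$demo_log" 8 18 '^pts/[0-9]+$'
echo "flagged: $(count_flagged "$demo_log" 8 18 '^pts/[0-9]+$') of $(wc -l < "$demo_log" | tr -d ' ') entries"
rm -f "$demo_log"
```

Adjust the hour range and TTY pattern to what is normal for your machine; the point is to make the odd entries stand out rather than to read every line by hand.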

Links

Wikipedia http://en.wikipedia.org/wiki/Sudo
sudo in a nutshell http://www.sudo.ws/sudo/intro.html
sudo sandwich http://xkcd.com/149/
Ken Thompson http://en.wikipedia.org/wiki/Ken_Thompson
Dennis Ritchie http://en.wikipedia.org/wiki/Dennis_Ritchie