Revision as of 08:59, 29 November 2020
Introduction
This document shows a simple way to configure sudo on Mageia.
The benefits of using sudo are:
- Accountability and tracking of usage and commands executed: sudo access is logged.
- Simplifies management of privileged root access.
- You do not have to share the root password with all the admin users but can still allow privileged root access as needed.
Step 1: Ensure that you have sudo installed (and if not install it)
Check if the sudo RPM is installed:
rpm -q sudo > /dev/null && echo sudo is installed || echo sudo NOT installed
sudo is installed
If you see the message "sudo NOT installed" then you will need to install it (as root), for example:
/usr/sbin/urpmi sudo
Step 2: Configure sudo
It is possible to configure sudo in many ways. You can, for example, enable specific commands for specific groups or users.
Here, we will simply configure sudo so that any user in the wheel group is allowed to use sudo to get root privilege.
When a user who is a member of the wheel group runs a sudo command, e.g. /bin/sudo -i, they will be prompted to type in their own password.
This improves security by ensuring a password is needed to gain root privilege.
The sudo configuration file can be edited using the visudo command.
However, we can avoid having to edit the long and complex sudo configuration file to enable the wheel group by simply (as root) doing the following:
- Create a file in /etc/sudoers.d/ (the name is free to choose, though it can usefully reflect the content, e.g. 01wheel) to allow the members of the wheel group to access root via sudo.
- Execute the command indicated as follows, as root (this creates the file, writes the line, and gives read-only permission on the file 01wheel).
Template:Root console
A detailed explanation of why files in the directory /etc/sudoers.d/ are named the way they are can be found in the manual page for the sudoers file (man sudoers): search for "etc/sudoers.d" by typing /etc/sudoers.d (the leading "/" starts a search in the pager).
Step 3: Add users to the wheel group to allow them to have root privilege
It is much simpler to manage the list of users allowed root access by simply adding or removing them from a group.
Historically, the wheel group has been used for this on Unix and Unix like systems.
You can add users to a group in (at least) two ways:
- Using the Mageia Control Center: System -> Manage users on System -> select user -> Edit -> for each user, select groups and add a tick to the "wheel" group entry.
- Using the command-line interface: edit /etc/group and update the entry for wheel by adding the names of the users as a comma-delimited list.
In the following example, we will add the users ken and dennis to the wheel group.
Change:
wheel:x:10:
To:
wheel:x:10:ken,dennis
Step 4: Newly added users to the wheel group may need to logout and login again
If a user who was newly added to the wheel group was logged in at the time they were added, they need to log out and log in again for their sudo access to work.
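The wheel rule from Step 2 and the /etc/group edit from Step 3, as an added example that is not part of the original page: both functions take the target paths as arguments, so they can be exercised on scratch copies before being pointed at the real files. The exact sudoers line is my assumption (the page does not reproduce its command); `%wheel ALL=(ALL) ALL` is the standard form, and the group file and user names below are constructed.

```shell
#!/bin/sh
# Added example (not from the Mageia page). Both functions take explicit paths,
# so try them on scratch copies first, then point them at /etc/sudoers.d and /etc/group as root.

# write_wheel_rule DIR NAME: create DIR/NAME letting wheel members run any
# command as root. The rule text is the standard sudoers form; it is assumed
# here because the page does not show the line its own command writes.
write_wheel_rule() {
    dir=$1; name=$2
    # subshell keeps the restrictive umask local; file is never world-readable
    ( umask 077 && printf '%%wheel ALL=(ALL) ALL\n' > "$dir/$name" ) || return 1
    chmod 0440 "$dir/$name" || return 1     # sudo ignores writable drop-ins
    # Syntax-check before relying on it: a broken drop-in breaks sudo itself.
    # Only meaningful as root, so it is skipped otherwise.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$dir/$name" >/dev/null || return 1
    fi
}

# add_to_wheel GROUPFILE USER...: append users to the wheel line, handling
# the empty member list (no leading comma) and skipping names already there.
add_to_wheel() {
    gf=$1; shift
    for u in "$@"; do
        awk -F: -v u="$u" 'BEGIN { OFS = ":" }
            $1 == "wheel" {
                n = split($4, m, ","); seen = 0
                for (i = 1; i <= n; i++) if (m[i] == u) seen = 1
                if (!seen) $4 = ($4 == "" ? u : $4 "," u)
            }
            { print }' "$gf" > "$gf.tmp" && mv "$gf.tmp" "$gf" || return 1
    done
}

# wheel_members GROUPFILE: print the wheel member list (4th field).
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}
# Demonstration on a constructed scratch copy of /etc/group.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'root:x:0:\nwheel:x:10:\nusers:x:100:\n' > "$tmp/group"
    add_to_wheel "$tmp/group" ken dennis ken    # the repeated ken is ignored
    write_wheel_rule "$tmp" 01wheel
    echo "wheel line: $(wheel_members "$tmp/group")"   # ken,dennis
    cat "$tmp/01wheel"
    rm -rf "$tmp"
}
demo
```

On a live system, usermod -aG wheel USER performs the same /etc/group edit through the standard tool.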
Using sudo
Having installed and configured sudo as shown here, users who are members of the wheel group can use sudo to run privileged root commands.
Example 1 - to install all pending updates: Template:Sudo
Example 2 - start a root shell
Template:Sudo to root
Here, sudo's "-i" option causes the shell to start as if root had logged in (with root's environment set).
Hence the prompt is now a root prompt and, if run in a Gnome Terminal, the tab title will show "root@att.com".
Tips
tip 1: avoid using root
Avoid using the root account as much as possible.
If you really need root privilege then use it, but it is more secure to avoid unnecessary use of the root account.
tip 2: with tabbed terminal, keep one tab for root
If you use a tabbed terminal (e.g. Gnome Terminal) it is handy to open one tab as a root shell and the other tabs as non-root.
This saves switching in and out of root because you can simply select which terminal tab you want to work in.
tip 3: always use full pathname for commands prompting for passwords
Instead of using the command sudo, make a habit of using the command /bin/sudo. (This also applies to using /bin/su instead of just su.)
Why? For any command that prompts for a password, using the full path is more secure than just the command name.
A technique used by hackers is to exploit your trust that when you type sudo you are running the real sudo.
If a hacker can gain access to your account, your $PATH can be modified to run a spoofed sudo which captures your typed password, prints an error message, and then execs the real sudo.
The user thinks "Oh, I mistyped the password. I'll type it again".
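A defensive check to go with this tip, added here and not from the original page: it lists the $PATH entries where a spoofed sudo could sit ahead of the real one (empty or relative entries, and directories the current user can write to) and shows which sudo the shell would actually run. The scratch directory and PATH string in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not from the Mageia page): audit PATH for places where a
# spoofed "sudo" could be planted ahead of the real one.

# unsafe_path_dirs PATHSTRING: print one line per entry that is empty (which
# means the current directory), relative, or writable by the current user.
unsafe_path_dirs() {
    saved_ifs=$IFS; IFS=:
    set -f                       # no globbing while the entries are expanded
    for d in $1; do
        case $d in
            "")  echo "empty entry (current directory)" ;;
            /*)  [ -w "$d" ] && echo "writable: $d" ;;
            *)   echo "relative: $d" ;;
        esac
    done
    set +f; IFS=$saved_ifs
}

# resolved_sudo: print the path the shell would run for "sudo", or "none".
# Compare it with /bin/sudo (or /usr/bin/sudo on merged-/usr systems).
resolved_sudo() {
    command -v sudo 2>/dev/null || echo none
}

# Demonstration on a constructed PATH: a world-writable scratch directory
# first, then an empty entry, then a normal system directory.
demo() {
    tmp=$(mktemp -d) && chmod 1777 "$tmp" || return 1
    echo "PATH entries to worry about:"
    unsafe_path_dirs "$tmp::/usr/bin"
    echo "shell resolves sudo to: $(resolved_sudo)"
    rm -rf "$tmp"
}
demo
```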
tip 4: monitor sudo usage
The sudo logfile is /var/log/sudo.log.
Take a look at the logfile from time to time to learn what "normal" sudo activity looks like on your system. Notice the date/time and TTY values in the log. Pay attention to odd or unusual log entries, for example sudo executed at a time when you were not using the machine, or from a TTY not normally used.
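Review logic for this tip, added here and not from the original page, run over a few constructed /var/log/sudo.log lines: entries are joined across sudo's wrapped continuation lines, then flagged when they fall outside the hours you normally work, record failed password attempts, or come from a TTY other than the ones you normally use. The working hours and expected TTYs are parameters you set for your own system; the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the Mageia page): flag unusual entries in sudo's
# file log. Entry layout follows sudo's default file logging, where long
# entries wrap onto indented continuation lines; sample entries are constructed.

# review_sudo_log FILE FIRST_HOUR LAST_HOUR TTYS
#   Prints "reason(s): entry" for every entry whose hour is outside
#   [FIRST_HOUR, LAST_HOUR), that records incorrect password attempts,
#   or whose TTY is not in the space-separated TTYS list.
review_sudo_log() {
    awk -v first="$2" -v last="$3" -v ttys=" $4 " '
        function check(e,    f, hour, tty, why) {
            split(e, f, " ")                    # f[3] is HH:MM:SS
            hour = substr(f[3], 1, 2) + 0
            why = ""
            if (hour < first || hour >= last) why = why "off-hours "
            if (e ~ /incorrect password/)     why = why "failed-auth "
            if (match(e, /TTY=[^ ]+/)) {
                tty = substr(e, RSTART + 4, RLENGTH - 4)
                if (index(ttys, " " tty " ") == 0) why = why "unusual-tty "
            }
            if (why != "") print why ": " e
        }
        /^[[:space:]]/ { entry = entry " " $0; next }   # wrapped continuation
        { if (entry != "") check(entry); entry = $0 }
        END { if (entry != "") check(entry) }
    ' "$1"
}

# Demonstration on a constructed log: only the last two entries are flagged.
demo() {
    log=$(mktemp) || return 1
    cat > "$log" <<'EOF'
Nov 29 08:59:01 : ken : TTY=pts/0 ; PWD=/home/ken ; USER=root ;
    COMMAND=/usr/bin/urpmi --auto-update
Nov 29 09:15:32 : dennis : TTY=pts/1 ; PWD=/home/dennis ; USER=root ; COMMAND=/bin/bash
Nov 29 03:12:44 : ken : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
Nov 29 22:41:07 : dennis : TTY=tty2 ; PWD=/home/dennis ; USER=root ; COMMAND=/bin/bash
EOF
    review_sudo_log "$log" 8 18 "pts/0 pts/1"
    rm -f "$log"
}
demo
```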
Links
- Wikipedia: http://en.wikipedia.org/wiki/Sudo
- sudo in a nutshell: http://www.sudo.ws/sudo/intro.html
- sudo sandwich: http://xkcd.com/149/
- Ken Thompson: http://en.wikipedia.org/wiki/Ken_Thompson
- Dennis Ritchie: http://en.wikipedia.org/wiki/Dennis_Ritchie