Sudo & ACL

Sudo
If a server needs to be administered by a number of people it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.
The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands they would not normally be able to due to file permission restrictions. The commands can be run as user "root" or as any other user defined in the /etc/sudoers configuration file.
To run a privileged command, prefix it with the word sudo followed by the command's regular syntax. When running a command with the sudo prefix, you will be prompted for your own regular password before it is executed. You may run further privileged commands with sudo within a five-minute period without being re-prompted for a password. All commands run through sudo are logged in the log file /var/log/messages. [1]
If sudo is not available, install the sudo package before proceeding.

Declaring in /etc/sudoers

The file /etc/sudoers must be edited by running the command visudo, which checks the syntax before saving:
# visudo

user  machine_hostname = (run_as_user) comma_separated_list_of_commands

alpha  stationX.class.com = (root) /usr/bin/passwd
User alpha is able to run the command passwd as root on stationX.class.com.

beta ALL = (ALL) /usr/sbin/adduser
User beta is able to run the adduser command as any user on any machine.

gamma ALL = (ALL) ALL
User gamma is able to run any command as any user on any machine (never recommended).

Using sudo

Invoking sudo is very easy:
[alpha@stationX]$ sudo passwd
[beta@localhost]$ sudo adduser
[gamma@localhost]$ sudo ifconfig

ACL
A File Access Control List (FACL) is used to allow or deny permissions to specific users. If users other than the owner need particular permissions on a file, the traditional way is to give a group that permission. However, that grants every member of the group the same permission on the file, and every file has exactly one owner and one group, so it is awkward to give different permissions to more than one group.
To restrict access to a file to only some specific users other than the owner, Linux implements FACLs. With an FACL, specific users are allowed or denied read, write and/or execute permission on a file. This can be thought of as adding exceptions to the basic permissions: if we want a user other than the owner to have full permission over a file, we can define an FACL entry for that; likewise, if we want a single user in a group to have no permission on a file, an FACL entry can do that too. For example, if the file example.file is owned by user root, user1 and group cracker can each be given specific permissions on the file. This scenario is illustrated in the table:


Initial permission   Command                                   Modified permission
rw-r--r--            (none)                                    (no ACL entries yet)
rw-r--r--            setfacl -m u:user1:rw- example.file       Grants user1 read and write access to example.file
rw-r--r--            setfacl -m g:cracker:--- example.file     Denies all permission to group cracker on example.file

Example 2: User Andrew must be able to read and write the file /var/tmp/fstab, while user Susan can do neither.

We have to use an ACL (Access Control List) for this.
# setfacl -m u:Andrew:rw- /var/tmp/fstab    # -m = modify; grants user Andrew read & write

# setfacl -m u:Susan:--- /var/tmp/fstab     # Susan can neither read, write nor execute

# getfacl /var/tmp/fstab                    # displays the ACL
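Added example, not from the original page: a small Python model of the access check described in acl(5), run over a constructed getfacl listing that combines the two examples above (the user names, group cracker and mask value are assumed). It shows why Susan and members of cracker are refused even though "other" has read, and how the mask entry caps named-user and group entries.

```python
# Constructed getfacl listing combining the two examples above (not real output):
EXAMPLE_ACL = """\
# file: /var/tmp/fstab
# owner: root
# group: root
user::rw-
user:Andrew:rw-
user:Susan:---
group::r--
group:cracker:---
mask::rw-
other::r--
"""

def parse_acl(text: str) -> dict:
    """Parse getfacl-style text into base entries, named entries and the mask."""
    acl = {"owner": None, "group_name": None, "mask": None, "users": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group_name"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            entry = line.split("#")[0].strip()           # drop "#effective:" annotations
            tag, qualifier, perms = entry.split(":")     # e.g. user:Andrew:rw-
            if qualifier:                                # named user / named group
                acl["users" if tag == "user" else "groups"][qualifier] = perms
            else:                                        # user::, group::, mask::, other::
                acl[tag] = perms
    return acl

def check_access(acl: dict, user: str, groups: list, wanted: str) -> bool:
    """acl(5) algorithm: does `user` (member of `groups`) get every permission in `wanted`?"""
    def has(perms: str) -> bool:
        return set(wanted) <= set(perms)
    def masked(perms: str) -> str:                       # mask caps named and group entries
        m = acl["mask"]
        return perms if m is None else "".join(p if p == q else "-" for p, q in zip(perms, m))
    if user == acl["owner"]:                             # 1. owner: user:: entry, never masked
        return has(acl["user"])
    if user in acl["users"]:                             # 2. named user entry beats any group
        return has(masked(acl["users"][user]))
    matching = [acl["group"]] if acl["group_name"] in groups else []
    matching += [p for g, p in acl["groups"].items() if g in groups]
    if matching:                                         # 3. one matching group entry must grant all
        return any(has(masked(p)) for p in matching)
    return has(acl["other"])                             # 4. everyone else
```

Running check_access("Andrew", ..., "w") against the same listing with mask::r-- returns False, which is exactly the silent failure getfacl flags with its "#effective:" column.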
