Providing root privileges for users Using SUDO

Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done.

Debian’s sudo package has the password timeout set to 15 minutes. This means that when you first enter your password, as long as you don’t wait more than 15 minutes between sudo commands, you won’t have to enter it again. The password timeout can be immediately expired with sudo -k.

Debian’s sudo is compiled with

–with-exempt=sudo
–with-secure-path=”/usr/local/sbin:/usr/local/bin:/usr/sbin:

As a consequence, the PATH of the user is ignored except if the user is in group sudo.

Installing SUDO in Debian

# apt-get install sudo

This will complete the installation of sudo.

SUDO Configuration file is /etc/sudoers

Default sudoers file looks like below

# /etc/sudoers
#
# This file MUST be edited with the ‘visudo’ command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

Only last line is valid now this means that the root user can run any command.

If you want to give perticular user to run any command use the following line in /etc/sudoers file

#vi /etc/sudoers

add the following line

user ALL=(ALL) ALL

here user means username

To run one command as root

sudo command

For more commands, run your shell with sudo.

sudo sh (if sh is your shell.)

Be careful when you are root. When you are done, type exit

SUDO Configuration examples

# User alias specification

User_Alias ADMINS = user1, user2, user3
User_Alias WEBMASTERS = user4, user5, user6

# command alias specification

Cmnd_Alias APACHE = /usr/local/sbin/kickapache
Cmnd_Alias TAIL = /usr/bin/tail

Cmnd_Alias SHUTDOWN = /sbin/shutdown

Cmnd_Alias APT = /usr/bin/apt-get, /usr/bin/dpkg

# privileges

ROOT ALL = (ALL) ALL
WEBMASTERS ALL = PASSWD : APACHE, TAIL
admin ALL = NOPASSWD : /etc/init.d/apache

Running Commands Using SUDO

To get a file listing of an unreadable directory

$sudo ls /usr/local/protected

To list the home directory of user test on a machine where the file system holding ~test is not exported as root

$sudo -u test ls ~test

To edit the index.html file as user www:data

$sudo -u www:data vi ~www/htdocs/index.html

To shutdown a machine:

$sudo shutdown -r +15 “quick reboot”

To make a usage listing of the directories in the /home partition. Note that this runs the commands in a sub-shell to

make the cd and file redi-rection work.

$sudo sh -c “cd /home ; du -s * | sort -rn > USAGE”

If you want more options about sudo check sudo man page

Using Rootsh with SUDO

One more nice tool to use with sudo is rootsh

Download and install rootsh

Rootsh is a wrapper for shells which logs all echoed keystrokes and terminal output to a file and/or to syslog. It’s main purpose is the auditing of users who need a shell with root privileges. They start rootsh through the sudo mechanism.

Start a shell with logging of input/output. Rootsh must be started via sudo if you want to become root. It does not raise your privileges on it’s own. You can run rootsh as a standalone application if you only want to log your own user’s session. If you call rootsh with additional commands, these will be passed to the shell.

You can create an entry in /etc/sudoers file

trusted_user host_or_ALL = /bin/rootsh

Rootsh Syntax

rootsh [OPTION]… [–] [COMMANDS]

$sudo rootsh

User should see himself in a root shell, as if he typed “su -” or “sudo -s”.

Main advantage of this is, everything user types will be sent to syslog. So if he tries to access some secure files from the server you can catch him using the logfiles from your syslog server.

Rootsh Usage Examples

$sudo rootsh

Start a logged root shell

$sudo rootsh -u oracle

Start a logged shell in the context of user oracle.

$rootsh -f mysession.log –no-syslog

Start a new shell for your user id, write protocol into mysession.log, do not send anything to syslog. This is

identical to “script -f mysession.log”

$sudo rootsh -i -u oracle lsnrctl stop

Run command “lsnrctl stop” as user oracle. (this will call sh -c “lsnrctl stop”)

$sudo rootsh -i -u oracle — ls -l

Run command “ls -l” as user oracle. (this will call sh -c “ls -l”)

Sponsored Link

4 thoughts on “Providing root privileges for users Using SUDO

  1. Giving sudo for dpkg seems harmless, but remember that the user can easily create a package which contains a dummy file and then puts his commands in the postinst script. This script is then executed as root upon installing.

  2. hi. i have a question, u know the chips in a pc how can i control the in formation on it like in macro programming and take complete control of my pc with out external entity manipulating it threw Internet

  3. How sweet… Just installed Debi(L)an 6.0.1a …
    “apt-get install sudo” –> not work, cause I’m not sudoer and command “sudo apt-get install sudo” NOT work. Its a Catch22 situation. And, OF COURSE, root login is disabled by default. What a paranoia …. why do somthing easy, when you can spent few hours on that?

  4. I found some sites where they do the: sudo adduser paul admin
    but my linux does not have the admin group so I use:
    sudo adduser paul sudo

Leave a comment

Your email address will not be published. Required fields are marked *