CDOT Wiki β

Changes

OPS245 Lab 4

4,061 bytes added, 12:59, 10 January 2021
populated the sudoing investigation.
=INVESTIGATION 2: Controlling Sudo Elevated Privileges=
When you created your first user on your hosts centos1 and centos2, you made them an administrator. This allows them to run commands with root privileges (when they request it). But you won't always know in advance whether a user is going to be an administrator (what if someone gets promoted, or changes jobs?), so you can't always do that in advance. Checking that box also allows them to run ''any'' command with root privileges by using sudo. In many cases, administrators won't be allowed to do ''everything'', but will instead be restricted to certain tasks (e.g. managing user accounts, managing software, managing services, etc.). Sudo gives us this detailed control, so we can pick and choose who gets to run which commands as root.

=== Part 1: Finding out why Your First User can do Anything? ===
You've already observed that your first user can use sudo to execute any command, but what about their account actually makes that possible?
<ol>
<li>View (but do not edit) the contents of /etc/sudoers. Search for your user account. You won't find them.</li>
<li>Check the contents of /etc/passwd and /etc/group for entries with your user account. Is there anything different between your account and ops245_1?</li>
<li>You should find that your user is part of a secondary group. What group is it? Are they part of that group on centos3?</li>
<li>The '''wheel''' group represents administrators with complete sudo privileges. Go back to /etc/sudoers and read the entry for wheel. It should look something like this:<br /><b><code><span style="color:#3366CC;font-size:1.2em;">%wheel ALL=(ALL) ALL</span></code></b><br />
::This means that anyone who is part of that group can run ''any'' command, as ''any'' user. Effectively, they can use sudo to be root.
::So why not just give those admins the root password?</li>
<li>During the lecture, you should have learned some reasons to limit access to the actual root account, and why using sudo is a better practice. Record your observations.</li>
<li>On centos3, add your user to wheel as a secondary group so you can use sudo the same way there that you can on your other machines.</li>
</ol>

=== Part 2: Adding Limited Sudo Capabilities to Other Users ===
The wheel group is very useful for senior admins who should be able to run any command, but what about admins who haven't yet demonstrated the responsibility necessary to wield that power? We can use the sudoers files to give them privileges to run some commands, but not all.

Note: While this could be done in the main '''/etc/sudoers''' file, the better practice is to create a file for each admin user in the '''/etc/sudoers.d''' directory.
<ol>
<li>Login as your '''ops245_1''' account. Try to run the command <b><code><span style="color:#3366CC;font-size:1.2em;">systemctl restart sshd</span></code></b><br />
::If successful, that command would restart the sshd service on that machine, but that user does not have permission to do that.</li>
<li>Try running that command again, this time with sudo.</li>
<li>It still won't work, because this user does not have permission to use sudo for anything.</li>
<li>Create a file called '''ops245_1''' in '''/etc/sudoers.d'''. Add the following line to it:<br /><b><code><span style="color:#3366CC;font-size:1.2em;">ops245_1 ALL=(ALL) /usr/bin/systemctl</span></code></b><br />
::This indicates that this user can use sudo to run systemctl commands as if they were any account (root is the important one).</li>
<li>Try restarting sshd again. This time it should work.</li>
<li>Change to your '''ops245_2''' account, and try restarting sshd (with and without sudo).
::That account still can't. Sudo entries only affect the users and groups listed.</li>
<li>We don't want '''ops245_2''' to manage services (that's a job for '''ops245_1'''), but we do want them to manage user accounts. So create a sudoers file for '''ops245_2''' and set it so that they can run the useradd, usermod, userdel, groupadd, groupmod, and groupdel commands through sudo.</li>
<li>Test to make sure it works.</li>
</ol>
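The following shell helpers are an added example and are not part of the lab page or the course's own material; they serve both Part 1 (finding out what grants the first user full sudo) and Part 2 (writing a restricted sudoers.d fragment). The sample /etc/group contents, the scratch directories, and the function names (is_in_group, sudoers_rule, write_sudoers_fragment, check_fragment, demo) are constructed for illustration; the rule shape and command paths are the ones the lab uses.

```shell
#!/bin/sh
# Added example, not part of the OPS245 lab page. The group file contents,
# temporary paths and helper names below are constructed for illustration.

# Constructed /etc/group-style sample: the first user is in wheel, the
# ops245_* accounts are not (the situation Part 1 asks you to discover).
SAMPLE_GROUP_FILE=$(mktemp)
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:firstuser
ops245_1:x:1001:
ops245_2:x:1002:
EOF

# is_in_group USER GROUP [GROUPFILE]
# Succeeds when USER appears in GROUP's secondary-member list (the 4th
# colon-separated field). Membership in the wheel line is exactly what the
# "%wheel ALL=(ALL) ALL" sudoers entry keys on. Primary-group membership via
# /etc/passwd is deliberately not considered here.
is_in_group() {
    user=$1; group=$2; file=${3:-/etc/group}
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$file")
    case ",$members," in
        *",$user,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# sudoers_rule USER CMD...
# Prints one sudoers line letting USER run only the listed commands (full
# paths, comma-separated) as any target user: the shape used in Part 2.
sudoers_rule() {
    user=$1; shift
    cmds=$(printf '%s, ' "$@")
    printf '%s ALL=(ALL) %s\n' "$user" "${cmds%, }"
}

# write_sudoers_fragment DIR USER CMD...
# Writes DIR/USER containing a single rule, mode 0440. sudo ignores files in
# sudoers.d whose name contains a '.' or ends in '~', so a plain username is
# a safe file name. Prints the path written.
write_sudoers_fragment() {
    dir=$1; user=$2; shift 2
    sudoers_rule "$user" "$@" > "$dir/$user"
    chmod 0440 "$dir/$user"
    printf '%s\n' "$dir/$user"
}

# check_fragment FILE
# Syntax-check a fragment with visudo before it goes live: a broken file in
# /etc/sudoers.d can make sudo refuse to run for every admin on the box.
check_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; skipping syntax check of $1" >&2
    fi
}

# Example run mirroring the lab's two accounts, written to a scratch
# directory rather than /etc/sudoers.d so it can be tried without root.
demo() {
    scratch=$(mktemp -d)
    write_sudoers_fragment "$scratch" ops245_1 /usr/bin/systemctl
    write_sudoers_fragment "$scratch" ops245_2 \
        /usr/sbin/useradd /usr/sbin/usermod /usr/sbin/userdel \
        /usr/sbin/groupadd /usr/sbin/groupmod /usr/sbin/groupdel
    cat "$scratch"/ops245_*
}
```

Run `demo` to see the two fragments the lab asks for, then copy them into /etc/sudoers.d as root and run `check_fragment` on each before testing with the ops245_1 and ops245_2 accounts. Note that a rule naming a bare command path permits every argument to that command, so ops245_1 can restart any unit, not only sshd; sudoers also accepts command arguments in the rule when a narrower grant is wanted.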
=INVESTIGATION 3: Managing System Services and Run-levels=