This lab provides you with the instructions and practical experience to install and configure a third-party utility called "sudo". Sudo allows you to grant access to privileged system resources that would normally require "root" access. Delegating specific tasks to specific users or groups of users is safer, and therefore more secure, than granting full root access. Sudo is used by both inexperienced and experienced sysadmins. It reduces the chance of errors and leaves an audit trail, since sudo logs every command it runs, and every attempt it refuses, through syslogd (the syslog daemon).
To complete the lab you will need to create user accounts and user groups and assign users to the groups. Know how to use pkg_add with the -r (remote) option, or pkg_add pointing to the path of a local package file. You will need to know which device is used for the CDROM. Use the dmesg utility and make an entry (if necessary) in the /etc/fstab file for subsequent mounts. Mount the CDROM to an appropriate mount point. Read the man pages on the sudo utility for an overview.
Install sudo from a remote location with pkg_add (this may be slow, depending on network traffic):
pkg_add -r sudo
Alternately, install sudo from the CDROM using pkg_add:
pkg_add /cdrom/packages/security/sudo........
(the full path to the package file is required, where /cdrom is the mount point for Disk 1)
Use the pw command to create a new account (-m also creates the home directory):
pw user add shakey -m
Use the pw command to create a new group:
pw group add coop
Change the membership of the new group (add shakey to it):
pw group mod coop -m shakey
sudo allows a permitted user or group of users to execute a subset of commands as the superuser (or as another privileged user), as specified in the sudoers file. sudo determines who is an authorized user by consulting the file /usr/local/etc/sudoers. To edit the sudoers file you must use the visudo command, which locks the file against simultaneous edits and checks its syntax before installing it. Because of the security implications of errors in the sudoers file, visudo will not install a file that contains syntax errors: it reports the error and lets you re-edit or quit without saving. (You can also check a sudoers file without editing it with "visudo -c".) visudo uses the environment variable VISUAL or EDITOR to determine which editor will be called when you run it. If you are using tcsh, "setenv VISUAL ee" would change the editor that visudo uses to the ee (easy) editor.
Our task is to give our new account named "shakey" and the "fbuser" account the necessary privileges to mount the CDROM drive. As we saw in the lecture there are 4 different kinds of aliases in the sudoers file (User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias). To define a new alias for our two users we use User_Alias, and the format is
User_Alias NAME = item1, item2
We will also define a command alias, whose format is
Cmnd_Alias NAME = command1, command2
Alias names must be written in upper case (letters, digits and underscores, beginning with a letter) and are case-sensitive.
We edit the sudoers file by running visudo:
visudo
Add the line:
User_Alias JUNIORS = shakey, fbuser
Add the line:
Cmnd_Alias MOUNTCD = /sbin/mount /cdrom, /sbin/umount /cdrom
You must include the correct full path of the commands; you can use the which command to find out the path ("which mount" will return /sbin/mount). When a command is listed together with arguments, as here, sudo only permits that exact argument list, so our users can mount /cdrom but nothing else. Of course we should also give them unmounting capabilities with umount, but again only for the CDROM: a bare "/sbin/umount" with no arguments would allow them to unmount any filesystem on the machine, so the argument /cdrom is given there as well.
We have defined the user alias called JUNIORS, with users shakey and fbuser. We have defined a command alias called MOUNTCD which will allow the mount and umount commands to be run on /cdrom only. Now we must make an entry that allows our users to use the MOUNTCD command alias. We add another line:
JUNIORS ALL = MOUNTCD
(The ALL is the predefined keyword that represents all hosts. The field after the user list is the host list, so this entry applies on any machine that shares the sudoers file.)
Now we can test our configurations. Save the file.
Login under the shakey account and try to mount the CDROM.
At the command prompt type:
sudo mount /cdrom
If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password. (NOTE: in the default configuration this is the user's own password, not the root password.) This behaviour is the default and can be modified. More on that later. You will also notice that running sudo does not always prompt for a password. Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden with the timestamp_timeout option in the sudoers file).
If the command is not successful then you should first look in /var/log/messages (or wherever /etc/syslog.conf sends the auth/authpriv facility that sudo logs to) for any errors reported. Check your spelling and definitions in the sudoers file (with visudo). Did you enter the password for shakey when prompted? Does the shakey account work correctly? Did you enter the command as described above? Is the CDROM drive available, and is it defined in the /etc/fstab file? Troubleshooting the problems is probably the most important part of the exercise, and it is important to go through all of the steps and document them.
Once you have successfully mounted and unmounted the CDROM from the shakey account you can go on with the next exercise.
Let's give our juniors the ability to add a user to the system as well as mounting CDROMs. Find out the full path of the adduser command with the "which" command and add that entry to the sudoers file (using visudo).
Our entry will now look like this:
JUNIORS ALL = MOUNTCD, /usr/sbin/adduser
Note that this is a much broader privilege than mounting the CDROM: adduser is listed without arguments, so any arguments are accepted, and whoever can create accounts can also choose their groups and passwords. In a production system, think carefully before delegating account creation this way.
Now let's test our configuration again. Save the file. Login under the shakey account and try to create a new user called "sparky" with the sudo adduser command. If this doesn't work, check all of your entries for errors and check the log files. If all went well we have a new account called sparky. Add sparky to the system group called coop (that you created earlier).
Use one of these two commands (as root):
pw user mod sparky -G coop
pw group mod coop -m sparky
Now we can modify our user alias called JUNIORS to include anyone that is in the coop group. Change the existing User_Alias line in the sudoers file with visudo (do not add a second User_Alias JUNIORS line; sudoers does not allow an alias to be defined twice):
User_Alias JUNIORS = shakey, fbuser, %coop
* Note the % sign in front of our system group name to denote that it is a system group rather than a user.
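To see how sudo interprets the three kinds of entry used in this lab (User_Alias with a %group member, Cmnd_Alias with and without fixed arguments, and a JUNIORS ALL = ... user specification), here is an added example: a small Python evaluator written for this page, not part of sudo or of the lab. It embeds two constructed sudoers fragments, one with a bare /sbin/umount and one with /sbin/umount /cdrom, and a constructed group table in which sparky is a member of coop, and reports which commands each user may run. It handles only what the lab uses (no Runas_Alias, Host_Alias, tags, wildcards or "!" negation); use visudo -c to check a real sudoers file.

```python
"""Tiny evaluator for the sudoers constructs used in this lab.

Added example (not part of the lab or of sudo itself).  It models
User_Alias, Cmnd_Alias, %group members, the ALL host and user specs of
the form  USERS HOSTS = CMDS, with sudo's rule that a command listed
without arguments matches any arguments while one listed with arguments
must match them exactly.  Assumptions: group membership is a plain dict,
and Runas_Alias, Host_Alias, tags, wildcards and "!" negation are not
handled.  Use visudo -c on a real sudoers file; this is only for study.
"""
import shlex

# Constructed sample policies.  LOOSE lists a bare /sbin/umount, which
# permits unmounting *any* filesystem; TIGHT pins umount to /cdrom.
SUDOERS_LOOSE = """
User_Alias JUNIORS = shakey, fbuser, %coop
Cmnd_Alias MOUNTCD = /sbin/mount /cdrom, /sbin/umount
JUNIORS ALL = MOUNTCD, /usr/sbin/adduser
"""
SUDOERS_TIGHT = SUDOERS_LOOSE.replace("/sbin/umount\n", "/sbin/umount /cdrom\n")

GROUPS = {"coop": {"sparky"}}  # constructed: sparky was added to coop with pw


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, specs) for a sudoers fragment."""
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        kind = line.split(None, 1)[0]
        if kind in ("User_Alias", "Cmnd_Alias"):
            name, members = line.split(None, 1)[1].split("=", 1)
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            name = name.strip()
            if name in table:                    # visudo rejects this too
                raise ValueError("alias %s already defined" % name)
            table[name] = [m.strip() for m in members.split(",")]
        else:                                    # USERS HOSTS = CMDS
            lhs, cmds = line.split("=", 1)
            parts = lhs.split()                  # e.g. ["JUNIORS", "ALL"]
            users = [u.strip() for u in " ".join(parts[:-1]).split(",")]
            specs.append((users, parts[-1], [c.strip() for c in cmds.split(",")]))
    return user_aliases, cmnd_aliases, specs


def user_matches(item, user, user_aliases, groups):
    if item == "ALL":
        return True
    if item.startswith("%"):                     # %name is a system group
        return user in groups.get(item[1:], set())
    if item in user_aliases:                     # expand User_Alias recursively
        return any(user_matches(i, user, user_aliases, groups)
                   for i in user_aliases[item])
    return item == user


def cmnd_matches(item, argv, cmnd_aliases):
    if item == "ALL":
        return True
    if item in cmnd_aliases:                     # expand Cmnd_Alias recursively
        return any(cmnd_matches(i, argv, cmnd_aliases) for i in cmnd_aliases[item])
    want = shlex.split(item)
    if want[0] != argv[0]:
        return False
    # No arguments in the policy means any arguments are accepted;
    # otherwise the argument list must match exactly.
    return len(want) == 1 or want[1:] == argv[1:]


def may_run(policy, groups, user, command, host="freebsd-lab"):
    """True if `user` may run `command` (a shell-style string) via sudo."""
    user_aliases, cmnd_aliases, specs = policy
    argv = shlex.split(command)
    for users, hosts, cmds in specs:
        if hosts not in ("ALL", host):
            continue
        if not any(user_matches(u, user, user_aliases, groups) for u in users):
            continue
        if any(cmnd_matches(c, argv, cmnd_aliases) for c in cmds):
            return True
    return False


if __name__ == "__main__":
    for label, text in (("loose", SUDOERS_LOOSE), ("tight", SUDOERS_TIGHT)):
        policy = parse_sudoers(text)
        for user, cmd in (("shakey", "/sbin/mount /cdrom"),
                          ("shakey", "/sbin/umount /"),
                          ("sparky", "/usr/sbin/adduser"),
                          ("sparky", "/sbin/mount /dev/acd0 /mnt")):
            verdict = "allowed" if may_run(policy, GROUPS, user, cmd) else "denied"
            print("%-5s %-7s %-28s %s" % (label, user, cmd, verdict))
```

Running it shows that under the loose policy shakey may run "/sbin/umount /", while the tight policy denies it; that sparky reaches adduser only through the %coop entry (remove him from the group table and he is denied); and that redefining JUNIORS a second time raises an error, just as visudo would.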
Using what you have learned in the previous examples and using the "man" pages for the proper syntax, perform the following configurations. You are required to document your steps and include testing and troubleshooting. Your instructor will sign off on the lab when completed.
Last updated: 2010
Updated by: Cheri Weaver
Written by: Cheri Weaver