Sudo
Summary: All about sudo.
Date: Around 2011
Refactor: 29 April 2025: Checked links and formatting.
Because of the raised security demands within my company I recently had to learn a lot about things such as su, sudo, etc. LDAP authentication was never a problem, but the enhanced security you get from a proper sudo configuration was something I had never explored before. I found out that sudo is not the holy grail of security. If you want to get to the perfect configuration you'll have to maintain it on a daily basis to keep up with new commands and bypasses. I also found out that if you implement sudo together with a trusted logging tool and a security policy, you're almost there as well. This page is about how I implemented sudo in combination with LDAP-authenticated groups; it is tested and implemented on SuSE and AIX, both using eDirectory as the LDAP database.
Sudo Security
I implemented sudo with a restriction on which commands are not allowed to be used. There are, however, some downsides to that. Sudo only knows the commands that are not allowed by name, not by functionality. So first you'll have to list all the commands that are not allowed, and then you'll find out that your users can rename the commands and run them under the new name. I tested that and I have to admit, it works smoothly. So it's not really secure, but it does provide a warning when users first try to run the restricted commands. They should be aware that running those commands is not allowed (by, for example, a security policy), and sudo logs everything to my syslog server. I talked about it with my security officer and we made the deal that it is OK for now, and that he will deliver a list of all the allowed commands. I would still like to test whether I can rename a restricted command to an allowed command, but all in good time.

Furthermore, there is a second flaw in the security setup. Of course I restricted the shells, to prevent users from getting a shell with root access, which is practically the same as logging in as root. But a lot of programs have the possibility to do a shell escape, for example vi. That means users can start vi as root using sudo and then escape to the shell (using ! followed by the command). There is a way to prevent that, called noexec (search the manual for noexec), but it also requires a list of programs which have the possibility to do a shell escape. Again, something for my security officer.
Another way around sudo is the command:
sudo sudo -u <adminuser> bash
This will give you a bash shell owned by the admin user you specified. This can be blocked, however: you can restrict users to running sudo only as root by replacing the ALL within the parentheses.
Sudo Logging
By default sudo logs every command to /var/log/messages, or to whatever you're using as a syslog server. I tried to change a few settings but the documentation on this subject is a bit... well, it's missing. There is documentation, but when I try to set it up all I get is syntax errors, and I can't find a proper example.
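Since the syslog records are the only thing that actually catches the bypasses described above (a renamed binary, a denied shell), it helps to have a small parser for them. The following is an added example, not code from the original page: it parses sudo's default syslog line layout, constructed sample lines included, and reports denied commands, failed password attempts, and commands executed from a path outside the normal system directories, which is where a renamed copy of a restricted binary would live. The host name, user names and paths in the sample are made up.

```python
"""Parse sudo's default syslog lines and summarise what a reviewer of the
syslog server wants to see: denied commands, failed password attempts, and
commands run from paths where a renamed copy of a restricted binary would live."""
import re
from collections import Counter

# Constructed sample lines in sudo's syslog layout (not taken from the author's server).
SAMPLE_LOG = """\
Mar  3 09:12:01 susesudo sudo:   sjoerd : TTY=pts/0 ; PWD=/home/sjoerd ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Mar  3 09:12:40 susesudo sudo:   sjoerd : command not allowed ; TTY=pts/0 ; PWD=/home/sjoerd ; USER=root ; COMMAND=/bin/bash
Mar  3 09:13:05 susesudo sudo:   sjoerd : command not allowed ; TTY=pts/0 ; PWD=/home/sjoerd ; USER=root ; COMMAND=/usr/bin/su -
Mar  3 09:14:22 susesudo sudo:   sjoerd : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/tmp/mybash
Mar  3 09:15:00 susesudo sudo:    peter : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/peter ; USER=root ; COMMAND=/bin/ls
Mar  3 09:15:30 susesudo sshd[4242]: Accepted publickey for sjoerd from 10.0.0.5 port 51234 ssh2
"""

# "<timestamp> <host> sudo: <user> : [<reason> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# The reason (e.g. "command not allowed") never contains '=', which is how it is told apart
# from the first key=value field on a successful run.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;=]+?) ; )?(?P<fields>.*)$")

# Where binaries run through sudo normally live; anything else deserves a second look
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/opt/")


def parse_sudo_line(line):
    """Return a dict for a sudo syslog line, or None for any other syslog line."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "user": m.group("user"), "reason": m.group("reason")}
    for field in m.group("fields").split(" ; "):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review(log_text):
    """Summarise the sudo activity in a syslog extract."""
    denied, odd_path = [], []
    denied_per_user = Counter()
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        cmd = rec.get("COMMAND", "")
        binary = cmd.split(" ", 1)[0]
        if rec["reason"]:
            # sudo refused the command (not in sudoers, or the password was wrong)
            denied.append((rec["user"], rec["reason"], cmd))
            denied_per_user[rec["user"]] += 1
        elif not binary.startswith(TRUSTED_PREFIXES):
            # allowed by sudoers, but the binary lives in a user-writable place
            odd_path.append((rec["user"], rec.get("PWD", ""), cmd))
    return {"denied": denied, "odd_path": odd_path,
            "denied_per_user": dict(denied_per_user)}


if __name__ == "__main__":
    summary = review(SAMPLE_LOG)
    for user, reason, cmd in summary["denied"]:
        print(f"DENIED   {user:8} {reason}: {cmd}")
    for user, pwd, cmd in summary["odd_path"]:
        print(f"ODD PATH {user:8} (cwd {pwd}): {cmd}")
    print("denied per user:", summary["denied_per_user"])
```

The regex matches the layout sudo uses when it logs through syslog; if you redirect sudo to its own file with a Defaults logfile setting the line prefix changes and the ts group needs adjusting. The "odd path" check is the detection counterpart of the rename trick described above: a deny-list can only refuse what it matches by path, so an allowed run of something from /tmp or a home directory is the signal to look for.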
SuSE
SuSE Default Sudo
This is the default sudo config file on SLES 10 SP1:
susesudo:~ # cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset
# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
SuSE LDAP Sudo
When you have SuSE LDAP enabled you also want sudo to handle your administrator roles. When you issue the command id <username>
you'll see which groups a user is a member of. All of these groups can be used as a sudo group:
susesudo:~ # id sjoerd
uid=610(sjoerd) gid=606(ssh-access) groups=606(ssh-access),612(ssh-ict)
So when you want to add a group like that you can enter this line in the sudo file:
%ssh-ict ALL=(ALL) NOPASSWD: ALL
which will give everyone in this group passwordless sudo access.
Taking all the security and limitation considerations into account, I would use this sudo file:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias SHELLS = /bin/sh, /bin/bsh, /bin/csh, /bin/ksh, /bin/tsh, /bin/ksh93, \
    /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh, \
    /usr/bin/tsh, /usr/bin/ksh93, /usr/bin/rksh, /usr/bin/rksh93, \
    /usr/sbin/sliplogin, /usr/sbin/uucp/uucico, /usr/sbin/snappd, \
    /bin/bash, /usr/bin/bash, /usr/local/share/bin/bash, \
    /usr/local/bin/bash
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PASS = /usr/bin/passwd root
Cmnd_Alias VISUDO = /usr/sbin/visudo
# Defaults specification
# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset
# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
%ssh-susesudo ALL=(root) NOPASSWD: ALL, !SU, !SHELLS, !PASS, !VISUDO
%ssh-ict ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
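A sudoers file like the one above is easy to get subtly wrong, and the Sudo Security section earlier on this page lists the specific ways: a deny-list layered on ALL only matches by path, NOPASSWD on ALL, and shell escapes that noexec would have to cover. The following audit script is an added example and not part of the original page or the sudo project: it parses a sudoers file (Cmnd_Alias and Runas_Alias lines with backslash continuations, Defaults options, and user specifications with leading tags), expands the aliases, and reports those patterns. The embedded sample is a trimmed, constructed version of the LDAP sudoers shown above, not a verbatim copy.

```python
"""Audit a sudoers file for the weaknesses discussed on this page: deny-lists
layered on ALL, passwordless ALL, missing NOEXEC, and the stock
'Defaults targetpw' + 'ALL ALL=(ALL) ALL' pair left in place."""
import re

# Constructed sample that mirrors the LDAP sudoers on this page (trimmed, not verbatim).
SAMPLE_SUDOERS = r"""
# Cmnd alias specification
Cmnd_Alias SHELLS = /bin/sh, /bin/bsh, /bin/csh, /bin/ksh, \
    /bin/bash, /usr/bin/bash, /usr/local/bin/bash
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PASS = /usr/bin/passwd root
Cmnd_Alias VISUDO = /usr/sbin/visudo
Defaults always_set_home
Defaults env_reset
Defaults targetpw   # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
root ALL=(ALL) ALL
%ssh-susesudo ALL=(root) NOPASSWD: ALL, !SU, !SHELLS, !PASS, !VISUDO
%ssh-ict ALL=(ALL) NOPASSWD: ALL
"""

ALIAS_KINDS = ("Cmnd_Alias", "Runas_Alias", "User_Alias", "Host_Alias")
ALIAS_RE = re.compile(r"^(%s)\s+(\w+)\s*=\s*(.*)$" % "|".join(ALIAS_KINDS))
# who host=(runas) [TAG:] command list   (the (runas) part is optional)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def logical_lines(text):
    """Join backslash continuations and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1] + " "
            continue
        buf = ""
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def parse_sudoers(text):
    """Return aliases, Defaults options and user specs with Cmnd aliases expanded."""
    cfg = {"aliases": {k: {} for k in ALIAS_KINDS}, "defaults": set(), "specs": []}
    for line in logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            cfg["aliases"][kind][name] = [x.strip() for x in members.split(",")]
            continue
        if line.startswith("Defaults"):
            cfg["defaults"].update(line.split()[1:])
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, host, runas, rest = m.groups()
        tags = set()
        while (t := TAG_RE.match(rest)):   # only tags in front of the list are handled
            tags.add(t.group(1))
            rest = rest[t.end():]
        allow, deny = [], []
        for item in (x.strip() for x in rest.split(",")):
            neg = item.startswith("!")
            name = item.lstrip("!")
            expanded = cfg["aliases"]["Cmnd_Alias"].get(name, [name])
            (deny if neg else allow).extend(expanded)
        runas = runas or "root"   # without a Runas_Spec sudo runs the command as root
        cfg["specs"].append({"who": who, "host": host, "tags": tags, "allow": allow,
                             "deny": deny,
                             "runas": cfg["aliases"]["Runas_Alias"].get(runas, [runas])})
    return cfg


def audit(text):
    """List (who, finding) pairs for the weaknesses described in the text above."""
    cfg = parse_sudoers(text)
    findings = []
    for s in cfg["specs"]:
        who = s["who"]
        if "ALL" in s["allow"] and s["deny"]:
            # excluded commands are matched by path, so a copy of the binary under
            # another name is not excluded: this is a warning, not a control
            findings.append((who, "denylist-on-ALL"))
        if "ALL" in s["allow"] and "NOPASSWD" in s["tags"]:
            findings.append((who, "nopasswd-ALL"))
        if s["deny"] and "NOEXEC" not in s["tags"] and "noexec" not in cfg["defaults"]:
            # shells are denied, but a shell escape from an allowed program still works
            findings.append((who, "no-noexec"))
        if who == "ALL" and "targetpw" in cfg["defaults"]:
            # the two stock lines the SuSE template says to delete once sudo is configured
            findings.append((who, "targetpw-ALL-rule"))
    return findings


if __name__ == "__main__":
    for who, finding in audit(SAMPLE_SUDOERS):
        print(f"{who:16} {finding}")
```

Run against the sample it reports the two stock targetpw lines (which the file's own comment says to delete once sudo is configured), the deny-list and missing noexec on %ssh-susesudo, and passwordless ALL on both groups. The parser understands the subset of sudoers syntax used on this page; per-command tags in the middle of a list, #include directives and Defaults with arguments are not handled, so treat it as a first pass and still run visudo -c on the real file.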
AIX
By default, sudo logs everything to syslog, but after you've changed the sudo file you should also refresh the syslog service:
refresh -s syslogd
AIX default sudo
When you have just installed the sudo rpm on an AIX box you'll have this configuration:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
AIX LDAP sudo
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias SHELLS = /bin/sh, /bin/bsh, /bin/csh, /bin/ksh, /bin/tsh, /bin/ksh93, \
    /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh, \
    /usr/bin/tsh, /usr/bin/ksh93, /usr/bin/rksh, /usr/bin/rksh93, \
    /usr/sbin/sliplogin, /usr/sbin/uucp/uucico, /usr/sbin/snappd, \
    /bin/bash, /usr/bin/bash, /usr/local/share/bin/bash, \
    /usr/local/bin/bash
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PASS = /usr/bin/passwd root
Cmnd_Alias VISUDO = /usr/sbin/visudo
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
%ssh-aixsudo ALL=(root) NOPASSWD: ALL, !SU, !SHELLS, !PASS, !VISUDO
%ssh-ict ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
AIX Runas
On AIX I recently added the Runas aliases:
# Runas alias specification
Runas_Alias USER = user-1, user-2, user-3, user-4, user-5, user-6, user-7, user-8, user-9, user-10
sjoerd ALL=(USER) NOPASSWD: /usr/bin/cp
This gives the user sjoerd the possibility to run the cp command as any one of the specified users:
sudo -u user-1 cp filea fileb
This is useful when you want the new files to end up with the correct owner and permissions.