Sudo Access with Beowulf Clusters Chris Feehan CS Senior Capstone 12/18/06.

Presentation transcript:

Outline
* Intro to the Sudo Command
* Configuring Sudo
* Sudo w/ Clusters
* Ethics & Security
* Recommendations

What Exactly is Sudo?
* An access configuration tool
* Lets a non-root user run commands as root without knowing the root password (root = superuser)
* Installed by default on most Unix-based OSs
* Widely used at academic institutions and small, low-budget businesses
* It's free!

Sudo Configuration
* Prefix the command with "sudo"; sudo prompts for the user's own password, then accepts or denies the request. Example:
    % sudo chmod u+rw file.txt
    Password: _______
* The policy lives in /etc/sudoers and is edited with /usr/sbin/visudo
* Two main components: aliases and user specifications

/etc/sudoers Example
* Alias syntax: Alias_Type ALIASNAME = item1, item2, ...
* Aliases (comments in sudoers start with #):
    # Aliases
    User_Alias SYSADMINS    = jensen, feehan
    Host_Alias CLUSTERHEADS = castaway
    Cmnd_Alias DELEGATE     = /bin/chgrp, /bin/chown
    Cmnd_Alias SHELLS       = /bin/sh, /bin/bash, /bin/tcsh
* User specifications (user host = (runas) commands):
    # root (the superuser) may run anything, anywhere
    root      ALL          = (ALL) ALL
    # the sysadmins may run the delegated commands on the cluster head, but not a shell
    SYSADMINS CLUSTERHEADS = DELEGATE, !SHELLS

Why is sudo right for the St. Olaf Beowulf Cluster?
* Free: the expensive commercial alternative is a product such as Symark PowerPassword
* Highly configurable: users can be limited to the specific tasks they need to perform
* Secure editing via visudo: locks the sudoers file against multiple simultaneous edits, and runs basic sanity checks and parse-error checks before the file is installed
* Powerful logging facilities: /var/log/sudo.log, plus each user's .bash_history
* Allows for the least-privilege methodology: give users the least access they need, which minimizes the damage a user or an attacker can do

Sudo Risks
* Sudo passwords: every account with full sudo access is another password that gives root, which raises an attacker's likelihood of success
  * How can they get access to passwords? For example by reading /etc/shadow via sudo
* Sudo hijacking: by default sudo uses tickets (password caching), and multiple sessions of the same user share one ticket! An attacker who gets into one of those sessions can piggyback on the sudo privileges without knowing the user's password
  * Prevention tip: disable password caching
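The logging slide above lists /var/log/sudo.log as one of sudo's strengths, and the risks slide names reading /etc/shadow via sudo as a way to get at passwords. The following added example (not part of the presentation, and not sudo's own tooling) shows what a defender can get out of that log: it parses records written in the style of sudo's logfile format, then flags denied requests, any shell run through sudo wherever it was copied to, commands outside the DELEGATE set from the sudoers slide, and arguments that name sensitive files. The five log lines, the user names and the paths are constructed for the example.

```python
"""Review sudo's log for the abuse patterns the slides describe.

Added example, not part of the slides.  The five log lines are constructed in
the style of sudo's own logfile (Defaults logfile=/var/log/sudo.log) and do not
come from any real system; the delegated command set mirrors the DELEGATE alias
on the sudoers slide.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 18 14:02:11 : feehan : TTY=pts/1 ; PWD=/home/feehan ; USER=root ; COMMAND=/bin/chown student /export/data
Dec 18 14:03:45 : jensen : TTY=pts/3 ; PWD=/home/jensen ; USER=root ; COMMAND=/bin/chgrp cluster /export/data
Dec 18 14:05:30 : jeff : command not allowed ; TTY=pts/2 ; PWD=/home/jeff ; USER=root ; COMMAND=/bin/sh
Dec 18 14:06:02 : jeff : TTY=pts/2 ; PWD=/home/jeff ; USER=root ; COMMAND=/home/jeff/sh
Dec 18 14:09:15 : feehan : TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
"""

# One logfile record: timestamp, invoking user, an optional failure reason, then the fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) : (?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

DELEGATED = {"/bin/chgrp", "/bin/chown"}            # what the sudoers slide actually delegates
SHELL_NAMES = {"sh", "bash", "tcsh", "csh", "ksh", "zsh"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers"}   # the "/etc/shadow via sudo" risk


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    argv = rec["cmd"].split()
    rec["program"], rec["args"] = argv[0], argv[1:]
    return rec


def review(log_text):
    """Return (findings, per_user): findings is a list of (kind, user, detail) tuples."""
    findings, per_user = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", None, line))
            continue
        per_user[rec["user"]] += 1
        if rec["reason"]:                                  # sudo refused the request
            findings.append(("denied", rec["user"], rec["cmd"]))
            continue
        basename = rec["program"].rsplit("/", 1)[-1]
        if basename in SHELL_NAMES:                        # a shell, wherever it was copied to
            findings.append(("shell", rec["user"], rec["program"]))
        elif rec["program"] not in DELEGATED:              # usage drifted beyond DELEGATE
            findings.append(("outside_delegation", rec["user"], rec["program"]))
        if SENSITIVE_FILES.intersection(rec["args"]):
            findings.append(("sensitive_file", rec["user"], rec["cmd"]))
    return findings, per_user


if __name__ == "__main__":
    found, counts = review(SAMPLE_LOG)
    for kind, user, detail in found:
        print(f"{kind:18} {user or '-':8} {detail}")
    print("sudo invocations per user:", dict(counts))
```

Matching the shell by basename rather than by full path is the point of the "shell" check: the copied-shell trick that the escalation slide describes changes the path but not the program name. Real deployments usually send sudo's records to syslog instead of a flat file, so the regular expression would need the syslog prefix added; the field layout after the user name is the same.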

Piggyback Attack
* SysAdmin John logs into the cluster head
* John runs a sudo command; his sudo password is cached for 5 minutes
* John logs off
* The attacker gains access to John's terminal session
* The attacker uses sudo without John's password

Sudo Risks (cont)
* Sudo escalation: exclusion vs. inclusion. If sudo is improperly configured, limited sudo becomes full sudo
* Example of an exclusion-style entry:
    jeff ALL = ALL, !SHELLS
* Run "sudo /bin/sh": Error, not allowed by sudo
* Copy /bin/sh to /home, then run "sudo /home/sh": logged in as root
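The two slides above make two configuration points: password caching should be disabled, and an exclusion entry such as `ALL, !SHELLS` only blocks the paths that are literally listed. The following added example (not from the presentation, and not sudo's own parser) is a small policy checker for the subset of sudoers syntax the slides use. It evaluates an exclusion policy and an inclusion policy against the cases the slides discuss, and reports whether `Defaults timestamp_timeout=0` is set. The user names, host name and paths come from the slides; the two sudoers texts are constructed for the example.

```python
"""Simplified sudoers policy checker.

Added example, not part of the slides and not sudo's own parser.  It handles
only the subset of /etc/sudoers syntax the slides use (Defaults, User_Alias,
Host_Alias, Cmnd_Alias and `user host = (runas) cmd, !cmd` specifications),
compares commands by exact path and applies sudo's last-match-wins rule, which
is enough to show why `ALL, !SHELLS` fails and what the inclusion-only
alternative looks like.  Use `visudo -c` to check a real sudoers file.
"""
import re

ALIAS_RE = re.compile(r"(User_Alias|Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.*)")
SPEC_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.*)")


def parse_sudoers(text):
    """Parse the supported sudoers subset into a policy dict."""
    policy = {"defaults": {}, "User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}, "specs": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            for opt in line[len("Defaults"):].split(","):
                opt = opt.strip()
                if "=" in opt:
                    key, val = opt.split("=", 1)
                    policy["defaults"][key.strip()] = val.strip()
                else:                                 # boolean flag, possibly negated with "!"
                    policy["defaults"][opt.lstrip("!")] = not opt.startswith("!")
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, items = m.groups()
            policy[kind][name] = [i.strip() for i in items.split(",") if i.strip()]
            continue
        m = SPEC_RE.match(line)
        if m:
            user, host, cmds = m.groups()
            policy["specs"].append((user, host, [c.strip() for c in cmds.split(",") if c.strip()]))
    return policy


def expand(policy, kind, item):
    """Recursively expand an alias name; anything that is not an alias is returned as-is."""
    if item in policy[kind]:
        return [x for member in policy[kind][item] for x in expand(policy, kind, member)]
    return [item]


def evaluate(policy, user, host, command):
    """True if `user` may run `command` (given as an exact path) on `host`.

    Entries are scanned in file order and the last one that matches wins, which
    is exactly why `ALL, !SHELLS` still permits any path that is not literally
    listed in SHELLS, such as a copy of /bin/sh in a home directory."""
    allowed = False
    for spec_user, spec_host, cmds in policy["specs"]:
        if spec_user != "ALL" and user not in expand(policy, "User_Alias", spec_user):
            continue
        if spec_host != "ALL" and host not in expand(policy, "Host_Alias", spec_host):
            continue
        for entry in cmds:
            negated = entry.startswith("!")
            for cmd in expand(policy, "Cmnd_Alias", entry.lstrip("!")):
                if cmd in ("ALL", command):
                    allowed = not negated
    return allowed


def caching_disabled(policy):
    """True when Defaults timestamp_timeout=0, i.e. sudo asks for the password every time."""
    return policy["defaults"].get("timestamp_timeout") == "0"


# Constructed policies using the names from the slides, not a real cluster's file.
EXCLUSION_SUDOERS = """
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/tcsh
jeff ALL = (ALL) ALL, !SHELLS             # "everything except shells"
"""

INCLUSION_SUDOERS = """
Defaults timestamp_timeout=0              # no ticket caching: every sudo asks for the password
User_Alias SYSADMINS = jensen, feehan
Host_Alias CLUSTERHEADS = castaway
Cmnd_Alias DELEGATE = /bin/chgrp, /bin/chown
SYSADMINS CLUSTERHEADS = (ALL) DELEGATE   # only the delegated commands, only on the head node
"""


def demo():
    """Evaluate both policies against the cases discussed on the slides."""
    ex, inc = parse_sudoers(EXCLUSION_SUDOERS), parse_sudoers(INCLUSION_SUDOERS)
    return {
        "exclusion_blocks_/bin/sh": not evaluate(ex, "jeff", "castaway", "/bin/sh"),
        "exclusion_blocks_copied_sh": not evaluate(ex, "jeff", "castaway", "/home/jeff/sh"),
        "inclusion_allows_chown_on_head": evaluate(inc, "feehan", "castaway", "/bin/chown"),
        "inclusion_blocks_chown_on_node": not evaluate(inc, "feehan", "node01", "/bin/chown"),
        "inclusion_blocks_copied_sh": not evaluate(inc, "feehan", "castaway", "/home/feehan/sh"),
        "inclusion_caching_disabled": caching_disabled(inc),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:34} {result}")
```

The only case that comes out False is `exclusion_blocks_copied_sh`, which is the escalation the slide describes; the inclusion policy never reaches an `ALL` entry, so an unlisted path cannot match anything. `timestamp_timeout=0` is the blunt form of the "disable password caching" tip; sudo's `tty_tickets` option, which gives each terminal its own ticket, is the milder setting that addresses the shared-ticket problem specifically.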

Recommendations
* How to delegate privileges on the Beowulf cluster? Currently the only active sudo configuration is root = ALL, admin = ALL
* The student admin / project leader should learn sudo inside and out
* Don't make the mistake of using exclusion. Start basic and increase privileges as necessary
* If configuring sudo, also configure ssh: nobody should be logging into the child nodes as root
* Further reading: PDF report on Secure Automation with Sudo & SSH, Robert Napier, Cisco Systems

Questions?