Presentation is loading. Please wait.

Presentation is loading. Please wait.

System Administration II

Published byBarrie Hill Modified over 7 years ago

Similar presentations

Presentation on theme: "System Administration II"— Presentation transcript:

1 System Administration II
Users and Security Software Management

2 Users and security Advanced

3 Quick Review: su

4 su switch user Temporarily become another user without Notes:
logging out logging in as a different user do work as new user log in as the original user try to remember where you were as original user su [options] [commands] [-] [username] Notes: No username  become root - assume attributes of the new user

5 su Still have to know the password of the new user
Have a new environment That of the new user (if – specified) When exited return to previous user Can su within su Considered poor practice Consumes extra resources How many times have you “su’ed” Who are you now? Are you the same user in a higher layer Best to su, do the task and return to base user Start a new su from base if needed

6 Problem Root authority is required for many System Administration duties Systems can be large and complex  Requires more than 1 person to run Need backup personnel Vacations, sickness, etc  Must share the root ID and password Security problem If an error or sabatage Who did it?

7 sudo and sudoers

8 SUDO and SUDOERS The sudo command and the sudoers file work together
Allows access as needed to system resources As permitted At the appropriate level What can be accessed Allows tracking of who did what

9 SUDO Program that allows users to run programs with “elevated” (different) privilages E.g. at the root level Each sysadmin uses their own personal id  Knows who did a command Typically via a log file Each sudo ID can have its own privilages From full root authority To only being able to run a single command with a specific limit on parameters as a specific user

10 SUDO Installation (Debian) Configuration apt-get install sudo
/etc/sudoers Contains who can do what

11 SUDO Permitted users can execute a commands as a different user
As specified in the sudoers file Can be: any user even root Real and effective uid and gid are set to match those of the target user as specified in the passwd file

12 SUDO sudo requires users authenticate themselves with a password
By default the current user's password NOT the other user’s password Once a user has been authenticated, a timestamp is set User may sudo without a password for a short period of time Typically 5 minutes unless overridden in sudoers

13 SUDO Authorized users are determined from the file /etc/sudoers
-v flag updates the time stamp without running a command Password prompt will also time out if the user's password is not entered within 5 minutes Default can be overridden via sudoers An can be sent if a non-sudoer tries to sudo Defined at configure time or the sudoers file Destination defaults to root -l or -v flags allows users to determine if they can sudo Mail will not be sent if an unauthorized user tries use sudo with these flags

14 Popular Options -l -k -b
-l (list) option will list out the allowed (and forbidden) commands for the user on the current host. -k -k (kill) option to sudo invalidates the user's timestamp by setting the time on it to the epoch. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file. -b -b (background) option tells sudo to run the given command in the background. Note that if you use the -b option you cannot use shell job control to manipulate the process.

15 Other Options -V -L -h -v
-V (version) option causes sudo to print the version number and exit. If the invoking user is already root the -V option will print out a list of the defaults sudo was compiled with as well as the machine's local network addresses. -L -L (list defaults) option will list out the parameters that may be set Defaults line along with a short description for each. This option is useful in conjunction with grep(1). -h -h (help) option causes sudo to print a usage message and exit. -v -v (validate) option will update the user's timestamp Prompts for the user's password if necessary Extends the sudo timeout for another 5 minutes Or whatever the timeout is set to in sudoers Does not run a command

16 Other Options -K -K (sure kill) option to sudo removes the user's timestamp entirely. Likewise, this option does not require a password. -p -p (prompt) option allows you to override the default password prompt and use a custom one. If the password prompt contains the %u escape, %u will be replaced with the user's login name. Similarly, %h will be replaced with the local hostname. -u -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a username, use #uid.

17 Other Options -c -c (class) option causes sudo to run the specified command with resources limited by the specified login class. class argument can be either a class name as defined in /etc/login.conf, or a single '-' character. Specifying a class of - indicates that the command should be run restricted by the default login capabilities for the user the command is run as. If the class argument specifies an existing user class, the command must be run as root, or the sudo command must be run from a shell that is already root. This option is only available on systems with BSD login classes where sudo has been configured with the --with-logincap option. -a -a (authentication type) option causes sudo to use the specified authentication type when validating the user, as allowed by /etc/login.conf. The system administrator may specify a list of sudo-specific authentication methods by adding an ``auth-sudo'' entry in /etc/login.conf. This option is only available on systems that support BSD authentication where sudo has been configured with the --with-bsdauth option.

18 Other Options -s -H -P -S --
-s (shell) option runs the shell specified by the SHELL environment variable if it is set or the shell as specified in passwd(5). -H -H (HOME) option sets the HOME environment variable to the homedir of the target user (root by default) as specified in passwd(5). By default, sudo does not modify HOME. -P -P (preserve group vector) option causes sudo to preserve the user's group vector unaltered. By default, sudo will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. -S -S (stdin) option causes sudo to read the password from standard input instead of the terminal device. -- -- flag indicates that sudo should stop processing command line arguments. It is most useful in conjunction with the -s flag.

19 Return Values sudo will the return value of the program that was executed Only if the program successfully executes sudo quits with an exit value of 1 if: there is a configuration/permission problem sudo cannot execute the given command An error string is sent to stderr sudo cannot stat one or more entries in the user's PATH an error is printed on stderr the directory does not exist or if it is not really a directory The entry is ignored and no error is printed This should not happen under normal circumstances. The most common reason for stat to return ''permission denied'' is if an automounter is running and one of the directories in the PATH is on a machine that is currently unreachable

20 SUDO sudo can log both successful and unsuccessful attempts (as well as errors) to: syslog a log file or both By default sudo will log via syslog Changeable at configure time Via the sudoers file

21 sudoers file – simple example
Example sudo entries with all four fields: superadm ALL=(ALL) ALL superadm ALL=(ALL:ALL) ALL First field specifies user that will be granted privileges for some command(s) superadm in this case Second field is rarely used It's a list of hostnames on which this sudo entry will be effective. On standard setups only localhost is relevent so this field is usually left as ALL Fourth (last) field is the list of commands superadm will be able to run with elevated privileges ALL means all commands Otherwise use a comma separated list of commands Third field specifies which users (and groups) the superadm user will be able to run the following commands as Optional and written within the () (ALL:ALL) specifies user:group ALL means anyone can be chosen (unrestricted). If this field is omitted, it means the same as (root).

22 sudoers examples operator ALL= /sbin/poweroff
the UID operator to run the command poweroff from any terminal pete boa = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root pete may change passwords from the boa host for any purely alphabetic id but not root jill viking, queen = (operator) /usr/local/op_commands/ jill can run any command in the directory /usr/local/op_commands/ as user operator from the viking and queen hosts

23 sudoers aliases Sudo supports aliases for: users -> User_Alias
run commands as other users -> Runas_Alias host -> Host_Alias command -> Cmnd_Alias User_Alias OPERATORS = joe, mary, jude Runas_Alias OP = root, operator Host_Alias OFNET = / Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Where: User alias OPERATORS includes the users joe, mary and jude Run alias OP includes the users root and operator, Host alias OFNET includes the network (the /24 subnet) Command alias PRINTING includes the commands lpc and lprm

24 Sample sudoders file User_Alias OPERATORS = joe, mary, jude
Runas_Alias OP = root, operator Host_Alias OFNET = / Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm OPERATORS ALL=ALL # users in the OPERATORS group can run any command from any terminal linus ALL=(OP) ALL # linus can run any command from any terminal as any user in the OP group # (root or operator) user2 OFNET=(ALL) ALL # user2 may run any command from any machine in the OFNET network, as any user user3 ALL= PRINTING # user3 may run lpc and lprm from any machine go2linux ALL=(ALL) ALL # go2linux may run any command from any machine acting as any user

25 sudo oddities sudo works on programs  cannot su cd /path Solution:
sudo –i Elevate to root Starts a new shell, root since no ID specified Run your command(s) End with <ctrl-D>

26 Sudoers Manual Sudoers directives can get as complicated as you need
This was just a simple introduction Here is a site with more gory details:

27 Sudo Summary sudo and sudoers was created to:
Allow certain users to run as other users with specific restrictions Can be set up so root is not required or even allowed System can still be maintained Can track who made each change Requires a unique id per system admin Note: Ubuntu installs with root disabled

28 Use sudo to Make executing root commands easier
Make it easier for users to use new commands Restrict and track who has run sensitive commands Understand how Ubuntu works Use su, it’s easier

29 Program management

30 Installing and Maintaining Software
Software on a system must be maintained: Correct installation of new software Updating of existing software Removal of unneeded data/software Task automated by: Installer Package management system

31 package manager (package management system)
For software it is a collection of tools that automates the process of installing upgrading configuring removing Packages contain metadata consisting of: software's name description of its purpose checksum version number vendor list of dependencies After installation the metadata is stored in a local package database Maintains a database of software dependencies and version information Prevents software mismatches and missing prerequisites

32 Package Management System
Many varieties depending on base OS 2 main Linux styles Debian dpkg – base tool apt – cli interface synaptic – gui interface Red Hat yum – base tool Has a cli PackageKit – gui interface

33 Windows Windows Installer Package Manager InstallShield Old school
Windows XP, Server 2003, Server 2008… Package Manager Comes with Vista and later Install/remove hotfixes Enable/disable services Use an answer file Do multiple installs/uninstalls with one command InstallShield #1 vendor install tool Complete toolset to "productize, bundle and install" prodcuts MSI format Virtual Format Old school setup.exe or install.exe Custom script to install program

34 Package Management System
PMS vs. Installer Package Management System Installer Typically part of the operating system. Each product comes bundled with its own installer. Uses a single installation database. Performs its own installation, sometimes recording information about that installation in a registry. Can verify and manage all packages on the system. Only works with its bundled product. Single package management system vendor. Multiple installer vendors. Single package format. Multiple installation formats.

35 Last Notes Cross Platform installers exist InstallAnywhere
Windows NT, mas OS, Unix-like Installer VISE Winddows, Mac OS X InstallJammer Windows, Linux, Unix-like and others…

36 Package Managers Make installing easier Make updating easier
Make removing programs easier All of the above None of the above

Download ppt "System Administration II"

Similar presentations

Linux Users and Groups Management

Linux Users and Groups Management
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
Introducing the Command Line CMSC 121 Introduction to UNIX Much of the material in these slides was taken from Dan Hood’s CMSC 121 Lecture Notes.

Introducing the Command Line CMSC 121 Introduction to UNIX Much of the material in these slides was taken from Dan Hood’s CMSC 121 Lecture Notes.
1 Web Server Administration Chapter 3 Installing the Server.

1 Web Server Administration Chapter 3 Installing the Server.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
Installing software on personal computer

Installing software on personal computer
V2012.13. 2 Avon High School Tech Crew Agenda Old Business –Delete Files New Business –Week 10 Topics: Coming up: –Yearbook Picture: Feb 7 12:20PM.

V Avon High School Tech Crew Agenda Old Business –Delete Files New Business –Week 10 Topics: Coming up: –Yearbook Picture: Feb 7 12:20PM.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Lesson 7-Creating and Changing Directories. Overview Using directories to create order. Managing files in directories. Using pathnames to manage files.

Lesson 7-Creating and Changing Directories. Overview Using directories to create order. Managing files in directories. Using pathnames to manage files.
V2012.13. 2 Avon High School Tech Crew Agenda Old Business –Delete Files New Business –Week 9 Topics: Coming up: –Yearbook Picture: Feb 7 12:20PM.

V Avon High School Tech Crew Agenda Old Business –Delete Files New Business –Week 9 Topics: Coming up: –Yearbook Picture: Feb 7 12:20PM.
1 Guide to Novell NetWare 6.0 Network Administration Chapter 12.

1 Guide to Novell NetWare 6.0 Network Administration Chapter 12.
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.
An introduction to Apache. Different Types of Web Servers Apache is the default web server for may Unix servers. IIS is Microsoft’s default web server.

An introduction to Apache. Different Types of Web Servers Apache is the default web server for may Unix servers. IIS is Microsoft’s default web server.
Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May 20121.0First version. Modified from Enterprise edition.NBL.

Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May First version. Modified from Enterprise edition.NBL.
Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.

Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.
Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.

Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.
2.0.0.3 – Introduction to the Shell 10/1/2015 Introduction to the Shell – Session 2 1 2.0.0.3.2 Introduction to the Shell – Session 2 · Permissions · Users.

– Introduction to the Shell 10/1/2015 Introduction to the Shell – Session Introduction to the Shell – Session 2 · Permissions · Users.

Similar presentations

Ads by Google