Published by Horace Maxwell, modified over 6 years ago
Slide 1: Sudoers
Meryll Larkin - that's me
Why you are here:
You do this at work or want to
General curiosity - want to learn
Your first choice workshop was full
To heckle
Any burning questions you need answered? I'll make sure to get to them.
Slide 2: Sudoers
Examples and discussion style workshop
I've seen some bad sudoers files and I know how to do better, but I'm not an “expert” - ok for you to help/suggest
Why do we need to write good sudoers files?
Your ideas, examples and analysis/critiques
Slide 3: Why Sudoers
What do we do if we don't use sudoers?
What role does sudoers play in security?
Most common form of bad sudoers?
Slide 4: Sudo Aptonym
Linux developers knew commands were hard to remember, so they tried to make them memorable.
Pseudo - masquerading as someone else
SU - do = what the SuperUser does
Slide 5: Wheel Group
What is the wheel group and how is it used?
What is the gid of the wheel group?
Does it have to be the “wheel” group?
Slide 6: How to think about Sudo
Specify what a user or group CAN do
Set limits as to what a user or group CAN'T do (trickier), because there are so many ways to accomplish something in Linux.
CLI examples here.
Why we would want to do those things
Slide 7: Discuss Assorted Sudo Strategies
Per-administrator additional admin accounts: nuhura, nuhura_adm
Shared accounts for shared work
root does not have ssh permission, but you need to run remote scripts with root authority
Difference between su and su -
If you can become root, you can become any login.
Slide 8: Writing Sudoers Rules
Permissions on the /etc/sudoers file
Aliases & privilege specs in sudoers
4 types of aliases: User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias
Default for each alias type
What is /etc/sudoers.d/ ?
Slide 9: Writing Sudoer Rules, More
Principle of least privilege.
This is a User Spec (privilege) template:
User_List Host_List = Cmnd_Spec_List [: Host_List = Cmnd_Spec_List]*
Commands (the Cmnd entries in a Cmnd_Spec_List) can be a single command (absolute path is best) or a comma-separated list.
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Slide 10: Writing Sudoer Rules, More 2
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
Slide 11: Developing Rules & Testing
TRY IT!!!!
Become an unprivileged user and see if you can do your work.
Deputize a dev to show you exactly the steps she takes.
Don't test on production machines!
Test what you DON'T want to happen as well as what you do!
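As an added illustration of "test what you DON'T want to happen" (this is not part of the original slides or the author's sample scripts): a small Python linter that reads sudoers text using the User_Spec / Cmnd_Spec grammar from the previous slides, expands Cmnd_Alias names, and flags rules that grant ALL (with or without NOPASSWD), give a command without an absolute path, or put a wildcard in command arguments. The sudoers text it checks is constructed for the example; the parser is deliberately simplified and is a review aid, not a replacement for visudo -c.

```python
import re

# Constructed sample sudoers text (not from the slides): one least-privilege rule, three weak ones.
SAMPLE_SUDOERS = """\
Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
User_Alias WEBADMINS = nuhura_adm, alice
WEBADMINS webhost = (root) SERVICES
%devs ALL = (ALL) NOPASSWD: ALL
bob ALL = (root) systemctl restart nginx
carol ALL = (root) /usr/bin/vim /etc/*
"""

# User_List Host_List '=' Runas_Spec? Tag_Spec* Cmnd_Spec_List (one Host_List per line)
SPEC_RE = re.compile(r"^(?P<users>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:",
        "LOG_INPUT:", "NOLOG_INPUT:", "LOG_OUTPUT:", "NOLOG_OUTPUT:")

def lint_sudoers(text):
    """Return (line_no, finding) pairs for risky patterns. Simplified parser:
    Defaults lines, #include and #uid / %#gid forms are not handled."""
    findings, aliases = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith(("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")):
            name, _, members = line.split(None, 1)[1].partition("=")
            aliases[name.strip()] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            findings.append((n, "unparsed line"))
            continue
        rest, tags = m.group("rest"), []
        while rest.startswith(TAGS):  # peel off Tag_Spec* before the command list
            tag = next(t for t in TAGS if rest.startswith(t))
            tags.append(tag.rstrip(":"))
            rest = rest[len(tag):].lstrip()
        cmds = [c.strip() for c in rest.split(",")]
        for cmd in (x for c in cmds for x in aliases.get(c, [c])):  # expand Cmnd_Alias names
            negated, cmd = cmd.startswith("!"), cmd.lstrip("!")
            if cmd == "ALL":
                if not negated:
                    findings.append((n, "grants ALL commands" + (" without a password" if "NOPASSWD" in tags else "")))
            elif not cmd.startswith(("/", "sudoedit")):
                findings.append((n, f"command not given as an absolute path: {cmd!r}"))
            elif any(ch in cmd for ch in "*?["):
                findings.append((n, f"wildcard in command arguments: {cmd!r}"))
    return findings
```

Run it against a copy of a sudoers file (or a snippet from /etc/sudoers.d/) and review each finding against the rule's intent; the wildcard check matters because a `*` in sudoers arguments matches any number of arguments, not just one.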
Slide 12: Sudo Dangers
“Elevation of privileges” - show them
Unintentional file deletion or alteration
One strategy: greatly restrict who has sudo on production systems. Allow more sudo access on dev, test, and/or staging hosts.
Slide 13: Sudoers, End
Thanks for your attention and especially your participation!
I created a few scripts to give you a “sample set” of users so you can try out permissions and how they work on your own laptop or test machine. They should be found in the same place where you downloaded this presentation.
Happy hacking!