Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview – SOE Sudo Dec 2013.

Published byGervase Brown Modified over 6 years ago

Similar presentations

Presentation on theme: "Overview – SOE Sudo Dec 2013."— Presentation transcript:

1 Overview – SOE Sudo Dec 2013

2 What is SOE Sudo? Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. Users and commands can be defined in sudo configuration file /etc/sudoers Sudo access can be monitored by /var/[adm/log]/sudolog (Default path) Allows users to run programs with the security privileges of another user A highly configurable tool Allows for Least Privilege methodology Logs each command run

3 Why do you Need Sudo? UNIX root account is all or nothing
Want everyone to have the root password? Want to have to change it every time one of those folks leave? Want to give selective root access by user/machine/command? Want to know what someone did as root? Can also be used to control others users ... but we don`t use that yet UnixSOE Enterprise Suite v8.0 Sudo can help you with all of these dilemma`s!

4 SOE Sudo command line options
-b (background) : To run the given command in the background -E (preserve environment) : user wishes to preserve their existing environment variables -h (help) option causes sudo to print a short help message to the standard output and exit -k (kill) option to sudo invalidates the user's cached credentials -n (non-interactive) : This option prevents sudo from prompting the user for a password the -l (list) option will list the allowed (and forbidden) commands for the invoking user on the current host The -s (shell) : option runs the shell specified by the SHELL environment variable -v (validate) option : sudo will update the user's cached credentials, authenticating the user's password if necessary. The -- option indicates that sudo should stop processing command line arguments

5 Examples of SOE sudo Execute ‘su’ command using Sudo
$ /opt/soe/local/bin/sudo su To get a file listing of an unreadable directory: $ /opt/soe/local/bin/sudo ls /usr/local/protected To edit the index.html file as user www $ /opt/soe/local/bin/sudo -u www vi ~www/htdocs/index.html To shutdown a machine: $ /opt/soe/local/bin/sudo shutdown -r +15 "quick reboot“ To run an editor as xxx with a different primary group : $ /opt/soe/local/bin/sudo -u xxx -g audio vi ~xxx/sound.txt To view system logs only accessible to root and users in the adm group: $ /opt/soe/local/bin/sudo -g adm view /var/log/syslog To make a usage listing of the directories in the /home partition: $ /opt/soe/local/bin/sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

6 Sample /etc/sudoers #; /etc/sudoers #; Sample sudoers file
#; Host aliases, in the form of subnets or (eek!) hostnames. Host_Alias DPUNET = /16 #; User aliases User_Alias SYSTEM_ADMIN = nancy, drew #; RunAs aliases; what privileges are given to the sudoee Runas_Alias DBA = oracle #; Command aliases. What people can do. Cmnd_Alias SU = /usr/bin/su, /usr/bin/sudo # Defaults specification Defaults syslog=auth,log_year,logfile=/var/log/sudo.log #; Root can do anything w/o a password. root ALL = (ALL) NOPASSWD: ALL #; Nancy can do anything on the private network EXCEPT for su and visudo. nancy PRIVNET = (ALL) ALL,!SU,!VISUDO #; On the shell servers, student can reset passwords except for root's password. STUDENT SHELLSERVER = (ALL) PASSWORD

7 SOE sudo – Supported OS Operating System Version Architecture Sun
Solaris 8 Sun Sparc Solaris 9 Solaris 10 Sun Sparc/x86-64 Architecture Solaris 11 HP-UX HP-UX11i HP PA-RISC HP-UX11i V2 (11.23) HP PA-RISC/ HP Itanium HP-UX11i V3 (11.31) AIX AIX 5.3 IBM pSeries AIX 6.1 AIX 7.1

8 UnixSOE Sudo-1.8.8– What is New?
New features Removed a warning on PAM systems with stacked auth modules where the first module on the stack does not succeed. Sudo, sudoreplay and visudo now support GNU-style long options. The -h (--host) option may now be used to specify a host name. This is currently only used by the sudoers plugin in conjunction with the -l (--list) option. Program usage messages and manual SYNOPSIS sections have been simplified. Sudo's LDAP SASL support now works properly with Kerberos. Previously, the SASL library was unable to locate the user's credential cache. It is now possible to set the nproc resource limit to unlimited via pam_limits on Linux (bug #565) New pam_service and pam_login_service sudoers options that can be used to specify the PAM service name to use. New pam_session and pam_setcred sudoers options that can be used to disable PAM session and credential support. The sudoers plugin now properly supports UIDs and GIDs that are larger than 0x7fffffff on 32-bit platforms. Fixed a visudo bug introduced in sudo where per-group Defaults entries would cause an internal error. If the tty_tickets sudoers option is enabled (the default), but there is no tty present, sudo will now use a ticket file based on the parent process ID. This makes it possible to support the normal timeout behavior for the session.

9 UnixSOE Sudo-1.8.8– What is New (Contd.)?
New features Fixed a problem running commands that change their process group and then attempt to change the terminal settings when not running the command in a pseudo-terminal. Previously, the process would receive SIGTTOU since it was effectively a background process. Sudo will now grant the child the controlling tty and continue it when this happens. The closefrom_override sudoers option may now be used in a command-specified Defaults entry (bug #610). Sudo's BSM audit support now works on Solaris 11. Brazilian Portuguese translation for sudo and sudoers from translationproject.org. Czech translation for sudo from translationproject.org. French translation for sudo from translationproject.org. Sudo's noexec support on Mac OS X 10.4 and above now uses dynamic symbol interposition instead of setting DYLD_FORCE_FLAT_NAMESPACE=1 which causes issues with some programs. Fixed visudo's -q (--quiet) flag, broken in sudo Root may no longer change its SELinux role without entering a password. Fixed a bug introduced in Sudo where the indexes written to the I/O log timing file are two greater than they should be. Sudoreplay now contains a work-around to parse those files. In sudoreplay's list mode, the this qualifier in fromdate or todate expressions now behaves more sensibly. Previously, it would often match a date that was "one more" than expected. For example, "this week" now matches the current week instead of the following week.

10 Product Support Helpline
Questions & Feedback Product Support Helpline

Download ppt "Overview – SOE Sudo Dec 2013."

Similar presentations

CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.

CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.
Linux Users and Groups Management

Linux Users and Groups Management
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
Sudo Access with Beowulf Clusters Chris Feehan CS Senior Capstone 12/18/06.

Sudo Access with Beowulf Clusters Chris Feehan CS Senior Capstone 12/18/06.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security.
7/17/2009 rwjBROOKDALE COMMUNITY COLLEGE1 Unix Comp-145 C HAPTER 2.

7/17/2009 rwjBROOKDALE COMMUNITY COLLEGE1 Unix Comp-145 C HAPTER 2.
Introduction to Unix Administration Objectives –to identify the basic concepts of Unix administration Contents –history of Unix –unix vendors and standards.

Introduction to Unix Administration Objectives –to identify the basic concepts of Unix administration Contents –history of Unix –unix vendors and standards.
system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.
Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.

Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.
2.0.0.3 – Introduction to the Shell 10/1/2015 Introduction to the Shell – Session 2 1 2.0.0.3.2 Introduction to the Shell – Session 2 · Permissions · Users.

– Introduction to the Shell 10/1/2015 Introduction to the Shell – Session Introduction to the Shell – Session 2 · Permissions · Users.
Adding New Users User as an entity - username(UID), GID. UID - typically a number for system to identify the user. GID – a number that recognizes a set.

Adding New Users User as an entity - username(UID), GID. UID - typically a number for system to identify the user. GID – a number that recognizes a set.
Managing Processes CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.

Managing Processes CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.
UNIX Commands. Why UNIX Commands Are Noninteractive Command may take input from the output of another command (filters). May be scheduled to run at specific.

UNIX Commands. Why UNIX Commands Are Noninteractive Command may take input from the output of another command (filters). May be scheduled to run at specific.
Oracle 10g Database Administrator: Implementation and Administration Chapter 2 Tools and Architecture.

Oracle 10g Database Administrator: Implementation and Administration Chapter 2 Tools and Architecture.
There are three types of users in linux  System users: ?  Super user: ?  Normal users: ?

There are three types of users in linux  System users: ?  Super user: ?  Normal users: ?
Managing Users  Each system has two kinds of users:  Superuser (root)  Regular user  Each user has his own username, password, and permissions that.

Managing Users  Each system has two kinds of users:  Superuser (root)  Regular user  Each user has his own username, password, and permissions that.
Chapter 3 & 6 Root Status and users File Ownership Every file has a owner and group –These give read,write, and execute priv’s to the owner, group, and.

Chapter 3 & 6 Root Status and users File Ownership Every file has a owner and group –These give read,write, and execute priv’s to the owner, group, and.
Introduction to System Admin Sirak Kaewjamnong. 2 The system administration’s job  Adding a new user  Doing backup and restoring files from backups.

Introduction to System Admin Sirak Kaewjamnong. 2 The system administration’s job  Adding a new user  Doing backup and restoring files from backups.
Λειτουργικά Συστήματα - Lab1 Γιάννης Πετράκης. The Operating System  Unix is a layered operating system  The innermost layer is the hardware that provides.

Λειτουργικά Συστήματα - Lab1 Γιάννης Πετράκης. The Operating System  Unix is a layered operating system  The innermost layer is the hardware that provides.
Lesson 3-Touring Utilities and System Features. Overview Employing fundamental utilities. Linux terminal sessions. Managing input and output. Using special.

Lesson 3-Touring Utilities and System Features. Overview Employing fundamental utilities. Linux terminal sessions. Managing input and output. Using special.

Similar presentations

Ads by Google