Download presentation
Presentation is loading. Please wait.
1
Overview – SOE Sudo November 2015
2
What is SOE Sudo? Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. Users and commands can be defined in sudo configuration file /etc/sudoers Sudo access can be monitored by /var/[adm/log]/sudo.log (Default path) Allows users to run programs with the security privileges of another user A highly configurable tool Allows for Least Privilege methodology Logs each command run
3
Why do you Need Sudo? UNIX root account is all or nothing
Want everyone to have the root password? Want to have to change it every time one of those folks leave? Want to give selective root access by user/machine/command? Want to know what someone did as root? Can also be used to control others users ... but we don`t use that yet UnixSOE Enterprise Suite v10.0 Sudo can help you with all of these dilemma`s!
4
SOE Sudo command line options
-b (background) : To run the given command in the background -E (preserve environment) : user wishes to preserve their existing environment variables -h (help) option causes sudo to print a short help message to the standard output and exit -k (kill) option to sudo invalidates the user's cached credentials -n (non-interactive) : This option prevents sudo from prompting the user for a password the -l (list) option will list the allowed (and forbidden) commands for the invoking user on the current host The -s (shell) : option runs the shell specified by the SHELL environment variable -v (validate) option : sudo will update the user's cached credentials, authenticating the user's password if necessary. The -- option indicates that sudo should stop processing command line arguments
5
Examples of SOE sudo Execute ‘su’ command using Sudo
$ /opt/soe/local/bin/sudo su To get a file listing of an unreadable directory: $ /opt/soe/local/bin/sudo ls /usr/local/protected To edit the index.html file as user www $ /opt/soe/local/bin/sudo -u www vi ~www/htdocs/index.html To shutdown a machine: $ /opt/soe/local/bin/sudo shutdown -r +15 "quick reboot“ To run an editor as xxx with a different primary group : $ /opt/soe/local/bin/sudo -u xxx -g audio vi ~xxx/sound.txt To view system logs only accessible to root and users in the adm group: $ /opt/soe/local/bin/sudo -g adm view /var/log/syslog To make a usage listing of the directories in the /home partition: $ /opt/soe/local/bin/sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
6
Sample /etc/sudoers #; /etc/sudoers #; Sample sudoers file
#; Host aliases, in the form of subnets or (eek!) hostnames. Host_Alias DPUNET = /16 #; User aliases User_Alias SYSTEM_ADMIN = nancy, drew #; RunAs aliases; what privileges are given to the sudoee Runas_Alias DBA = oracle #; Command aliases. What people can do. Cmnd_Alias SU = /usr/bin/su, /usr/bin/sudo # Defaults specification Defaults syslog=auth,log_year,logfile=/var/log/sudo.log #; Root can do anything w/o a password. root ALL = (ALL) NOPASSWD: ALL #; Nancy can do anything on the private network EXCEPT for su and visudo. nancy PRIVNET = (ALL) ALL,!SU,!VISUDO #; On the shell servers, student can reset passwords except for root's password. STUDENT SHELLSERVER = (ALL) PASSWORD
7
SOE sudo – Supported OS Operating System Version Architecture Sun
Solaris 8 Sun Sparc Solaris 9 Solaris 10 Sun Sparc/x86-64 Architecture Solaris 11 HP-UX HP-UX11i HP PA-RISC HP-UX11i V2 (11.23) HP PA-RISC/ HP Itanium HP-UX11i V3 (11.31) AIX AIX 5.3 IBM pSeries AIX 6.1 AIX 7.1
8
UnixSOE Sudo-1.8.13– What is New?
New features Weak symbols are now used for sudo_warn_gettext() and sudo_warn_strerror() in libsudo_util to avoid link errors when -Wl,--no-undefined is used in LDFLAGS. The --disable-weak-symbols configure option can be used to disable the user of weak symbols. Fixed a bug in sudo's mkstemps() replacement function that prevented the file extension from being preserved in sudoedit. A new mail_all_cmnds sudoers flag will send mail when a user runs a command (or tries to). The behavior of the mail_always flag has been restored to always send mail when sudo is run. New MAIL and NOMAIL command tags have been added to toggle mail sending behavior on a per-command (or Cmnd_Alias) basis. Fixed matching of empty passwords when sudo is configured to use passwd (or shadow) file authentication on systems where the crypt() function returns NULL for invalid salts.
9
Product Support Helpline
Questions & Feedback Product Support Helpline
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.