Hacking with Sudo


Throughout this book we have used the sudo command for running commands as root. Sudo allows you to run a command with root privileges. The default installation of Ubuntu includes the Sudo command (sudo) and gives the default user account access to this command. If you need something to run as root, you can use sudo. A related command, sudoedit, allows you to edit a file as root. For example, to edit the root-only file /var/spool/anacron/cron.daily, you can use either of the following commands:

 sudo vi /var/spool/anacron/cron.daily
 sudoedit /var/spool/anacron/cron.daily

Tip 

The sudoedit command uses the editor defined in the $EDITOR environment variable. If this editor is not defined, the nano editor is used. See "Tuning the Shell" in Chapter 2 for setting the $EDITOR variable.

Sudo Coup

When Unix was young (circa 1970), administrators needed a way to change between user access privileges. This was accomplished with the su command. Although originally designed to switch user access, it was mainly used to change privileges from a regular user to root. (The su command is sometimes called the super-user command for this reason.)

There are a couple of huge risks with using su to run commands as root. Most notably, all commands are executed with root privileges. Many times, only one command within a long list of commands really needs root access. Also, when a terminal is logged in as root, users may forget which user they are running as. Accidentally deleting files from a directory as root can be much more devastating than doing so as a regular user.

Sudo was created to limit the commands that can run as root. Rather than changing all privileges, only the privileges for a specific command are changed. Furthermore, Sudo can even limit which commands can be run as root. When the command completes, you are back to your regular user access. This way, only the required steps run as root, and you won't accidentally leave a terminal logged in as root.

Although very old Unix systems still rely on su to change access levels, it is being forcefully replaced by sudo. Furthermore, in most BSD and Linux distributions (including Ubuntu), Sudo has become standard for using root privileges. Although the su command is included with the Ubuntu installation, you cannot use it to run commands as root unless you first set a root password using sudo passwd root.


Adding Users to Sudo

The configuration file for sudo is /etc/sudoers. This lists who can run commands as root, which commands they can run, and any configuration preferences. Listing 10-1 shows the default /etc/sudoers file. Although this file can be edited using sudo vi /etc/sudoers or sudoedit /etc/sudoers, this is not recommended. Instead, the command sudo visudo (short for vi sudo) is the preferred approach. The visudo command ensures that only one person edits the file at a time. It also checks for syntax errors before installing the new file. (The last thing you need is to corrupt /etc/sudoers and lose the ability to run sudo for fixing the problem.)

The default /etc/sudoers file gives access to everyone who is part of the admin group. Non-admin users are blocked from running commands as root. If you want to add someone to the admin group, follow these steps:

  1. Use the vigr command to edit the /etc/group file.

     sudo vigr 
  2. The /etc/group file lists each group name, group ID number, and a comma-separated list of users. Search for the line that begins with admin. It should list one account name (your default Ubuntu account). For example, my default account name is neal and the line says:

     admin:x:112:neal 
  3. Add the new user name to this line. Use a comma to separate usernames. For example, if I want to add the user marc to this line, I would have:

     admin:x:112:neal,marc 
  4. Save your changes and quit the editor.

Note 

Changes to /etc/group do not propagate to running applications. If the user is currently logged in, he or she will need to log out and back in before the group changes take effect.

If you want to give a user Sudo access without adding them to a group, then you can add them as a privileged user.

  1. Edit the /etc/sudoers file using sudo visudo.

  2. Look for the line that says root ALL=(ALL) ALL.

  3. Create a similar line with the user's account name. For example, if I want to give the account "marc" access, I will use:

     root    ALL=(ALL) ALL
     marc    ALL=(ALL) ALL

    This addition says that the users "root" and "marc" can use sudo and can run any command with root privileges.

  4. Save your changes and exit the visudo command.

Listing 10-1: The Default /etc/sudoers File

     # /etc/sudoers
     #
     # This file MUST be edited with the 'visudo'
     #
     # See the man page for details on how to write a sudoers file.
     # Host alias specification
     # User alias specification
     # Cmnd alias specification
     # Defaults
     Defaults        !lecture,tty_tickets,!fqdn
     # User privilege specification
     root    ALL=(ALL) ALL
     # Members of the admin group may gain root privileges
     %admin ALL=(ALL) ALL

Tweaking other Sudo Options

The default sudo command has three options enabled: !lecture, tty_tickets, and !fqdn. These options are flags; the ! in front of any flag disables the option. Other options can be added that include values. All the options belong on the Defaults line in the /etc/sudoers file (use sudo visudo to edit this file). Some command options that you might want to tweak include:

  • lecture: When this flag is enabled, the sudo command will display a warning about running commands as root. This can be useful if there are lots of administrators on a system. However, people usually ignore the warning. The default installation disables the lecture message: !lecture.

  • timestamp_timeout: This option lists the number of minutes before sudo requires you to re-enter your password. If you are running many sudo commands in a row, then it can become very inconvenient to re-enter your password after every command. The default configuration is 15 minutes (timestamp_timeout=15). If your last sudo command was executed more than 15 minutes ago, then you will need to re-enter your password to run sudo. Setting the value to zero will always prompt for a password; setting the value to a negative number disables the timeout. If you are in a very sensitive environment, then you may want to lower this value (or set it to zero).

  • tty_tickets: If you have lots of windows open, then you will notice that you need to enter your password the first time you run sudo in any window. This is due to the tty_tickets flag: every terminal (tty) has its own sudo environment. If you disable this flag (!tty_tickets), then entering your password for sudo in one window will stop the sudo password prompts in all other windows.

  • fqdn: When host names are used in the sudoers file, this flag specifies the use of fully qualified domain names (fqdns).

  • passwd_tries: This sets how many password attempts the user gets before sudo fails. The default is passwd_tries=3.

  • insults: This is a fun flag. If the user enters a bad password, then sudo will generate a random message. (The default is !insults.) For example:

     $ sudo id
     Password: [wrong]
     Just what do you think you're doing Dave?
     Password: [wrong]
     It can only be attributed to human error.
     Password: [wrong]
     My pet ferret can type better than you!
     sudo: 3 incorrect password attempts

Tip 

There are many other advanced configuration options including logging and user-based restrictions. If you have specific needs, look at the manual for sudoers (man sudoers).
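
The following added example (not from the book) reads a sudoers file in the simple syntax of Listing 10-1 and reports every non-root account or group granted ALL=(ALL) ALL, plus Defaults values that loosen password prompting. The function name audit_sudoers and the sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the book. Handles only the simple syntax of
# Listing 10-1: no aliases, no line continuations, no included files.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    $1 == "Defaults" {                       # global options, comma-separated
        opts = $0
        sub(/^[ \t]*Defaults[ \t]+/, "", opts)
        sub(/[ \t]+$/, "", opts)
        n = split(opts, o, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            if (o[i] == "!tty_tickets")
                print "WARN !tty_tickets: one password entry covers every terminal"
            if (o[i] ~ /^timestamp_timeout=/) {
                t = substr(o[i], length("timestamp_timeout=") + 1)
                if (t + 0 < 0)
                    print "WARN timestamp_timeout=" t ": password is never asked for again"
                else if (t + 0 > 15)
                    print "WARN timestamp_timeout=" t ": longer than the 15-minute default"
            }
        }
        next
    }
    {                                        # privilege line: who host=(runas) commands
        who = $1
        rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)
        gsub(/[ \t]/, "", rest)
        if (rest == "ALL=(ALL)ALL" && who != "root")
            print "FULL-ROOT " (who ~ /^%/ ? "group " substr(who, 2) : "user " who)
    }' "$1"
}

# Constructed sample: Listing 10-1 plus the marc line and two loosened options.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/sudoers (constructed copy for this example)
Defaults        !lecture,!tty_tickets,!fqdn,timestamp_timeout=-1
root    ALL=(ALL) ALL
marc    ALL=(ALL) ALL
%admin ALL=(ALL) ALL
EOF
audit_sudoers "$sample"
rm -f "$sample"
```

Run it against a copy of the file rather than /etc/sudoers itself, since the real file is readable only by root.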

Becoming Root

Although the Ubuntu security model has all administrative commands issued through sudo, there are some times when you really would be better off with a command prompt as root. Fortunately, there are many ways to accomplish this with sudo. A few examples:

 sudo -s          # run a shell as root
 sudo bash -o vi  # run a specific shell as root
 sudo -i          # set root's initial login environment
 sudo su - root   # become root and run root's login environment

In the first two cases, the shell runs as root, but environment variables (for example, $HOME) are inherited. In the other two cases, the environment is replaced with root's real environment settings.

If you really need to be able to log in as root, then you can use sudo passwd root to give the root account a password. As soon as you set the password, the root account can log in. You can always undo this change with sudo passwd -l root to lock the account.

Warning 

Enabling root logins is usually a bad idea. Logins give a trail of accountability. If someone logs in without a personalized account, then there is no way to identify the person who really logged in. sudo gives an audit trail in /var/log/auth.log (even though users with sudo access have the ability to blow away the logs).
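
To make the audit trail concrete, this added example (not from the book) summarises sudo entries from an auth.log-style file, separating single commands, denied attempts, and root shells such as those started by the "Becoming Root" commands. The log layout, the function name sudo_audit and the sample lines are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the book. Assumes the syslog layout
# "<time> <host> sudo: <user> : <k=v> ; ... ; COMMAND=<command line>".
sudo_audit() {
    awk '
    index($0, " sudo: ") && index($0, "COMMAND=") {
        line = substr($0, index($0, " sudo: ") + 7)
        sub(/^[ \t]+/, "", line)
        user = line
        sub(/[ \t]*:.*$/, "", user)          # account that invoked sudo
        cmd = substr(line, index(line, "COMMAND=") + 8)
        if (line ~ /incorrect password attempt/ || line ~ /NOT in sudoers/) {
            print "DENIED " user " " cmd
            next
        }
        split(cmd, w, " ")
        n = split(w[1], p, "/")              # p[n] is the program name
        # sudo records the shell start only, not what is typed inside it.
        if (p[n] ~ /^(su|sh|bash|dash|zsh|ksh)$/)
            print "SHELL " user " " cmd
        else
            print "CMD " user " " cmd
    }' "$1"
}

# Constructed log lines in the assumed layout (not taken from a real host).
log=$(mktemp)
cat > "$log" <<'EOF'
Jun  1 10:00:01 ubuntu sudo:     neal : TTY=pts/0 ; PWD=/home/neal ; USER=root ; COMMAND=/usr/bin/id
Jun  1 10:01:12 ubuntu sudo:     marc : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/marc ; USER=root ; COMMAND=/usr/bin/id
Jun  1 10:03:40 ubuntu sudo:     neal : TTY=pts/0 ; PWD=/home/neal ; USER=root ; COMMAND=/bin/su - root
Jun  1 10:03:40 ubuntu sudo: pam_unix(sudo:session): session opened for user root by neal(uid=0)
EOF
sudo_audit "$log"
rm -f "$log"
```

A SHELL line marks the point where per-command accountability ends for that session, so those entries deserve the closest review.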



Hacking Ubuntu
Hacking Ubuntu: Serious Hacks Mods and Customizations (ExtremeTech)
ISBN: 047010872X
EAN: 2147483647
Year: 2004
Pages: 124
Authors: Neal Krawetz
