Making a custom sudoers file

For a sysadmin, allowing access to sudo is nerve-wracking, particularly if you work in an environment where you seem to be the only one concerned about security, where passwordless accounts are abundant and all users are made administrators for ease of access. This is most common in OS X clusters, as Linux does not permit empty passwords by default. A properly configured sudoers file is very important.

This assumes you have already sorted your users into appropriate groups, such as removing guests from the 'wheel' group.

Defining command and user aliases
The first section to edit will be # Cmnd alias specification. You can define groups of commands such as:

Cmnd_Alias SYS_COMMANDS = /sbin/umount, /sbin/mount

Cmnd_Alias SERVICES = /bin/ls, /bin/cat, /sbin/halt, /sbin/reboot, /sbin/shutdown

Cmnd_Alias ADMIN_TOOLS = /usr/bin/passwd, /bin/chmod, /bin/chown, /bin/chgrp

Cmnd_Alias EDITING = /usr/bin/vi

Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe

You can also append arguments to the commands; for example, an alias containing /usr/bin/su - Guest permits sudo su - Guest but not sudo su - some-other-user.

User aliases operate using the same syntax:
User_Alias GUESTS = guest, user, bob
User_Alias ADMINS = joe, alice
Limiting and denying commands to users and groups
Next, edit the # User privilege specification section. A leading % denotes a group; a name without one is a single user (or a User_Alias defined above):
# root and 'wheel' group users can run all commands as long as they authenticate with their passwords
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

# only bob can use storage tools
bob ALL = STORAGE

# ADMINS (a User_Alias, so no leading %) can use chmod, chown, chgrp and passwd, but they can't change root's password
ADMINS ALL = ADMIN_TOOLS, !/usr/bin/passwd root

# 'admin' group users can use all commands in the EDITING alias with a password, and
# all commands in SYS_COMMANDS and SERVICES without authenticating; but can't use any
# other commands
%admin ALL = EDITING, NOPASSWD:SYS_COMMANDS, SERVICES

# Guest users, who don't have passwords, can only mount and unmount drives
%guest ALL = NOPASSWD:SYS_COMMANDS

# joe can authenticate to use any command in /bin/ (a directory must end in a trailing
# slash) except for chmod, chgrp, chown and vi, but he can use /bin/find without
# authenticating (there is no real usefulness to NOPASSWD in this case)
joe ALL = /bin/, NOPASSWD:/bin/find, !/bin/chmod, !/bin/chgrp, !/bin/chown, !EDITING

# alice can su to any user except for root, but without flags (su - user is not allowed)
alice ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*

# everybody needs to be able to kill a program when it hangs without authenticating
ALL ALL = NOPASSWD:/bin/kill
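To see how these rules combine, here is an added example (not sudo's own code, and not from the original post) that evaluates the subset of sudoers syntax used above: Cmnd_Alias and User_Alias, %group and plain user names, ALL, directories ending in a slash, argument patterns, the NOPASSWD:/PASSWD: tags and ! negation, with the last matching entry deciding, as in sudo. The policy text and the group membership table are constructed for the example; the host and (RUNAS) fields are ignored, so it only models the ALL case shown in the post. The real check for a candidate file is still visudo -cf <file>.

```python
"""Evaluator for the sudoers subset used in this post (added example, not sudo's own code)."""
import fnmatch

# Constructed policy, assembled from the fragments shown above.
SUDOERS = """\
Cmnd_Alias SYS_COMMANDS = /sbin/umount, /sbin/mount
Cmnd_Alias ADMIN_TOOLS = /usr/bin/passwd, /bin/chmod, /bin/chown, /bin/chgrp
Cmnd_Alias EDITING = /usr/bin/vi
User_Alias ADMINS = joe, alice
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
ADMINS ALL = ADMIN_TOOLS, !/usr/bin/passwd root
%admin ALL = EDITING, NOPASSWD:SYS_COMMANDS
%guest ALL = NOPASSWD:SYS_COMMANDS
joe ALL = /bin/, NOPASSWD:/bin/find, !/bin/chmod, !/bin/chgrp, !/bin/chown, !EDITING
alice ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*
ALL ALL = NOPASSWD:/bin/kill
"""

# Constructed group membership standing in for /etc/group.
GROUPS = {"wheel": {"root"}, "admin": {"carol"}, "guest": {"visitor"}}


def parse(text):
    """Split sudoers text into command aliases, user aliases and user specs (file order)."""
    cmnd_aliases, user_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith(("Cmnd_Alias", "User_Alias")):
            kind, rest = line.split(None, 1)
            name, members = (s.strip() for s in rest.split("=", 1))
            table = cmnd_aliases if kind == "Cmnd_Alias" else user_aliases
            table[name] = [m.strip() for m in members.split(",")]
            continue
        who_host, cmds = (s.strip() for s in line.split("=", 1))
        who, host = who_host.split()
        if cmds.startswith("("):            # the (RUNAS) list is not modelled here
            cmds = cmds.split(")", 1)[1].strip()
        specs.append((who, host, [c.strip() for c in cmds.split(",")]))
    return cmnd_aliases, user_aliases, specs


def user_matches(who, user, user_aliases, groups):
    """ALL, %group, a User_Alias (expanded recursively) or a plain user name."""
    if who == "ALL":
        return True
    if who.startswith("%"):
        return user in groups.get(who[1:], set())
    if who in user_aliases:
        return any(user_matches(m, user, user_aliases, groups) for m in user_aliases[who])
    return who == user


def cmnd_matches(entry, path, args, cmnd_aliases):
    """Does one command entry (alias, directory, or path plus argument pattern) cover the request?"""
    if entry == "ALL":
        return True
    if entry in cmnd_aliases:
        return any(cmnd_matches(m, path, args, cmnd_aliases) for m in cmnd_aliases[entry])
    if entry.endswith("/"):                 # directory: any file directly inside it
        return path.startswith(entry) and "/" not in path[len(entry):]
    parts = entry.split(None, 1)
    if parts[0] != path:
        return False
    if len(parts) == 1:                     # no arguments listed: any arguments allowed
        return True
    if parts[1] == '""':                    # "" means the command takes no arguments
        return not args
    return fnmatch.fnmatchcase(" ".join(args), parts[1])


def check(user, path, args, text=SUDOERS, groups=GROUPS):
    """Return None (denied), 'PASSWD' or 'NOPASSWD' for running path with args as root."""
    cmnd_aliases, user_aliases, specs = parse(text)
    verdict = None
    for who, _host, cmds in specs:
        if not user_matches(who, user, user_aliases, groups):
            continue
        tag = "PASSWD"                      # tags persist across entries within one spec
        for entry in cmds:
            negated = entry.startswith("!")
            entry = entry.lstrip("!")
            if entry.split(":", 1)[0] in ("NOPASSWD", "PASSWD"):
                tag, entry = (s.strip() for s in entry.split(":", 1))
                negated = negated or entry.startswith("!")
                entry = entry.lstrip("!")
            if cmnd_matches(entry, path, args, cmnd_aliases):
                verdict = None if negated else tag   # last matching entry wins
    return verdict


if __name__ == "__main__":
    for req in [("joe", "/usr/bin/passwd", ["root"]), ("joe", "/bin/chmod", ["755", "f"]),
                ("joe", "/bin/find", ["/"]), ("alice", "/usr/bin/su", ["-", "bob"]),
                ("visitor", "/sbin/mount", ["/dev/sdb1", "/mnt"]), ("carol", "/bin/kill", ["42"])]:
        print(req, "->", check(*req))
```

Two interactions worth noticing in the output: joe is granted /bin/chmod through ADMIN_TOOLS in the ADMINS line, but his own later line ends with !/bin/chmod, and because the last match wins he is denied; and alice's "*root*" exclusion comes after the "[!-]*" grant, so su root is refused even though its arguments match the grant.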


Defining default settings
A few useful Defaults specifications:

# only allow one failed password attempt (passwd_tries is an integer, so it is set with =, not +=)
Defaults passwd_tries = 1

# the message when a user types an incorrect password
Defaults badpass_message = "And just what do you think you're doing, Dave?"

# this prevents sudo from being used in a script; the user must be logged in
Defaults requiretty



Enable root login from LAN only

Having SSH access to the root account can be catastrophic if someone ever does succeed in breaking into your machine. While the majority of sysadmins turn into rabid wolves upon mention that your machine allows root access, at times it may be necessary.

This should work on any UNIX-based operating system running OpenSSH 4.3p or later. You may determine the version of OpenSSH by using ssh -V.

On Linux, edit /etc/ssh/sshd_config. On Macs, edit /etc/sshd_config. Locate the line that defines PermitRootLogin, uncomment if it is commented out, and change its value to no.

On a separate line, add the following:
Match Address 192.168.2.*,127.0.0.1
      PermitRootLogin yes

This will allow root to login exclusively from your LAN, while denying all attempts from outside.

Tips: Extra security features to go along with this would be:

- Denying usage of 'sudo su'
- Disabling passwordless, guest, or otherwise unauthorized users from using 'su'
- Using the above Match Address syntax to only allow root to log in using a public key, not a password
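The following added example (not OpenSSH code, and not from the original post) computes the effective PermitRootLogin value for a given source address from a config like the one above. It models the two Match criteria relevant here, Address and User: a block applies when every criterion matches, its keywords override the global section, and when several blocks apply the first one that sets a keyword wins. Address patterns may be CIDR ranges or shell-style wildcards, and a ! prefix negates a pattern. The two configuration strings are constructed samples; the second one is the key-only variant from the last tip, using PermitRootLogin prohibit-password inside the Match block.

```python
"""Effective sshd_config value for a connection (added example, not OpenSSH's own code)."""
import fnmatch
import ipaddress

# The configuration described in the post, as a constructed sample.
SSHD_CONFIG = """\
PermitRootLogin no

Match Address 192.168.2.*,127.0.0.1
      PermitRootLogin yes
"""

# Constructed variant for the last tip: root from the LAN with a key only, never a password.
SSHD_CONFIG_KEY_ONLY = """\
PermitRootLogin no

Match Address 192.168.2.0/24,127.0.0.1
      PermitRootLogin prohibit-password
"""


def parse_sshd_config(text):
    """Return (global options, [(criteria, options), ...]) in file order; keywords lowercased."""
    global_opts, blocks = {}, []
    current = None                              # Match block currently being read
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1].split(",")
                        for i in range(0, len(tokens) - 1, 2)}
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value)  # sshd keeps the first value it sees
        else:
            current[1].setdefault(key, value)
    return global_opts, blocks


def address_matches(addr, patterns):
    """sshd list semantics: a negated hit fails the whole list; otherwise any positive hit wins."""
    ip = ipaddress.ip_address(addr)
    positive = False
    for pat in patterns:
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        if "/" in pat:                          # CIDR form
            hit = ip in ipaddress.ip_network(pat, strict=False)
        else:                                   # wildcard or literal address
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit and negate:
            return False
        positive = positive or hit
    return positive


def block_applies(criteria, addr, user):
    """All criteria of a Match line must hold; only Address and User are modelled here."""
    for name, patterns in criteria.items():
        if name == "address":
            if not address_matches(addr, patterns):
                return False
        elif name == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in patterns):
                return False
        else:
            raise ValueError(f"Match criterion not modelled here: {name}")
    return True


def effective(keyword, addr, user="root", text=SSHD_CONFIG):
    """Effective value of keyword for a connection from addr by user."""
    keyword = keyword.lower()
    global_opts, blocks = parse_sshd_config(text)
    for criteria, opts in blocks:               # first applicable block setting the keyword wins
        if block_applies(criteria, addr, user) and keyword in opts:
            return opts[keyword]
    return global_opts.get(keyword)


if __name__ == "__main__":
    for addr in ("192.168.2.10", "192.168.20.1", "203.0.113.5", "127.0.0.1"):
        print(addr, effective("PermitRootLogin", addr),
              effective("PermitRootLogin", addr, text=SSHD_CONFIG_KEY_ONLY))
```

Note that the wildcard 192.168.2.* is anchored by its dots, so 192.168.20.1 falls through to the global no. On a real host the authoritative check is sshd's own test mode, which applies the Match blocks for a simulated connection: sshd -T -C user=root,host=client.example,addr=192.168.2.10 prints the effective configuration, where permitrootlogin can be read off.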