| Deployment GuidePart I. Basic System ConfigurationThis part covers basic system administration tasks such as keyboard configuration, date and time configuration, managing users and groups, and gaining privileges. Chapter 1. Keyboard ConfigurationThis chapter describes how to change the keyboard layout, as well as how to add the Keyboard Indicator applet to the panel. It also covers the option to enforce a typing break, and explains both advantages and disadvantages of doing so. 1.1. Changing the Keyboard LayoutThe installation program allowed you to configure a keyboard layout for your system. However, the default settings may not always suit your current needs. To configure a different keyboard layout after the installation, use the Keyboard Preferences tool. To open Keyboard Layout Preferences, select ⤍ ⤍ from the panel, and click the Layouts tab. You will be presented with a list of available layouts. To add a new one, click the Add... button below the list, and you will be prompted to chose which layout you want to add. Currently, there are two ways how to chose the keyboard layout: you can either find it by the country it is associated with (the By country tab), or you can select it by the language (the By language tab). In either case, first select the desired country or language from the Country or Language pulldown menu, then specify the variant from the Variants menu. The preview of the layout changes immediately. To confirm the selection, click Add. The layout should appear in the list. To make it the default, select the radio button next to its name. The changes take effect immediately. Note that there is a text-entry field at the bottom of the window where you can safely test your settings. Once you are satisfied, click Close to close the window. By default, changing the keyboard layout affects the active window only. This means that if you change the layout and switch to another window, this window will use the old one, which might be confusing. To turn this behavior off, unselect the Separate layout for each window checkbox. Doing this has its drawbacks though, as you will no longer be able to chose the default layout by selecting the radio button as shown in Figure 1.3, "Selecting the default layout". To make the layout the default, simply drag it at the beginning of the list. 1.2. Adding the Keyboard Layout IndicatorIf you want to see what keyboard layout you are currently using, or you would like to switch between different layouts with a single mouse click, add the Keyboard Indicator applet to the panel. To do so, right-click the empty space on the main panel, and select the option from the pulldown menu. You will be presented with a list of available applets. Scroll through the list (or start typing "keyboard" to the search field at the top of the window), select , and click the Add button. The applet appears immediately, displaying the shortened name of the country the current layout is associated with. To display the actual variant, hover the pointer over the applet icon. 1.3. Setting Up a Typing BreakTyping for a long period of time can be not only tiring, but it can also increase the risk of serious health problems, such as carpal tunnel syndrome. One way of preventing this is to configure the system to enforce the typing break. Simply select ⤍ ⤍ from the panel, click the Typing Break tab, and select the Lock screen to enforce typing break checkbox. To increase or decrease the amount of time you want to be allowed to type before the break is enforced, click the up or down button next to the Work interval lasts label respectively. You can do the same with the Break interval lasts setting to alter the length of the break itself. Finally, select the Allow postponing of breaks checkbox if you want to be able to delay the break in case you need to finish the work. The changes take effect immediately. Next time you reach the time limit, you will be presented with a screen advising you to take a break, and a clock displaying the remaining time. If you enabled it, the Postpone Break button will be located at the bottom right corner of the screen. Chapter 2. Date and Time ConfigurationThis chapter covers setting the system date and time in Red Hat Enterprise Linux, both manually and using the Network Time Protocol ( NTP), as well as setting the adequate time zone. Two methods are covered: setting the date and time using the Date/Time Properties tool, and doing so on the command line. 2.1. Date/Time Properties ToolThe Date/Time Properties tool allows the user to change the system date and time, to configure the time zone used by the system, and to set up the Network Time Protocol daemon to synchronize the system clock with a time server. Note that to use this application, you must be running the X Window System (see Appendix C, The X Window System for more information on this topic). To start the tool, select ⤍ ⤍ from the panel, or type the system-config-date command at a shell prompt (e.g., xterm or GNOME Terminal). Unless you are already authenticated, you will be prompted to enter the superuser password. 2.1.1. Date and Time PropertiesAs shown in Figure 2.2, "Date and Time Properties", the Date/Time Properties tool is divided into two separate tabs. The tab containing the configuration of the current date and time is shown by default. To set up your system manually, follow these steps: Change the current date. Use the arrows to the left and right of the month and year to change the month and year respectively. Then click inside the calendar to select the day of the month. Change the current time. Use the up and down arrow buttons beside the Hour, Minute, and Second, or replace the values directly.
Click the OK button to apply the changes and exit the application. 2.1.2. Network Time Protocol PropertiesHere you can choose one of the predefined servers, edit a predefined server by clicking the Edit button, or add a new server name by clicking Add. In the Advanced Options, you can also select whether you want to synchronize the system clock before starting the service, and if you wish to use a local time source. Your system does not start synchronizing with the NTP server until you click the OK button at the bottom of the window to confirm your changes. Click the OK button to apply any changes made to the date and time settings and exit the application. 2.1.3. Time Zone PropertiesThere are two common approaches to the time zone selection: Using the interactive map. Click "zoom in" and "zoom out" buttons next to the map, or click on the map itself to zoom into the selected region. Then choose the city specific to your time zone. A red X appears and the time zone selection changes in the list below the map. Use the list below the map. To make the selection easier, cities and countries are grouped within their specific continents. Note that non-geographic time zones have also been added to address needs in the scientific community.
If your system clock is set to use UTC, select the System clock uses UTC option. UTC stands for the Universal Time, Coordinated, also known as Greenwich Mean Time ( GMT). Other time zones are determined by adding or subtracting from the UTC time. Click OK to apply the changes and exit the program. 2.2. Command Line ConfigurationIn case your system does not have the Date/Time Properties tool installed, or the X Window Server is not running, you will have to change the system date and time on the command line. Note that in order to perform actions described in this section, you have to be logged in as a superuser: ~]$ su -Password: 2.2.1. Date and Time SetupThe date command allows the superuser to set the system date and time manually: Change the current date. Type the command in the following form at a shell prompt, replacing the YYYY with a four-digit year, MM with a two-digit month, and DD with a two-digit day of the month: ~]# date +%D -s YYYY-MM-DD For example, to set the date to 2 June 2010, type: ~]# date +%D -s 2010-06-02 Change the current time. Use the following command, where HH stands for an hour, MM is a minute, and SS is a second, all typed in a two-digit form: ~]# date +%T -s HH:MM:SS If your system clock is set to use UTC (Coordinated Universal Time), add the following option: ~]# date +%T -s HH:MM:SS -u For instance, to set the system clock to 11:26 PM using the UTC, type: ~]# date +%T -s 23:26:00 -u
You can check your current settings by typing date without any additional argument: Example 2.1. Displaying the current date and time ~]$ dateWed Jun 2 11:58:48 CEST 2010 2.2.2. Network Time Protocol SetupAs opposed to the manual setup described above, you can also synchronize the system clock with a remote server over the Network Time Protocol ( NTP). For the one-time synchronization only, use the ntpdate command: Firstly, check whether the selected NTP server is accessible: ~]# ntpdate -q server_address For example: ~]# ntpdate -q 0.rhel.pool.ntp.org When you find a satisfactory server, run the ntpdate command followed by one or more server addresses: ~]# ntpdate server_address... For instance: ~]# ntpdate 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org Unless an error message is displayed, the system time should now be set. You can check the current by setting typing date without any additional arguments as shown in Section 2.2.1, "Date and Time Setup". In most cases, these steps are sufficient. Only if you really need one or more system services to always use the correct time, enable running the ntpdate at boot time: ~]# chkconfig ntpdate on If the synchronization with the time server at boot time keeps failing, i.e., you find a relevant error message in the /var/log/boot.log system log, try to add the following line to /etc/sysconfig/network: NETWORKWAIT=1
However, the more convenient way is to set the ntpd daemon to synchronize the time at boot time automatically: Open the NTP configuration file /etc/ntp.conf in a text editor such as vi or nano, or create a new one if it does not already exist: ~]# nano /etc/ntp.conf Now add or edit the list of public NTP servers. If you are using Red Hat Enterprise Linux 6, the file should already contain the following lines, but feel free to change or expand these according to your needs: server 0.rhel.pool.ntp.orgserver 1.rhel.pool.ntp.orgserver 2.rhel.pool.ntp.org To speed the initial synchronization up, add the iburst directive at the end of each server line: server 0.rhel.pool.ntp.org iburstserver 1.rhel.pool.ntp.org iburstserver 2.rhel.pool.ntp.org iburst Once you have the list of servers complete, in the same file, set the proper permissions, giving the unrestricted access to localhost only: restrict default kod nomodify notrap nopeer noqueryrestrict -6 default kod nomodify notrap nopeer noqueryrestrict 127.0.0.1restrict -6 ::1 Save all changes, exit the editor, and restart the NTP daemon: ~]# service ntpd restart Make sure that ntpd daemon is started at boot time: ~]# chkconfig ntpd on
Chapter 3. Managing Users and GroupsThe control of users and groups is a core element of Red Hat Enterprise Linux system administration. This chapter explains how to add, manage, and delete users and groups in the graphical user interface and on the command line, and covers advanced topics, such as enabling password aging or creating group directories. 3.1. Introduction to Users and GroupsWhile users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use, groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group. Each user is associated with a unique numerical identification number called a user ID ( UID). Likewise, each group is associated with a group ID ( GID). A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by root, and access permissions can be changed by both the root user and file owner. Additionally, Red Hat Enterprise Linux supports access control lists ( ACLs) for files and directories which allow permissions for specific users outside of the owner to be set. For more information about this feature, refer to the Access Control Lists chapter of the Storage Administration Guide. 3.1.1. User Private GroupsRed Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. It has the same name as the user for which it was created and that user is the only member of the user private group. User private groups make it safe to set default permissions for a newly created file or directory, allowing both the user and the group of that user to make modifications to the file or directory. The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the /etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group. In environments with multiple users, it is very important to use shadow passwords provided by the shadow-utils package to enhance the security of system authentication files. For this reason, the installation program enables shadow passwords by default. The following is a list of the advantages shadow passwords have over the traditional way of storing passwords on UNIX-based systems: Shadow passwords improve system security by moving encrypted password hashes from the world-readable /etc/passwd file to /etc/shadow, which is readable only by the root user. Shadow passwords store information about password aging. Shadow passwords allow the /etc/login.defs file to enforce security policies.
Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work. The following is a list of utilities and commands that do not work without first enabling shadow passwords: 3.2. Using the User Manager ToolThe User Manager application allows you to view, modify, add, and delete local users and groups in the graphical user interface. To start the application, either select ⤍ ⤍ from the panel, or type system-config-users at a shell prompt. Note that unless you have superuser privileges, the application will prompt you to authenticate as root. 3.2.1. Viewing Users and GroupsThe main window of the User Manager is divided into two tabs: The Users tab provides a list of local users along with additional information about their user ID, primary group, home directory, login shell, and full name. The Groups tab provides a list of local groups with information about their group ID and group members. To find a specific user or group, type the first few letters of the name in the Search filter field and either press Enter, or click the Apply filter button. You can also sort the items according to any of the available columns by clicking the column header. Red Hat Enterprise Linux reserves user and group IDs below 500 for system users and groups. By default, the User Manager does not display the system users. To view all users and groups, select ⤍ to open the Preferences dialog box, and clear the Hide system users and groups checkbox. The Add New User dialog box allows you to provide information about the newly created user. In order to create a user, enter the username and full name in the appropriate fields and then type the user's password in the Password and Confirm Password fields. The password must be at least six characters long. It is advisable to use a much longer password, as this makes it more difficult for an intruder to guess it and access the account without permission. It is also recommended that the password not be based on a dictionary term: use a combination of letters, numbers and special characters. The Login Shell pulldown list allows you to select a login shell for the user. If you are not sure which shell to select, accept the default value of . By default, the User Manager application creates the home directory for a new user in /home/username/. You can choose not to create the home directory by clearing the Create home directory checkbox, or change this directory by editing the content of the Home Directory text box. Note that when the home directory is created, default configuration files are copied into it from the /etc/skel/ directory. Red Hat Enterprise Linux uses a user private group (UPG) scheme. Whenever you create a new user, a unique group with the same name as the user is created by default. If you do not want to create this group, clear the Create a private group for the user checkbox. To specify a user ID for the user, select Specify user ID manually. If the option is not selected, the next available user ID above 500 is assigned to the new user. Because Red Hat Enterprise Linux reserves user IDs below 500 for system users, it is not advisable to manually assign user IDs 1-499. Clicking the OK button creates the new user. To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user. 3.2.3. Adding a New GroupTo add a new user group, select Add Group from the toolbar. A window similar to Figure 3.3, "New Group" appears. Type the name of the new group. To specify a group ID for the new group, select Specify group ID manually and select the GID. Note that Red Hat Enterprise Linux also reserves group IDs lower than 500 for system groups. Click OK to create the group. The new group appears in the group list. 3.2.4. Modifying User PropertiesTo view the properties of an existing user, click on the Users tab, select the user from the user list, and click from the menu (or choose ⤍ from the pulldown menu). A window similar to Figure 3.4, "User Properties" appears. The User Properties window is divided into multiple tabbed pages: User Data - Shows the basic user information configured when you added the user. Use this tab to change the user's full name, password, home directory, or login shell. Account Info - Select Enable account expiration if you want the account to expire on a certain date. Enter the date in the provided fields. Select Local password is locked to lock the user account and prevent the user from logging into the system. Password Info - Displays the date that the user's password last changed. To force the user to change passwords after a certain number of days, select Enable password expiration and enter a desired value in the Days before change required: field. The number of days before the user's password expires, the number of days before the user is warned to change passwords, and days before the account becomes inactive can also be changed. Groups - Allows you to view and configure the Primary Group of the user, as well as other groups that you want the user to be a member of.
3.2.5. Modifying Group PropertiesTo view the properties of an existing group, select the group from the group list and click from the menu (or choose ⤍ from the pulldown menu). A window similar to Figure 3.5, "Group Properties" appears. The Group Users tab displays which users are members of the group. Use this tab to add or remove users from the group. Click OK to save your changes. 3.3. Using Command Line ToolsTable 3.1. Command line utilities for managing users and groups | Utilities | Description |
|---|
useradd, usermod, userdel | Standard utilities for adding, modifying, and deleting user accounts. | groupadd, groupmod, groupdel | Standard utilities for adding, modifying, and deleting groups. | gpasswd | Standard utility for administering the /etc/group configuration file. | pwck, grpck | Utilities that can be used for verification of the password, group, and associated shadow files. | pwconv, pwunconv | Utilities that can be used for the conversion of passwords to shadow passwords, or back from shadow passwords to standard passwords. |
To add a new user to the system, typing the following at a shell prompt as root: useradd [options] username
By default, the useradd command creates a locked user account. To unlock the account, run the following command as root to assign a password: passwd username
Optionally, you can set password aging policy. Refer to Red Hat Enterprise Linux 6 Security Guide for information on how to enable password aging. Table 3.2. useradd command line options | Option | Description |
|---|
-c 'comment' | comment can be replaced with any string. This option is generally used to specify the full name of a user. | -d home_directory | Home directory to be used instead of default /home/username/. | -e date | Date for the account to be disabled in the format YYYY-MM-DD. | -f days | Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not be disabled after the password expires. | -g group_name | Group name or group number for the user's default group. The group must exist prior to being specified here. | -G group_list | List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here. | -m | Create the home directory if it does not exist. | -M | Do not create the home directory. | -N | Do not create a user private group for the user. | -p password | The password encrypted with crypt. | -r | Create a system account with a UID less than 500 and without a home directory. | -s | User's login shell, which defaults to /bin/bash. | -u uid | User ID for the user, which must be unique and greater than 499. |
Explaining the Process The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled: A new line for juan is created in /etc/passwd: juan:x:501:501::/home/juan:/bin/bash The line has the following characteristics: It begins with the username juan. There is an x for the password field indicating that the system is using shadow passwords. A UID greater than 499 is created. Under Red Hat Enterprise Linux, UIDs below 500 are reserved for system use and should not be assigned to users. A GID greater than 499 is created. Under Red Hat Enterprise Linux, GIDs below 500 are reserved for system use and should not be assigned to users. The optional GECOS information is left blank. The GECOS field can be used to provide additional information about the user, such as their full name or phone number. The home directory for juan is set to /home/juan/. The default shell is set to /bin/bash.
A new line for juan is created in /etc/shadow: juan:!!:14798:0:99999:7::: The line has the following characteristics: It begins with the username juan. Two exclamation marks (!!) appear in the password field of the /etc/shadow file, which locks the account. If an encrypted password is passed using the -p flag, it is placed in the /etc/shadow file on the new line for the user. The password is set to never expire.
A new line for a group named juan is created in /etc/group: juan:x:501: The line created in /etc/group has the following characteristics: It begins with the group name juan. An x appears in the password field indicating that the system is using shadow group passwords. The GID matches the one listed for user juan in /etc/passwd.
A new line for a group named juan is created in /etc/gshadow: juan:!:: The line has the following characteristics: It begins with the group name juan. An exclamation mark (!) appears in the password field of the /etc/gshadow file, which locks the group. All other fields are blank.
A directory for user juan is created in the /home/ directory: ~]# ls -l /hometotal 4drwx------. 4 juan juan 4096 Mar 3 18:23 juan This directory is owned by user juan and group juan. It has read, write, and execute privileges only for the user juan. All other permissions are denied. The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory: ~]# ls -la /home/juantotal 28drwx------. 4 juan juan 4096 Mar 3 18:23 .drwxr-xr-x. 5 root root 4096 Mar 3 18:23 ..-rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout-rw-r--r--. 1 juan juan 176 Jun 22 2010 .bash_profile-rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrcdrwxr-xr-x. 2 juan juan 4096 Jul 14 2010 .gnome2drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla
At this point, a locked account called juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines. 3.3.2. Adding a New GroupTo add a new group to the system, type the following at a shell prompt as root: groupadd [options] group_name
Table 3.3. groupadd command line options | Option | Description |
|---|
-f, --force | When used with -g gid and gid already exists, groupadd will choose another unique gid for the group. | -g gid | Group ID for the group, which must be unique and greater than 499. | -K, --key key=value | Override /etc/login.defs defaults. | -o, --non-unique | Allow to create groups with duplicate. | -p, --password password | Use this encrypted password for the new group. | -r | Create a system group with a GID less than 500. |
3.3.3. Creating Group DirectoriesSystem administrators usually like to create a group for each major project and assign people to the group when they need to access that project's files. With this traditional scheme, file managing is difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it becomes difficult to associate the right files with the right group. However, with the UPG scheme, groups are automatically assigned to files created within a directory with the setgid bit set. The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group which owns the directory. For example, a group of people need to work on files in the /opt/myproject/ directory. Some people are trusted to modify the contents of this directory, but not everyone. As root, create the /opt/myproject/ directory by typing the following at a shell prompt: mkdir /opt/myproject
Add the myproject group to the system: groupadd myproject
Associate the contents of the /opt/myproject/ directory with the myproject group: chown root:myproject /opt/myproject
Allow users to create files within the directory, and set the setgid bit: chmod 2775 /opt/myproject
At this point, all members of the myproject group can create and edit files in the /opt/myproject/ directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command: ~]# ls -l /opttotal 4drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 myproject 3.4. Additional ResourcesRefer to the following resources for more information about managing users and groups. 3.4.1. Installed DocumentationFor information about various utilities for managing users and groups, refer to the following manual pages: chage(1) - A command to modify password aging policies and account expiration. gpasswd(1) - A command to administer the /etc/group file. groupadd(8) - A command to add groups. grpck(8) - A command to verify the /etc/group file. groupdel(8) - A command to remove groups. groupmod(8) - A command to modify group membership. pwck(8) - A command to verify the /etc/passwd and /etc/shadow files. pwconv(8) - A tool to convert standard passwords to shadow passwords. pwunconv(8) - A tool to convert shadow passwords to standard passwords. useradd(8) - A command to add users. userdel(8) - A command to remove users. usermod(8) - A command to modify users.
For information about related configuration files, see: group(5) - The file containing group information for the system. passwd(5) - The file containing user information for the system. shadow(5) - The file containing passwords and account expiration information for the system.
Chapter 4. Gaining PrivilegesSystem administrators (and in some cases users) will need to perform certain tasks with administrative access. Accessing the system as root is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as su and sudo. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security. Refer to the Red Hat Enterprise Linux 6 Security Guide for more information on administrative controls, potential dangers and ways to prevent data loss resulting from improper use of privileged access. When a user executes the su command, they are prompted for the root password and, after authentication, are given a root shell prompt. Once logged in via the su command, the user is the root user and has absolute administrative access to the system . In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password. Because this program is so powerful, administrators within an organization may wish to limit who has access to the command. One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root: usermod -G wheel <username>
In the previous command, replace <username> with the username you want to add to the wheel group. You can also use the User Manager to modify group memberships, as follows. Note: you need Administrator privileges to perform this procedure. Click the menu on the Panel, point to and then click to display the User Manager. Alternatively, type the command system-config-users at a shell prompt. Click the Users tab, and select the required user in the list of users. Click Properties on the toolbar to display the User Properties dialog box (or choose on the menu). Click the Groups tab, select the check box for the wheel group, and then click OK.
After you add the desired users to the wheel group, it is advisable to only allow these specific users to use the su command. To do this, you will need to edit the PAM configuration file for su: /etc/pam.d/su. Open this file in a text editor and remove the comment (#) from the following line: #auth required pam_wheel.so use_uid This change means that only members of the administrative group wheel can switch to another user using the su command. The root user is part of the wheel group by default. The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user. The basic format of the sudo command is as follows: sudo <command>
In the above example, <command> would be replaced by a command normally reserved for the root user, such as mount. The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled as shown in the Red Hat Enterprise Linux 6 Security Guide. Each successful authentication using the sudo is logged to the file /var/log/messages and the command issued along with the issuer's username is logged to the file /var/log/secure. Should you require additional logging, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file: session required pam_tty_audit.so disable=<pattern> enable=<pattern> where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the root user and disable it for all other users: session required pam_tty_audit.so disable=* enable=root Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs. Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command. To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section: juan ALL=(ALL) ALL This example states that the user, juan, can use sudo from any host and execute any command. The example below illustrates the granularity possible when configuring sudo: %users localhost=/sbin/shutdown -h now This example states that any user can issue the command /sbin/shutdown -h now as long as it is issued from the console. The man page for sudoers has a detailed listing of options for this file. There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo as described above. Leaving the /etc/sudoers file in its default state gives every user in the wheel group unlimited root access. By default, sudo stores the sudoer's password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves his workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file: Defaults timestamp_timeout=<value> where <value> is the desired timeout length in minutes. Setting the <value> to 0 causes sudo to require a password every time. If a sudoer's account is compromised, an attacker can use sudo to open a new shell with administrative privileges: sudo /bin/bash
Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed.
4.3. Additional ResourcesWhile programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore refer to sources listed below for more information regarding security and privileged access. Installed Documentationsu(1) - the manual page for su provides information regarding the options available with this command. sudo(8) - the manual page for sudo includes a detailed description of this command as well as a list of options available for customizing sudo's behavior. pam(8) - the manual page describing the use of Pluggable Authentication Modules for Linux.
Online Documentation |
| |
