Linux Privilege Delegation With Sudoers

1. Overview

It is a security best practice not to log in as the root user, whether from the console or remotely. Instead, log in as a normal user and use the command “sudo” to perform the tasks that require root privilege.

The command “sudo” delegates to specific normal users or groups the ability to run commands as root, and it logs every command executed and every failed access attempt to a file for security auditing. The log is “/var/log/secure” on Red Hat, Fedora, and CentOS, or “/var/log/auth.log” on Ubuntu and Debian.

This article demonstrates how to configure sudoers for authority delegation on Debian 8 Linux, but it should apply to other Linux operating systems (OS) too.

2. Prerequisites

In this article, it is presumed that:

a. You already have a Debian 8.4 (Jessie) server installed and running. If you don’t, you may want to read this link: Installing Debian OS With Logical Volume Manager (LVM)
b. You have an internet connection in place.
c. You have done the initial configuration needed after a fresh installation of Debian 8, as in the following link: Debian 8.x Initial Server Configuration

3. Installing Sudo Command

Most Linux distributions, including Debian 8, do not have the sudo utility installed by default. Use the following commands to install the command sudo.

On Debian and Ubuntu

#apt-get install sudo

On Red Hat, Fedora, and CentOS

#yum install sudo

4. What Is Command visudo?

The configuration of the command “sudo” is the file /etc/sudoers. It is recommended to use the command “visudo” to edit the file “/etc/sudoers” instead of another text editor. The reason is that improper syntax in the file “/etc/sudoers” can leave you with a system where it is impossible to obtain elevated privileges. The command “visudo” validates the syntax of the file upon saving and prevents configuration errors from blocking sudo operations.

By default the editor used by the command “visudo” in Debian 8 is nano, but you can change it to your favorite one with the following command. Let’s change to the vim text editor by entering number 3 as the selected option.

#update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode

Press enter to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/editor (editor) in manual mode

5. Creating Users And Group

Since the command “sudo” delegates privileges to a normal user or a group of normal users, we need to create the users and groups that will be used in the sudoers configuration. They will then be able to use the command “sudo” from their own accounts to execute root commands without logging in to the root account.

Create a group named “sysadmin” to contain the normal user accounts, using the command “groupadd” as below.

#groupadd sysadmin

Use the command “adduser” to create a new user account named “tom”.

#adduser tom

Then, add the user account “tom” to the existing group “sysadmin” with the command “addgroup” as below.

#addgroup tom sysadmin

Create another user account named “jerry” with the command “adduser” as follows.

#adduser jerry

Then, add the user account “jerry” to the existing group “sysadmin” with the command “addgroup” as below.

#addgroup jerry sysadmin

Finally, verify the members of the group “sysadmin” as follows.

#cat /etc/group | grep sysadmin

sysadmin:x:1001:tom,jerry

Normally, after creating a user we need to set a password for that user. In Linux all user password hashes are stored in the file “/etc/shadow”. Therefore, it is entirely possible to copy a user’s password hash from one system to another.

For instance, if there is a user named “tom” on the server with host name “dcvp-web01” and password “tom@123”, and we want the same password for the user account “tom” on another server named “dcvp-web02”, we do the following.

On the server with host name “dcvp-web01”, execute the following command and copy the result to paste on the other server with host name “dcvp-web02”.

root@dcvp-web01:~# cat /etc/shadow | grep tom
tom:$6$jzmfibcU$YaqaWI8s3qgWMSwL7VKM1.zUNKvy9.KDz/A9mbSPYBxM1VZKYIDG8pcAdqrQQurlhK9Asz5z6MMw4MBcOtRod.:17190:0:99999:7:::

On the server with host name “dcvp-web02”, edit the file “/etc/shadow” and replace the line starting with “tom” with the text copied from the server with host name “dcvp-web01” in the step above.

root@dcvp-web02:~# vim /etc/shadow
tom:$6$jzmfibcU$YaqaWI8s3qgWMSwL7VKM1.zUNKvy9.KDz/A9mbSPYBxM1VZKYIDG8pcAdqrQQurlhK9Asz5z6MMw4MBcOtRod.:17190:0:99999:7:::

Now user “tom” should be able to log in to server “dcvp-web02” with exactly the same password as on server “dcvp-web01”.
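Before pasting a copied entry into another server’s “/etc/shadow”, it is worth checking what the entry actually contains. The following shell script is an added example, not part of the original article; it takes the “tom” entry shown above as its constructed input and reports the hash scheme (which the destination host’s crypt(3) must support), whether the account is locked, and the last-change date decoded from the days-since-epoch field.

```shell
#!/bin/sh
# Added example: inspect a copied /etc/shadow entry before transplanting it.
# Field layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved,
# where lastchange/expire are days since 1970-01-01. The entry is the one from
# the article (constructed input for this script).
SHADOW_LINE='tom:$6$jzmfibcU$YaqaWI8s3qgWMSwL7VKM1.zUNKvy9.KDz/A9mbSPYBxM1VZKYIDG8pcAdqrQQurlhK9Asz5z6MMw4MBcOtRod.:17190:0:99999:7:::'

# shadow_field ENTRY N -> prints colon-separated field N of the entry
shadow_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# shadow_algo ENTRY -> names the crypt(3) scheme from the $id$ prefix of the hash.
# A destination host without this scheme will silently refuse the login.
shadow_algo() {
  case "$(shadow_field "$1" 2)" in
    '$6$'*)                    echo sha512 ;;
    '$5$'*)                    echo sha256 ;;
    '$1$'*)                    echo md5 ;;
    '$y$'*)                    echo yescrypt ;;
    '$2a$'*|'$2b$'*|'$2y$'*)   echo bcrypt ;;
    '!'*|'*'*)                 echo locked ;;   # "!" or "*" prefix: password login disabled
    '')                        echo empty ;;    # no password at all: never copy such an entry
    *)                         echo unknown ;;
  esac
}

# days_to_date DAYS -> YYYY-MM-DD for a "days since epoch" field, in pure shell
# arithmetic (civil-from-days algorithm), so it does not depend on GNU date.
days_to_date() {
  z=$(($1 + 719468)); era=$((z / 146097)); doe=$((z - era * 146097))
  yoe=$(((doe - doe / 1460 + doe / 36524 - doe / 146096) / 365))
  doy=$((doe - (365 * yoe + yoe / 4 - yoe / 100)))
  mp=$(((5 * doy + 2) / 153)); d=$((doy - (153 * mp + 2) / 5 + 1))
  m=$((mp < 10 ? mp + 3 : mp - 9)); y=$((yoe + era * 400 + (m <= 2)))
  printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# shadow_report ENTRY -> one-line summary of what is about to be transplanted
shadow_report() {
  printf 'user=%s algo=%s lastchange=%s maxdays=%s\n' \
    "$(shadow_field "$1" 1)" "$(shadow_algo "$1")" \
    "$(days_to_date "$(shadow_field "$1" 3)")" "$(shadow_field "$1" 5)"
}

shadow_report "$SHADOW_LINE"   # user=tom algo=sha512 lastchange=2017-01-24 maxdays=99999
```

The decoded last-change date (2017-01-24) matches the day the article’s transcripts were taken, which is a quick sanity check that the right line was copied.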

6. Creating Aliases in Sudoers

In the “sudoers” file, we can define aliases to create a group containing users without creating that group in the system. This is the recommended approach when assigning a privilege to a group with sudoers, because the group membership is easier to customize than with a system group. Alias names must be in capital letters.

Use an alias to create a group named “SYSADMIN” with two members, tom and jerry, as follows.

#visudo

User_Alias  SYSADMIN = tom, jerry

7. Understand File /etc/sudoers Syntax

7.1 User Privilege Syntax

The following is the user privilege syntax to be configured in the file “/etc/sudoers”:

USER HOSTNAME=(RUNASUSER:RUNASGROUP) COMMAND
  • USER: the name of a normal user.
  • HOSTNAME: the host name of the system where this rule applies.
  • RUNASUSER: the user account that USER is allowed to run the command as.
  • RUNASGROUP: the group that USER is allowed to run the command as.
  • COMMAND: the commands delegated to USER.

7.2 Group Privilege Syntax

The following is the system group privilege syntax to be configured in the file “/etc/sudoers”. The character “%” indicates a system group name.

%SystemGroup HOSTNAME=(RUNASUSER:RUNASGROUP) COMMAND
  • SystemGroup: a group that exists in the system.
USERALIAS HOSTNAME=(RUNASUSER:RUNASGROUP) COMMAND
  • USERALIAS: a group defined by a “User_Alias” setting in the file “/etc/sudoers”.
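
To see how these rule forms combine, here is a small rule evaluator written as an added example for this article; it is not sudo’s own parser. It takes a constructed sudoers excerpt and a constructed /etc/group line, understands the USER, %SystemGroup and USERALIAS forms above plus the NOPASSWD: tag used in section 8, and, like sudo, lets the last matching rule decide.

```shell
#!/bin/sh
# Added example (not from the article): evaluator for the sudoers rule forms
# USER / %group / User_Alias, HOSTNAME, optional NOPASSWD: tag, command list.
# Not sudo's parser: (RUNASUSER:RUNASGROUP) is skipped, Defaults/Cmnd_Alias
# are not handled, and commands must match exactly. Inputs are constructed.
SUDOERS_SAMPLE='
User_Alias  SYSADMIN = tom, jerry
%sysadmin ALL=(ALL:ALL) /etc/init.d/ssh status
tom ALL=(ALL:ALL) /etc/init.d/ssh restart, /etc/init.d/ssh status
jerry ALL=(ALL:ALL) NOPASSWD: ALL
SYSADMIN dcvp-web01=(ALL:ALL) /etc/init.d/ssh status
'
GROUP_SAMPLE='sysadmin:x:1001:tom,jerry'   # stand-in for the /etc/group line

# sudoers_check USER HOST COMMAND -> prints allow, allow-nopasswd or deny
# Like sudo, every matching rule is applied in file order and the LAST match wins.
sudoers_check() {
  printf '%s\n' "$SUDOERS_SAMPLE" | awk -v user="$1" -v host="$2" -v cmd="$3" -v groups="$GROUP_SAMPLE" '
  function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
  BEGIN {
    n = split(groups, gl, "\n")               # group:x:gid:m1,m2 -> ingroup[group,member]
    for (i = 1; i <= n; i++) if (split(gl[i], gf, ":") >= 4) {
      m = split(gf[4], gm, ","); for (j = 1; j <= m; j++) ingroup[gf[1] SUBSEP gm[j]] = 1 }
    verdict = "deny"
  }
  /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
  $1 == "User_Alias" {                        # User_Alias NAME = u1, u2
    line = trim($0); sub(/^User_Alias[ \t]+/, "", line); split(line, kv, "=")
    m = split(kv[2], am, ","); for (j = 1; j <= m; j++) alias[trim(kv[1]) SUBSEP trim(am[j])] = 1
    next
  }
  {                                           # SPEC HOST=(RUNAS) [NOPASSWD:] CMD, CMD
    spec = $1; rest = trim($0); sub(/^[^ \t]+[ \t]+/, "", rest)
    eq = index(rest, "="); if (eq == 0) next
    hostpart = trim(substr(rest, 1, eq - 1)); rest = substr(rest, eq + 1)
    if (substr(rest, 1, 1) == "(") rest = substr(rest, index(rest, ")") + 1)
    rest = trim(rest); nopw = sub(/^NOPASSWD:[ \t]*/, "", rest)
    if (substr(spec, 1, 1) == "%") { key = substr(spec, 2) SUBSEP user; subj = (key in ingroup) }
    else if (spec ~ /^[A-Z_]+$/ && spec != "ALL") { key = spec SUBSEP user; subj = (key in alias) }
    else subj = (spec == user || spec == "ALL")
    if (!subj || (hostpart != "ALL" && hostpart != host)) next
    m = split(rest, cl, ",")
    for (j = 1; j <= m; j++) { c = trim(cl[j]); if (c == "ALL" || c == cmd) verdict = nopw ? "allow-nopasswd" : "allow" }
  }
  END { print verdict }'
}

sudoers_check tom   dcvp-web02 '/etc/init.d/ssh restart'   # allow
sudoers_check jerry dcvp-web01 '/etc/init.d/ssh status'    # allow: the later SYSADMIN rule overrides jerry's NOPASSWD
```

The second call shows the last-match behaviour that catches people out: a later, narrower rule for a group jerry belongs to reinstates the password prompt on that host even though an earlier rule granted him NOPASSWD: ALL.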

8. Delegation Commands Authority

8.1 Delegate to User

Let’s give “tom” the privilege to restart and view the status of the SSH service. Log in as root, execute the command “visudo”, and edit the configuration file as follows.

#visudo
tom ALL=(ALL:ALL) /etc/init.d/ssh restart, /etc/init.d/ssh status

Next, log in as user “tom” and try to execute the allowed commands above. We can try the command “/etc/init.d/ssh restart” first. User “tom” needs to use the command “sudo” to execute the allowed commands as root. The command “sudo” requires users to authenticate themselves with their own password. Once the user has been authenticated, the command executes successfully.

tom@dcvp-web02:~$ sudo /etc/init.d/ssh restart
sudo: unable to resolve host dcvp-web02

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for tom:
[ ok ] Restarting ssh (via systemctl): ssh.service.
tom@dcvp-web02:~$

Next, try to execute the command “/etc/init.d/ssh status”; the result should look like the following.

tom@dcvp-web02:~$ sudo /etc/init.d/ssh status
[sudo] password for tom:
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
   Active: active (running) since Tue 2017-01-24 20:59:47 ICT; 28min ago
 Main PID: 1281 (sshd)
   CGroup: /system.slice/ssh.service
           ├─ 933 sshd: root@pts/0
           ├─ 935 -bash
           ├─1281 /usr/sbin/sshd -D
           ├─1432 sshd: tom [priv]
           ├─1434 sshd: tom@pts/1
           ├─1435 -bash
           ├─1467 sudo /etc/init.d/ssh status
           ├─1476 /bin/sh /etc/init.d/ssh status
           └─1484 /bin/systemctl status ssh.service
tom@dcvp-web02:~$

If we try to run any other command that has not been allowed in the file “/etc/sudoers”, we get an error message like the following.

tom@dcvp-web02:~$ sudo /etc/init.d/ssh stop
Sorry, user tom is not allowed to execute '/etc/init.d/ssh stop' as root on dcvp-web02.
tom@dcvp-web02:~$
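Every attempt above, allowed or refused, ends up in the log mentioned in section 1. The script below is an added example, not from the article, that parses constructed sample lines in the format sudo writes to “/var/log/auth.log”, classifying each record as OK or DENIED and counting refusals per user.

```shell
#!/bin/sh
# Added example: pull sudo's audit trail out of /var/log/auth.log (Debian/Ubuntu)
# or /var/log/secure (Red Hat family). The lines below are constructed samples
# in the layout sudo emits via syslog: "user : [reason ;] TTY=... ; COMMAND=...".
SAMPLE_LOG='Jan 24 20:59:47 dcvp-web02 sudo:      tom : TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=/etc/init.d/ssh restart
Jan 24 21:03:10 dcvp-web02 sudo:      tom : command not allowed ; TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=/etc/init.d/ssh stop
Jan 24 21:04:02 dcvp-web02 sudo:    jerry : TTY=pts/2 ; PWD=/home/jerry ; USER=root ; COMMAND=/bin/bash
Jan 24 21:06:30 dcvp-web02 sudo:      tom : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=/etc/init.d/ssh status
Jan 24 21:08:00 dcvp-web02 sudo:      bob : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls'

# sudo_events (log on stdin) -> one line per record: "<OK|DENIED> <user> <reason> <command>"
# A record is a success when the text after "user :" begins with TTY=; anything
# else in that slot (command not allowed, incorrect password attempts, user NOT
# in sudoers) is the reason sudo refused, printed with spaces turned into "_".
sudo_events() {
  awk '/ sudo: / {
    line = $0; sub(/^.* sudo: +/, "", line)
    p = index(line, " : "); user = substr(line, 1, p - 1); line = substr(line, p + 3)
    n = split(line, f, " ; ")
    cmd = ""; for (i = 1; i <= n; i++) if (sub(/^COMMAND=/, "", f[i])) cmd = f[i]
    if (f[1] ~ /^TTY=/) print "OK " user " - " cmd
    else { gsub(/ /, "_", f[1]); print "DENIED " user " " f[1] " " cmd }
  }'
}

# sudo_denied_count (log on stdin) -> number of refused attempts
sudo_denied_count() { sudo_events | grep -c '^DENIED '; }

# sudo_user_summary USER (log on stdin) -> "ok=<n> denied=<n>" for one account
sudo_user_summary() {
  sudo_events | awk -v u="$1" 'BEGIN { ok = 0; d = 0 }
    $2 == u { if ($1 == "OK") ok++; else d++ }
    END { printf "ok=%d denied=%d\n", ok, d }'
}

printf '%s\n' "$SAMPLE_LOG" | sudo_events
printf '%s\n' "$SAMPLE_LOG" | sudo_denied_count      # 3
printf '%s\n' "$SAMPLE_LOG" | sudo_user_summary tom  # ok=1 denied=2
```

Run against a real file with `sudo_events < /var/log/auth.log`; the DENIED lines are the ones worth alerting on, since a burst of “command not allowed” or “incorrect password attempts” from one account is the first sign of a delegated user probing beyond their grant.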

In some cases we might need to delegate all root commands to a specific user. Let’s delegate all root commands to user “jerry”. Log in as root, execute the command “visudo”, and edit the configuration file as follows.

#visudo

jerry ALL=(ALL:ALL) ALL

Once all root commands have been delegated to user “jerry”, this user can also open a root shell and execute any command in it. To switch from the “jerry” shell to a root shell, run the command “sudo -s”. User “jerry” must first authenticate with his own password before the switch to the root shell succeeds.

jerry@dcvp-web02:~$ sudo -s
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jerry:
root@dcvp-web02:/home/jerry#

If you don’t want to type your password every time, the file “/etc/sudoers” has an option for this. Log in as root, execute the command “visudo”, and modify the configuration file as follows.

#visudo
jerry ALL=(ALL:ALL) NOPASSWD: ALL

Now whenever user “jerry” switches to the root shell, he is no longer required to authenticate with his password.

jerry@dcvp-web02:~$ sudo -s
root@dcvp-web02:/home/jerry#

8.2 Delegate to Group

The configuration that gives a group a privilege is almost identical to the configuration that gives a user a privilege. There are two options for assigning privileges to a group. Option 1 assigns the privilege to the system group (sysadmin), and option 2 assigns it to the user alias group (SYSADMIN).

Log in as root, execute the command “visudo”, and edit the configuration file as follows to give a group the privilege to restart and view the status of the SSH service.

Option 1:

#visudo
%sysadmin ALL=(ALL:ALL) /etc/init.d/ssh restart, /etc/init.d/ssh status

Option 2:

#visudo
SYSADMIN ALL=(ALL:ALL) /etc/init.d/ssh restart, /etc/init.d/ssh status

Next, log in as any user in the above group and try to execute the allowed commands. We can try the command “/etc/init.d/ssh restart” first as user “jerry”.

jerry@dcvp-web02:~$ sudo /etc/init.d/ssh restart
[sudo] password for jerry:
[ ok ] Restarting ssh (via systemctl): ssh.service.
jerry@dcvp-web02:~$

After that, log in as user “tom” and try the command “/etc/init.d/ssh status”; the result should look like the following.

tom@dcvp-web02:~$ sudo /etc/init.d/ssh status
[sudo] password for tom:
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
   Active: active (running) since Wed 2017-01-25 21:27:51 ICT; 16min ago
 Main PID: 981 (sshd)
   CGroup: /system.slice/ssh.service
           ├─ 875 sshd: root@pts/0
           ├─ 877 -bash
           ├─ 981 /usr/sbin/sshd -D
           ├─1034 sshd: tom [priv]
           ├─1036 sshd: tom@pts/1
           ├─1037 -bash
           ├─1052 sudo /etc/init.d/ssh status
           ├─1060 /bin/sh /etc/init.d/ssh status
           └─1068 /bin/systemctl status ssh.service

Jan 25 21:27:51 dcvp-web02 systemd[1]: Starting OpenBSD Secure Shell server...
Jan 25 21:27:51 dcvp-web02 systemd[1]: Started OpenBSD Secure Shell server.
tom@dcvp-web02:~$

Let’s see what happens when we try to run any other command that has not been allowed in the file “/etc/sudoers”: we get an error message like the following.

tom@dcvp-web02:~$ sudo /etc/init.d/ssh stop
Sorry, user tom is not allowed to execute '/etc/init.d/ssh stop' as root on dcvp-web02.
tom@dcvp-web02:~$

If you want to delegate all root commands to a group, log in as root, execute the command “visudo”, and edit the configuration file as follows.

Option 1:

#visudo
%sysadmin ALL=(ALL:ALL) ALL

Option 2:

#visudo
SYSADMIN ALL=(ALL:ALL) ALL

Let’s pick the user account “tom” from the group and try to switch to the root shell; the result should look like the following.

tom@dcvp-web02:~$ sudo -s
[sudo] password for tom:
root@dcvp-web02:/home/tom#

We can also configure “/etc/sudoers” not to require a password when users in the group switch to the root shell. Log in as root, execute the command “visudo”, and modify the configuration file as follows.

Option 1:

#visudo
%sysadmin ALL=(ALL:ALL) NOPASSWD: ALL

Option 2:

#visudo
SYSADMIN ALL=(ALL:ALL) NOPASSWD: ALL

Try to switch from the “tom” shell to the root shell; his password is no longer required.

tom@dcvp-web02:~$ sudo -s
root@dcvp-web02:/home/tom#

9. Conclusion

Now you should be able to delegate root privilege to certain normal users or groups. It is time to disable remote SSH login for the root account and use a normal user instead. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.
