-------------------------------------------------------------------------------
SuDo

Sudo is a replacement for the older "su" command, which has configuration
files that allow you to specify exactly what commands specific users can run
as root, or even as some other user.

A password is asked to confirm the user's identity, unless flagged as not
being needed (such as from a script).

Commands, Users, and Hosts can be grouped together, and even defined according
to unix groups. And if multiple sudo commands are run in quick succession, the
user is not asked to re-authenticate themselves (ask password), at least for a
few minutes.

Example...

=======8<--------CUT HERE----------
#
# Define what environment is to be passed (mostly display and language)
#
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

# Allow root to run any commands anywhere as any one!
#
#   ,--- User or group or users able to run command
#   |    ,--- Hosts the command is allowed to run on
#   |    |   ,--- The users the command can be run as (optional)
#   |    |   |     ,--- The command to run
#   V    V   V     V
    root ALL=(ALL) ALL

# user "operator" can reboot or poweroff the machine (without a password)
operator ALL= NOPASSWD: /usr/bin/reboot, /usr/bin/poweroff
=======8<--------CUT HERE----------

The main configuration file ("/etc/sudoers") is edited using

  visudo

Or a sub-configuration file using

  visudo -f /etc/sudoers.d/{config}

When a command is run, the path to the command (according to the PATH
environment variable) must match the full path given in the sudo
configuration.

-------------------------------------------------------------------------------
List sudo commands...
sudo -l will list the sudo commands you have, but it is unformatted.
This reformats it to make it more readable

  sudo_list() { sudo -l "$@" | sed 's/\([:,]\) */\1\n\t/g'; }

As root, to list a specific user's commands use

  sudo -l -U {user}
  sudo_list -U {user}

-------------------------------------------------------------------------------
Setting a password helper

Sudo has a -A option that will let it ask a program, set by the $SUDO_ASKPASS
environment variable, for the password. However if this environment variable
is not set, it will generate an error.

  sudo: no askpass program specified, try setting SUDO_ASKPASS

Warning this leaves a zombie process on RH6, as sudo does not 'wait' on
the child process after it has exited! Arrggghh...

Also it disables the caching of user credentials (which prevents asking the
password for multiple sudo commands), but that is okay if the user is only
using sudo to get a root shell.

Example...

=======8<--------CUT HERE----------
root_sudo() {
  echo "Root (sudo) type your own password..."
  if [ "X$SUDO_ASKPASS" != "X" ]; then    # personal "askpass" program?
    # The '-A' gets sudo to use the "$SUDO_ASKPASS" program for password
    sudo -A bash -c "HOME=$HOME exec bash --login"
  else
    sudo bash -c "HOME=$HOME exec bash --login"
  fi
}

root() {
  history -a               # append 'new' history to HISTFILE for the root shell
  root_sudo                # call the appropriate "become root" method
  history -c; history -r   # clear and re-read history from history file
}

# exported, as sudo reads it from the environment, not the shell's variables
export SUDO_ASKPASS=systemd-ask-password
=======8<--------CUT HERE----------

User can now use "root" to get a root shell, with "systemd-ask-password"
printing 'stars' as feedback during the password reading.

WARNING: "systemd-ask-password" can leave the TTY in a bad state.
Here is a wrapper for it.

=======8<--------CUT HERE----------
#!/bin/sh
# use the systemd to ask for a password with echoed 'stars'
# Warning "sudo" with interrupt - can leave the TTY in a bad state!
# Thus I save and restore the TTY settings
stty_save=`stty -g`
trap 'stty "$stty_save"' EXIT
/bin/systemd-ask-password --timeout=0 "${1:-Password: }"
exit $?
=======8<--------CUT HERE----------

Or use my "askpass_stars" script.
  https://antofthy.gitlab.io/software/#askpass_stars

-------------------------------------------------------------------------------
Flaws and Gotchas

A command on its own can run with ANY argument!

For example if you allow mount, then the user can mount anything, from
anywhere, with any mount options. That means they can export a file system
from some other system they have root on, with a suid program, and mount it,
letting them get a root shell.

=======8<--------
test ALL=(ALL) /bin/cat
=======8<--------
test> cat /etc/shadow       # "test" user can look at ANY file!
...

Command using '*' as an argument

Sudo does not parse the command like a shell, and a '*' means any character,
so it can expand to a space separated set of any arguments the user likes,
including other commands! This can be considered a MAJOR configuration flaw.

Watch out for commands that can run other commands (like vi and visudo)

=======8<--------
# User can run root shell!
test ALL=(ALL) /bin/bash
# you may as well have allowed this instead!
#test ALL=(ALL) ALL
=======8<--------

NOT-user fails (reported)... CVE-2019-14287
  https://access.redhat.com/security/cve/cve-2019-14287

=======8<--------
test ALL=(ALL, !root) /usr/bin/id
=======8<--------
test> sudo -u -1 id         # id can run as root using a user of -1
uid=0(root) gid=0(root) groups=0(root)

-------------------------------------------------------------------------------
Only run if script has not changed

For scripts the user may edit, set a checksum hash (either hex or base64), to
ensure they have not changed it.

  oracle ALL=NOPASSWD: sha256:9fdc94db24772bbba87dba27c4aacf66db75f6e116fd58e2e04f3f4cd4428137 /ora/app/19.0.0/grid/root.sh

A list of different variants can be comma separated.

Hash generation...

Hex...
  openssl dgst -sha224 /bin/ls
  SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25

Base64...

  openssl dgst -binary -sha224 /bin/ls | openssl base64
  EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==

-------------------------------------------------------------------------------
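Putting the hash generation above into a reusable form. This is an added example, not part of these notes and not code from the sudo project: it builds the "shaNNN:digest" prefix for a script, prints the matching sudoers line, and re-checks a file against a recorded digest (the same comparison sudo makes before running a digest-pinned command). It assumes openssl is installed (falling back to the coreutils shaNNNsum tools for the hex form); the function names hexdigest, b64digest, sudoers_rule and verify_digest are mine, and the script it hashes is a constructed temp file, so nothing is installed into /etc/sudoers.

```shell
#!/bin/sh
# Added example: generate and verify sudoers "shaNNN:digest" command prefixes.
# Assumes openssl (or coreutils shaNNNsum) is on the PATH.

hexdigest() {   # usage: hexdigest BITS FILE   (BITS is 224, 256, 384 or 512)
    if command -v openssl >/dev/null 2>&1; then
        # output looks like "SHA256(file)= <hex>"; keep only the hex part
        openssl dgst -sha"$1" "$2" | sed 's/^.*= *//'
    else
        sha"$1"sum "$2" | cut -d' ' -f1
    fi
}

b64digest() {   # usage: b64digest BITS FILE   (shorter base64 form, needs openssl)
    openssl dgst -binary -sha"$1" "$2" | openssl base64
}

sudoers_rule() {   # usage: sudoers_rule USER BITS FILE  -> one complete sudoers line
    printf '%s ALL=(ALL) NOPASSWD: sha%s:%s %s\n' \
        "$1" "$2" "$(hexdigest "$2" "$3")" "$3"
}

# usage: verify_digest FILE sha<BITS>:<hex>  -> exit 0 only if FILE still matches.
# (hex form only; sudo itself also accepts the base64 form)
verify_digest() {
    bits=${2%%:*}; bits=${bits#sha}
    want=${2#*:}
    [ "$(hexdigest "$bits" "$1")" = "$want" ]
}

# demo on a constructed script (a temp file, not the root.sh from the notes)
demo=$(mktemp)
printf '#!/bin/sh\necho hello\n' > "$demo"
sudoers_rule oracle 256 "$demo"
spec="sha256:$(hexdigest 256 "$demo")"
verify_digest "$demo" "$spec" && echo "unchanged: rule still valid"
echo 'echo edited' >> "$demo"      # simulate the user editing their script
verify_digest "$demo" "$spec" || echo "changed: sudo would refuse to run it"
rm -f "$demo"
```

Regenerate the rule with sudoers_rule whenever the script is legitimately updated; until then any edit, even whitespace, makes verify_digest (and sudo) reject it.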
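The patterns listed under "Flaws and Gotchas" above (a bare command that accepts any arguments, a '*' in the argument list, commands that can run other commands, a negated runas list as in CVE-2019-14287, and ALL for a non-root user) can be checked for mechanically before a sudoers file is installed. This is an added example, not part of these notes or of the sudo distribution: a small awk-based linter over a sudoers file, run here against a constructed sample that is not a real /etc/sudoers. The names audit_sudoers and write_sample_sudoers are mine, and the list of "runs other commands" programs is an assumption to extend for your own site.

```shell
#!/bin/sh
# Added example: flag risky user specifications in a sudoers file.
# Only user specs are inspected; Defaults and *_Alias lines are skipped.

write_sample_sudoers() {   # usage: write_sample_sudoers FILE  (constructed sample)
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults env_reset
root     ALL=(ALL) ALL
admin    ALL=(ALL) NOPASSWD: ALL
operator ALL= NOPASSWD: /usr/bin/reboot, /usr/bin/poweroff
test     ALL=(ALL) /bin/cat
test     ALL=(ALL) /usr/bin/vi
test     ALL=(ALL, !root) /usr/bin/id
backup   ALL=(ALL) NOPASSWD: /usr/bin/rsync -a * /backup/
oracle   ALL=NOPASSWD: sha256:9fdc94db24772bbba87dba27c4aacf66db75f6e116fd58e2e04f3f4cd4428137 /ora/app/19.0.0/grid/root.sh
EOF
}

audit_sudoers() {   # usage: audit_sudoers FILE   (prints one finding per line)
    awk '
    /^[ \t]*#/ { next }                        # comment
    /^[ \t]*$/ { next }                        # blank line
    /^[ \t]*Defaults/ { next }                 # not a user specification
    /^[ \t]*[A-Za-z_]+_Alias[ \t]/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        user = $1
        spec = substr($0, eq + 1)              # everything after "user HOST="
        runas = ""
        if (match(spec, /^[ \t]*\([^)]*\)/)) { # optional "(runas_list)"
            runas = substr(spec, RSTART, RLENGTH)
            spec  = substr(spec, RSTART + RLENGTH)
        }
        sub(/^[ \t]+/, "", spec); sub(/[ \t]+$/, "", spec)
        nopass = 0
        if (spec ~ /^NOPASSWD:/) { nopass = 1; sub(/^NOPASSWD:[ \t]*/, "", spec) }
        if (runas ~ /!/)
            printf "%s: negated runas %s is a deny-list, not an allow-list (cf. CVE-2019-14287)\n", user, runas
        n = split(spec, cmds, /,[ \t]*/)       # comma separated command list
        for (i = 1; i <= n; i++) {
            cmd = cmds[i]
            if (cmd == "ALL") {
                if (user != "root")
                    printf "%s: may run ANY command%s\n", user, (nopass ? " without a password" : "")
                continue
            }
            if (cmd ~ /\*/)
                printf "%s: wildcard in \"%s\" can match extra arguments\n", user, cmd
            nparts = split(cmd, parts, /[ \t]+/)
            prog = parts[1]
            if (prog ~ /^sha[0-9]+:/) { prog = parts[2]; nparts-- }   # digest prefix
            base = prog; sub(/.*\//, "", base)
            # assumed list of programs that can run other commands; extend as needed
            if (base ~ /^(sh|bash|zsh|vi|vim|visudo|less|more)$/)
                printf "%s: \"%s\" can run other commands as root\n", user, prog
            if (nparts == 1)
                printf "%s: \"%s\" accepts ANY arguments (none listed)\n", user, prog
        }
    }' "$1"
}

# run it over the constructed sample ("audit_sudoers /etc/sudoers" for real)
tmp=$(mktemp)
write_sample_sudoers "$tmp"
audit_sudoers "$tmp"
rm -f "$tmp"
```

This is a semantic check only; "visudo -c -f FILE" still does the syntax check. On the sample the root line produces nothing (root may run ALL by design), while every other rule trips at least one of the gotchas from the section above.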