GNU Linux -> sudo: allow user to run programs as root administrator temporarily

26.May.2015

Administration / Server, CyberSec / ITSec / Sicherheit / Security / SPAM, Debian, Fedora / RedHat / CentOS, fix errors, GNU-Linux, SUSE

less is more (security)

in compliance with the UNIX K.I.S.S philosophy
- run as little software as absolutely necessary
- stop/uninstall/disable all services not absolutely needed
- less software = less lines of mistaken code = less security flaws = higher probability those semi(?)automatic updates actually work
- run as much software non-root as possible but bare in mind: there are a ton of “privilege escalation” exploits out there, that allow non-root users to become root

how to allow username to use sudo:

meaning start temporary run processes with root-privileges, by adding him to the group “sudo” or “wheel”

# become root
su - root

# deb based distros
usermod -a -G sudo username; # Debian8/10/11,Ubuntu,Arch(untested)

# rpm based distros
usermod -a -G wheel username; # Suse12 / Fedora / CentOS7 / RedHat

# problem: changes to group membership might only be active after reboot or relogin
Ctrl+D; # log off root, become non-root default user
groups; # what groups is the user in?
user cdrom floppy audio dip video plugdev users netdev lpadmin scanner

# also required to edit /etc/sudoers config file
visudo
# why visudo?

“visudo command is a safe and secure way of editing the /etc/sudoers file on UNIX and Linux systems. /etc/sudoers is instumental for gaining privileged access via sudo command.

good idea to take some precautions when editing it, and that’s what visudo does

It locks the sudoers file so it cannot be edited by anyone else simultaneously. It also checks the syntax” (src)

# or manually
vim /etc/sudoers

# rpm based distros: uncomment following line
%wheel ALL=(ALL) ALL

# deb based distros: uncomment following line
%sudo ALL=(ALL:ALL) ALL
# if all users of group wheel should be allowed to run all commands
# without entering a password
%wheel ALL=(ALL) NOPASSWD:ALL

# so reboot
reboot

# after that reboot test if sudo is working
sudo bash
[sudo] password for user:
/home/user# <- yes root shell :)

# run command as different user
useradd -m bob; # add username bob to the system
passwd bob; # give username a password

# sudo allows to run processes as a different user
su - root
sudo -u bob sleep 30 & ps uax|grep sleep
root 1335 0.0 0.3 6436 3768 pts/0 S 11:48 0:00 sudo -u bob sleep 30
bob 1339 0.0 0.0 3744 536 pts/0 S 11:48 0:00 sleep 30

# but it could also be done like
su bob sleep 30 & ps uax|grep sleep

… or it will ask bob to input root’s password if he runs for example “sudo bash”.
For more detailed specification of the privileges of bob, instead of adding him to the group sudoers you can:

sudo visudo; # open up the sudoers config file, this also does syntax-checking

>>> /etc/sudoers: syntax error near line 15 <<<
What now?

type “e” and hit enter to re-edit the file.

vim /etc/sudoers; # you could also do those changes “manually”, but without the syntax-checking

and right below

# User privilege specification
root ALL=(ALL:ALL) ALL

bob ALL=(root) /usr/sbin/useradd, /usr/bin/passwd, !/usr/bin/passwd root

ESC :wq! # force save and quit in vim

what does that line mean?

bob ALL=(root)

bob may sudo to run processes as root (not as any other user)

what follows is a ,comma,separated,list of commands that bob is allowed to run

!/and/some/programs/he/is/NOT/allowed/to/run

(whitelist-blacklist)

bob should now be allowed to add a user – without being member of group sudo or wheel

sudo /usr/sbin/useradd -m jo; # try it 😀 should work

# wait for 5 minutes until sudo password-caching expired

# or you will get “passwd: You may not view or modify password information for jo.”

sudo /usr/bin/passwd jo; # asign password to newly created user jo, should work too

another example:

%LimitedAdmins ALL=NOPASSWD: /usr/bin/apt-get*, /etc/init.d/apache2 restart

# will allow admins to use apt-get install or apt-get update or apt-get upgrade

# will allow admins to restart apache2, without even asking for a password

id of the super-user-group:

root@Debian8:/# cat /etc/group|grep sudo
sudo:x:27:

[root@CentOS7]# cat /etc/group|grep wheel
wheel:x:10:

suse12:/# cat /etc/group|grep wheel
wheel:x:10:

manpage: sudo.man.txt

can’t resolve hostname

if you get strange error: two things to check (assuming your machine is called my-machine, you can change this as appropriate):

That the /etc/hostname file contains just the name of the machine.
That /etc/hosts has an entry for localhost. It should have something like:
```
 127.0.0.1    localhost.localdomain localhost
 127.0.1.1    my-machine
```

If either of these files aren’t correct (since you can’t sudo), you may have to reboot the machine into recovery mode and make the modifications, then reboot to your usual environment.

sudo lag – takes long time until command starts to run

this is actually a network problem 😀

so sudo uses unix sockets…. 😀

https://unix.stackexchange.com/questions/132527/slow-sudo-because-of-socket-connections

Found here User “rohandhruva” on there gives the right answer:
This happens if you change the hostname during the install process.

To solve the problem, edit the file /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <ADD_YOURS_HERE> 
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <ADD_YOURS_HERE>

https://www.startpage.com/do/dsearch?query=sudo+lag&cat=web&pl=opensearch&language=deutsch

liked this article?

only together we can create a truly free world
plz support dwaves to keep it up & running!
(yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
really really hate advertisement
contribute: whenever a solution was found, blog about it for others to find!
talk about, recommend & link to this blog and articles
thanks to all who contribute!

admin