less is more (security)

run as little software as you absolutely need – uninstall/disable all services you don’t need.

less software = less lines of mistaken code = less security flaws.

if you need a software or service run it as non-root user – so if it gets buffer-overflowed (hijacked) and remote-code run on your cpu … atleast it would not be run with root-privileges – limiting the damage.

it’s not a good idea to run all sorts of services and tasks as root with maximum privileges.

allows user bob to use sudo – meaning start temporary processes with root-privileges, by adding him to the group “sudo” or “wheel”

usermod -a -G sudo bob; # debian8

usermod -a -G wheel bob; # Suse12 / CentOS7 / RedHat

su; # become root

useradd -m bob; # add user bob to the system
passwd bob; # give him a password

# sudo allows to run processes as a different user
sudo -u bob sleep 30 & ps uax|grep sleep

root 1335 0.0 0.3 6436 3768 pts/0 S 11:48 0:00 sudo -u bob sleep 30
 bob 1339 0.0 0.0 3744 536 pts/0 S 11:48 0:00 sleep 30

usermod -a -G sudo bob; # debian8: add user bob to group sudo -> allows user bob to run (hopefully temporary) processes with root-privileges

usermod -a -G wheel bob; # under suse12 or centos7 this group is called "wheel"

under suse12 you will have to:

1. uncomment this line:

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

2. comment out those two lines:

# Defaults targetpw # ask for the password of the target user i.e. root
# ALL ALL=(ALL) ALL # WARNING! Only use this together with ‘Defaults targetpw’!

… or it will ask bob to input root’s password if he runs for example “sudo bash”.

For more detailed specification of the privileges of bob, instead of adding him to the group sudoers you can:

sudo visudo; # open up the sudoers config file, this also does syntax-checking

>>> /etc/sudoers: syntax error near line 15 <<<
What now?

type “e” and hit enter to re-edit the file.

vim /etc/sudoers; # you could also do those changes “manually”, but without the syntax-checking

and right below

# User privilege specification
root ALL=(ALL:ALL) ALL

bob ALL=(root) /usr/sbin/useradd, /usr/bin/passwd, !/usr/bin/passwd root

ESC :wq! # force save and quit in vim

what does that line mean?

bob ALL=(root)

bob may sudo to run processes as root (not as any other user)

what follows is a ,comma,separated,list of commands that bob is allowed to run

!/and/some/programs/he/is/NOT/allowed/to/run

(whitelist-blacklist)

bob should now be allowed to add a user – without being member of group sudo or wheel

sudo /usr/sbin/useradd -m jo; # try it 😀 should work

# wait for 5 minutes until sudo password-caching expired

# or you will get “passwd: You may not view or modify password information for jo.”

sudo /usr/bin/passwd jo; # asign password to newly created user jo, should work too

another example:

%LimitedAdmins ALL=NOPASSWD: /usr/bin/apt-get*, /etc/init.d/apache2 restart

# will allow admins to use apt-get install or apt-get update or apt-get upgrade

# will allow admins to restart apache2, without even asking for a password

id of the super-user-group:

root@Debian8:/# cat /etc/group|grep sudo
sudo:x:27:

[root@CentOS7]# cat /etc/group|grep wheel
wheel:x:10:

suse12:/# cat /etc/group|grep wheel
wheel:x:10:

manpage: sudo.man.txt

can’t resolve hostname

if you get strange error: two things to check (assuming your machine is called my-machine, you can change this as appropriate):

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <ADD_YOURS_HERE> 
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <ADD_YOURS_HERE>

admin