20160804 Linux and Unix sudo command
INDEX
---------------------------------------------------
1. sudo CMD
1.1 About the sudo command
1.2 sudo command syntax
1.3 sudo description
1.4 sudo command options
1.5 sudo command examples
2. /etc/sudoers file
2.1 About the /etc/sudoers file
2.2 Comparison of the /etc/sudoers file across Linux distributions
3. sudo lab exercises
---------------------------------------------------
■ Why the sudo command is needed
user01 (backup: dump/restore CMD) ----> su CMD ---> root user (dump/restore CMD)
user01 (backup: dump/restore CMD) ----> sudo CMD --->
/etc/sudoers
user01 ALL=dump restore
(The sudoers line above is schematic; in real sudoers syntax the commands are full paths separated by commas, e.g. user01 ALL=/usr/sbin/dump, /usr/sbin/restore.)
■ Advantages of using the sudo scheme
(a) An ordinary user (e.g. user01) does not need to know the administrator's (e.g. root's) password to do the work.
(b) The set of commands an ordinary user may run with administrator privileges is spelled out explicitly.
1. sudo CMD
(1) About sudo
sudo ("superuser do") allows a user with proper permissions to execute a command as another user, such as the superuser.
(2) sudo syntax
sudo -V | -h | -l | -L | -v | -k | -K | -s | [ -H ] [-P ] [-S ] [ -b ] |
[ -p prompt ] [ -c class|- ] [ -a auth_type ] [-r role ] [-t type ]
[ -u username|#uid ] command
(3) sudo description
sudo allows a permitted user to execute a command as another user, according to specifications in the /etc/sudoers file. The real and effective uid and gid of the issuing user are then set to match those of the target user account as specified in the passwd file.
By default, sudo requires that users authenticate themselves with a password. By default this is the user's password, not the root password itself.
Once a user has been authenticated, a timestamp is recorded and the user may use sudo without a password for a short period of time (5 minutes, unless configured differently in sudoers). This timestamp can be renewed if the user issues sudo with the -v flag.
If a user not listed in sudoers tries to run a command using sudo, it is considered an unsuccessful attempt to breach system security and mail is sent to the proper authorities, as defined at configure time or in the sudoers file. The default authority to be notified of unsuccessful sudo attempts is root. Note that the mail will not be sent if an unauthorized user tries to run sudo with the -l or -v flags; this allows users to determine for themselves whether or not they are allowed to use sudo.
sudo can log both successful and unsuccessful attempts (as well as errors) to syslog, a unique log file, or both. By default sudo will log to syslog but this can be changed at configure time or in the sudoers file.
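Because sudo logs both successful and unsuccessful attempts to syslog by default, a defender can review those entries without touching sudoers at all. The following POSIX shell script is an added example, not part of the original page or of sudo itself: it classifies sudo syslog entries into successful runs, commands refused by policy ("command not allowed"), users absent from sudoers ("user NOT in sudoers") and failed authentication ("incorrect password attempts"), then summarises the counts. The log lines in SUDO_LOG_SAMPLE are constructed for the example (host name centos59 and the user names are illustrative); their layout follows the form sudo writes to syslog on Linux.

```shell
#!/bin/sh
# Added example, not part of the original post: classify sudo syslog entries.
# SUDO_LOG_SAMPLE is constructed; the layout "user : [reason ;] TTY=... ; PWD=... ;
# USER=... ; COMMAND=..." is the one sudo writes to syslog on Linux.

SUDO_LOG_SAMPLE='Sep 21 15:41:07 centos59 sudo:   user01 : TTY=pts/3 ; PWD=/home/user01 ; USER=root ; COMMAND=/sbin/shutdown +3 -h
Sep 21 15:55:10 centos59 sudo:   user02 : TTY=pts/4 ; PWD=/home/user02 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 21 15:56:02 centos59 sudo:   user02 : command not allowed ; TTY=pts/4 ; PWD=/home/user02 ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Sep 21 15:57:30 centos59 sudo:   user04 : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/user04 ; USER=root ; COMMAND=/bin/ls /root
Sep 21 15:58:45 centos59 sudo:   user03 : 3 incorrect password attempts ; TTY=pts/6 ; PWD=/home/user03 ; USER=root ; COMMAND=/etc/init.d/sshd restart
Sep 21 15:58:46 centos59 sudo: pam_unix(sudo:auth): authentication failure; logname=user03 uid=502'

# sudo_classify [file]: one "class<TAB>user<TAB>command" line per sudo entry
# (reads stdin when no file is given). Classes: success, denied,
# not_in_sudoers, bad_password. PAM and other non-policy lines are skipped.
sudo_classify() {
    awk -F' sudo: +' '
        NF < 2 { next }                               # not a sudo entry at all
        {
            n = split($2, f, / ; /)                   # "user : reason?", TTY=, PWD=, USER=, COMMAND=
            if (f[1] !~ /^[^ ]+ : /) next             # e.g. pam_unix(...) lines
            split(f[1], u, / : /)                     # u[1] = invoking user, u[2] = reason or "TTY=..."
            user = u[1]
            reason = (u[2] ~ /^TTY=/) ? "" : u[2]
            cmd = ""
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            class = "success"
            if (reason ~ /command not allowed/)       class = "denied"
            else if (reason ~ /NOT in sudoers/)       class = "not_in_sudoers"
            else if (reason ~ /incorrect password/)   class = "bad_password"
            printf "%s\t%s\t%s\n", class, user, cmd
        }' "$@"
}

# sudo_summary [file]: "class count" per line, every class listed so that a
# zero count is visible in a report.
sudo_summary() {
    sudo_classify "$@" | awk -F'\t' '
        { n[$1]++ }
        END {
            split("success denied not_in_sudoers bad_password", order, " ")
            for (i = 1; i <= 4; i++) print order[i], n[order[i]] + 0
        }'
}

# Stand-alone demo on the constructed sample (a real run would use
# /var/log/secure or /var/log/auth.log as the argument).
printf '%s\n' "$SUDO_LOG_SAMPLE" | sudo_summary
```

On the sample the summary reports 2 successful runs and one entry in each failure class; the denied and not_in_sudoers lines are the ones the page says also trigger mail to root, so they are the first to follow up on.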
(4) sudo OPTIONS
-V option
The -V (version) option causes sudo to print the version number and exit. If the invoking user is already root, the -V option will print out a list of the defaults sudo was compiled with as well as the machine's local network addresses.
-l option
The -l (list) option prints out the commands allowed (and forbidden) for the user on the current host.
-L option
The -L (list defaults) option will list out the parameters that may be set in a Defaults line along with a short description for each. This option is useful in conjunction with grep.
-h option
The -h (help) option causes sudo to print a usage message and exit.
-v option
If given the -v (validate) option, sudo will update the user's timestamp, prompting for the user's password if necessary. This extends the sudo timeout for another 5 minutes (or whatever the timeout is set to in sudoers) but does not run a command.
-k option
The -k (kill) option to sudo invalidates the user's timestamp by setting the time on it to the epoch. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file.
-K option
The -K (sure kill) option to sudo removes the user's timestamp entirely. Likewise, this option does not require a password.
-b option
The -b (background) option tells sudo to run the given command in the background. Note that if you use the -b option you cannot use shell job control to manipulate the process.
-p option
The -p (prompt) option allows you to override the default password prompt and use a custom one. The following percent ('%') escapes are supported:
%u is expanded to the invoking user's login name;
%U is expanded to the login name of the user the command will be run as (which defaults to root);
%h is expanded to the local hostname without the domain name;
%H is expanded to the local hostname including the domain name (only if the machine's hostname is fully qualified or the "fqdn" sudoers option is set);
%% (two consecutive % characters) are collapsed into a single % character.
-c option
The -c (class) option causes sudo to run the specified command with resources limited by the specified login class. The class argument can be either a class name as defined in /etc/login.conf, or a single '-' character. Specifying a class of - indicates that the command should be run restricted by the default login capabilities for the user the command is run as. If the class argument specifies an existing user class, the command must be run as root, or the sudo command must be run from a shell that is already root. This option is only available on systems with BSD login classes where sudo has been configured with the --with-logincap option.
-a option
The -a (authentication type) option causes sudo to use the specified authentication type when validating the user, as allowed by /etc/login.conf. The system administrator may specify a list of sudo-specific authentication methods by adding an "auth-sudo" entry in /etc/login.conf. This option is only available on systems that support BSD authentication where sudo has been configured with the --with-bsdauth option.
-u option
The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a username, use #uid.
-s option
The -s (shell) option runs the shell specified by the SHELL environment variable if it is set or the shell as specified in the file passwd.
-H option
The -H (HOME) option sets the HOME environment variable to the home directory of the target user (root by default) as specified in passwd. By default, sudo does not modify HOME.
-P option
The -P (preserve group vector) option causes sudo to preserve the user's group vector unaltered. By default, sudo will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user.
-r option
The -r (role) option causes the new (SELinux) security context to have the role specified by ROLE.
-t option
The -t (type) option causes the new (SELinux) security context to have the type (domain) specified by TYPE. If no type is specified, the default type is derived from the specified role.
-S option
The -S (stdin) option causes sudo to read the password from standard input instead of the terminal device.
-- option
The -- flag indicates that sudo should stop processing command line arguments. It is most useful in conjunction with the -s flag.
(5) sudo CMD Examples
$ sudo -u comphope ls /home/comphope/hope
List the contents of the /home/comphope/hope directory as the comphope user.
$ sudo -v
Extend/reset sudo's automatic authentication timeout, allowing you to continue issuing sudo commands without entering a password.
$ sudo -k
"Kill" sudo authentication for the current user. The next sudo command will require a password.
(6) Reference
http://www.computerhope.com/unix/sudo.htm
2. /etc/sudoers file
(1) About the /etc/sudoers file
NAME
sudoers - default sudo security policy module
DESCRIPTION
The sudoers policy module determines a user's sudo privileges. It is the default
sudo policy plugin. The policy is driven by the /etc/sudoers file or, optionally
in LDAP. The policy format is described in detail in the "SUDOERS FILE FORMAT"
section. For information on storing sudoers policy information in LDAP, please
see sudoers.ldap(5).
SUDOERS FILE FORMAT
The sudoers file is composed of two types of entries: aliases (basically
variables) and user specifications (which specify who may run what).
When multiple entries match for a user, they are applied in order. Where there
are multiple matches, the last match is used (which is not necessarily the most
specific match).
The sudoers grammar will be described below in Extended Backus-Naur Form (EBNF).
Don't despair if you don't know what EBNF is; it is fairly simple, and the
definitions below are annotated.
Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a language. Each
EBNF definition is made up of production rules. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
Each production rule references others and thus makes up a grammar for the
language. EBNF also contains the following operators, which many readers will
recognize from regular expressions. Do not, however, confuse them with
"wildcard" characters, which have different meanings.
? Means that the preceding symbol (or group of symbols) is optional. That is,
it may appear once or not at all.
* Means that the preceding symbol (or group of symbols) may appear zero or more
times.
+ Means that the preceding symbol (or group of symbols) may appear one or more
times.
Parentheses may be used to group symbols together. For clarity, we will use
single quotes ('') to designate what is a verbatim character string (as opposed
to a symbol name).
Aliases
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
Cmnd_Alias.
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
'Host_Alias' Host_Alias (':' Host_Alias)* |
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
Each alias definition is of the form
Alias_Type NAME = item1, item2, ...
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only as
operator. E.g.,
$ sudo -u operator /bin/ls
It is also possible to override a Runas_Spec later on in an entry. If we modify
the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill and
/usr/bin/lprm as root.
We can extend this to allow dgb to run /bin/ls with either the user or group set
to operator:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
The user ray may run /bin/kill, /bin/ls and /usr/bin/lprm on rushmore as root without entering a password; the NOPASSWD tag applies to every command that follows it in the list.
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Here ray may run /bin/kill without a password, but the PASSWD tag switches authentication back on for /bin/ls and /usr/bin/lprm.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
The NOEXEC tag lets aaron run more and vi on shanty while preventing those programs from executing other commands (for example through their shell escapes), on systems where sudo supports noexec.
/etc/sudoers example file
# Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find
# configuration files and this may lead to privilege escalation!
Defaults env_keep += "DISPLAY HOME"
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
User specification
The User specification is the part that actually determines who may run what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
We let root and any user in group wheel run any command on any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (millert, mikef, and dowdy) may run any command on any host
without authenticating themselves.
PARTTIMERS ALL = ALL
Part time sysadmins (bostley, jwfox, and crawl) may run any command on any host
but they must authenticate themselves first (since the entry lacks the NOPASSWD
tag).
jack CSNETS = ALL
The user jack may run any command on the machines in the CSNETS alias (the
networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks,
only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it is a
class C network. For the other networks in CSNETS, the local machine's netmask
will be used during matching.
lisa CUNETS = ALL
The user lisa may run any command on any host in the CUNETS alias (the class B
network 128.138.0.0).
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
The operator user may run commands limited to simple maintenance. Here, those
are commands related to backups, killing processes, the printing system, shutting
down the system, and any commands in the directory /usr/oper/bin/.
joe ALL = /usr/bin/su operator
The user joe may only su(1) to operator.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
The user pete is allowed to change anyone's password except for root on the HPPA
machines. Note that this assumes passwd(1) does not take multiple user names on
the command line.
%opers ALL = (: ADMINGRP) /usr/sbin/
Users in the opers group may run commands in /usr/sbin/ as themselves with any
group in the ADMINGRP Runas_Alias (the adm and oper groups).
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user bob may run anything on the SPARC and SGI machines as any user listed in
the OP Runas_Alias (root and operator).
jim +biglab = ALL
The user jim may run any command on machines in the biglab netgroup. sudo knows
that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the secretaries netgroup need to help manage the printers as well as add
and remove users, so they are allowed to run those commands on all machines.
fred ALL = (DB) NOPASSWD: ALL
The user fred can run commands as any user in the DB Runas_Alias (oracle or
sybase) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the ALPHA machines, user john may su to anyone except root but he is not
allowed to specify any options to the su(1) command.
jen ALL, !SERVERS = ALL
The user jen may run any command on any machine except for those in the SERVERS
Host_Alias (master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the SERVERS Host_Alias, jill may run any commands in the
directory /usr/bin/ except for those commands belonging to the SU and SHELLS
Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
The user steve may run any command in the directory /usr/local/op_commands/ but
only as user operator.
matt valkyrie = KILL
On his personal workstation, valkyrie, matt needs to be able to kill hung
processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and wim),
may run any command as user www (which owns the web pages) or simply su(1) to
www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in the CDROM Host_Alias
(orion, perseus, hercules) without entering a password. This is a bit tedious
for users to type, so it is a prime candidate for encapsulating in a shell
script.
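The user specifications above mix wide grants (NOPASSWD: ALL, whole-directory grants, the SHELLS alias) with the exclusions (!SU, !SHELLS) that narrow them, and the example file's header warns that keeping HOME in env_keep can lead to privilege escalation. The following POSIX shell script is an added example, not part of the original page or of the sudo project: it reads a sudoers file and reports those patterns so an administrator can review them. SUDOERS_SAMPLE is a constructed file that reuses rules from this page (the host and user names are illustrative), and the HIGH/MEDIUM/INFO labels are this example's own choice. The parser handles backslash continuations, comments, Cmnd_Alias definitions and one host list per user specification; it does not expand the "spec : spec" form or the #uid syntax.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a sudoers file for the
# risky patterns discussed on the page. SUDOERS_SAMPLE is constructed.

SUDOERS_SAMPLE='# constructed sample, not a real /etc/sudoers
Defaults env_reset
Defaults env_keep += "DISPLAY HOME"
User_Alias WEBMASTERS = will, wendy
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
                    /usr/bin/ksh
Cmnd_Alias SU = /usr/bin/su
root    ALL = (ALL) ALL
%wheel  ALL = (ALL) NOPASSWD: ALL
user01  ALL = (ALL) ALL
user02  ALL = /bin/cat /etc/shadow, /bin/cat /home/user01/.bash_history
jill    SERVERS = /usr/bin/, !SU, !SHELLS
fred    ALL = (DB) NOPASSWD: ALL
bob     ALL = SHELLS
steve   CSNETS = (operator) /usr/local/op_commands/
#includedir /etc/sudoers.d'

# sudoers_audit [file]: print one finding per line, prefixed HIGH:, MEDIUM: or
# INFO: (reads stdin when no file is given).
sudoers_audit() {
    awk '
        /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }   # join "\" continuation lines
        {
            line = buf $0; buf = ""
            if (line ~ /^[ \t]*#include/) {
                print "INFO: drop-in files are also loaded, audit them too: " line; next
            }
            sub(/#.*$/, "", line)                   # strip comments (sample uses no #uid syntax)
            if (line ~ /^[ \t]*$/) next
            if (line ~ /^[ \t]*Defaults/) {
                if (line ~ /env_keep[ \t]*\+?=.*[" \t]HOME[" \t]/)
                    print "HIGH: HOME is preserved in env_keep (programs read config files from HOME): " line
                next
            }
            if (line ~ /^[ \t]*Cmnd_Alias/) {       # remember aliases that resolve to a shell or su
                split(line, a, /[ \t]*=[ \t]*/); name = a[1]
                sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", name)
                if (a[2] ~ /\/(sh|bash|csh|ksh|zsh|tcsh|su)([ \t,]|$)/) shellalias[name] = 1
                next
            }
            if (line ~ /^[ \t]*(User_Alias|Runas_Alias|Host_Alias)/) next
            eq = index(line, "="); if (eq == 0) next
            who = substr(line, 1, eq - 1); sub(/^[ \t]*/, "", who); sub(/[ \t].*/, "", who)
            n = split(substr(line, eq + 1), c, /,/)
            nopasswd = 0                            # tags carry over to later commands in the list
            for (i = 1; i <= n; i++) {
                item = c[i]
                sub(/^[ \t]*/, "", item); sub(/[ \t]*$/, "", item)
                sub(/^\([^)]*\)[ \t]*/, "", item)   # drop the (runas) part
                while (match(item, /^[A-Z]+:[ \t]*/)) {          # NOPASSWD:, PASSWD:, NOEXEC: ...
                    tag = substr(item, 1, RLENGTH); sub(/:.*/, "", tag)
                    if (tag == "NOPASSWD") nopasswd = 1
                    else if (tag == "PASSWD") nopasswd = 0
                    item = substr(item, RLENGTH + 1)
                }
                if (item ~ /^!/) continue           # exclusions only reduce privilege
                if (item == "ALL" && who != "root")
                    print (nopasswd ? "HIGH: " who " may run ALL commands without a password" : "MEDIUM: " who " may run ALL commands (password required)")
                if ((item in shellalias) || item ~ /\/(sh|bash|csh|ksh|zsh|tcsh|su)([ \t]|$)/)
                    print "HIGH: " who " is granted a shell or su: " item
                if (item ~ /\/$/)
                    print "INFO: " who " may run every executable under " item
            }
        }' "$@"
}

# Stand-alone demo on the constructed sample (a real run would pass /etc/sudoers
# and each file under /etc/sudoers.d).
printf '%s\n' "$SUDOERS_SAMPLE" | sudoers_audit
```

On the sample this reports four HIGH findings (the env_keep HOME line, the two NOPASSWD: ALL grants and bob's SHELLS grant), one MEDIUM (user01's ALL with a password) and three INFO lines (the two directory grants and the #includedir). jill's rule produces only the directory note because her !SU and !SHELLS exclusions are skipped rather than flagged.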
(2) /etc/sudoers file examples from Linux distributions
(Kali Linux 1.1.0) /etc/sudoers file example
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
-> Resets the environment to a default set of variables.
Defaults mail_badpass
-> Sends mail when a user enters an incorrect password.
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-> Sets the PATH used for every command run through sudo.

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL
-> The root user may run any command on the system through sudo.

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
-> Users in the sudo group may run any command on the system through sudo.

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
(CentOS 5.9) /etc/sudoers file example
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
-> Host alias declarations.

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
-> User alias declarations.

## Command Aliases
## These are groups of related commands...

## Networking
#Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
-> Command alias declaration.

## Installation and management of software
#Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
-> Command alias declaration.

## Services
#Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
-> Command alias declaration.

## Updating the locate database
#Cmnd_Alias LOCATE = /usr/bin/updatedb
-> Command alias declaration.

## Storage
#Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
-> Command alias declaration.

## Delegating permissions
#Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
-> Command alias declaration.

## Processes
#Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
-> Command alias declaration.

## Drivers
#Cmnd_Alias DRIVERS = /sbin/modprobe
-> Command alias declaration.

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults requiretty
-> Requires a tty whenever sudo is run.
   (X) # ssh 172.16.9.252 sudo CMD
   (O) # ssh -t 172.16.9.252 sudo CMD

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults !visiblepw
-> Keeps the password from being echoed while it is typed.

Defaults env_reset
-> Resets the environment to a default set of variables.
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                     LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                     LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                     LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                     LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                     _XKB_CHARSET XAUTHORITY"
-> The listed variables are carried over from the invoking user's environment instead of being redefined when a command is run through sudo.

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
-> The root user may run any command on the system through sudo.

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
-> If uncommented, users in the wheel group may run any command on the system through sudo.

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
-> If uncommented, users in the wheel group are not asked for a password when using sudo.

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
-> If uncommented, users in the users group may run "# mount /mnt/cdrom".

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
-> If uncommented, users in the users group may run "shutdown -h now".
(CentOS 6.5) /etc/sudoers file example
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2
-> Host alias declarations.

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
-> User alias declarations.

## Command Aliases
## These are groups of related commands...
-> Command alias declarations.

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
-> Command alias declaration.

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
-> Command alias declaration.

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
-> Command alias declaration.

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
-> Command alias declaration.

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
-> Command alias declaration.

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
-> Command alias declaration.

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
-> Command alias declaration.

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
-> Command alias declaration.

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty
-> Requires a tty whenever sudo is run.
   (X) # ssh 172.16.9.252 sudo CMD
   (O) # ssh -t 172.16.9.252 sudo CMD

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw
-> Keeps the password from being echoed while it is typed.

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
-> Sets the HOME variable to the target user's home directory.

Defaults    env_reset
-> Resets the environment to a default set of variables.
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
-> The listed variables are carried over from the invoking user's environment instead of being redefined when a command is run through sudo.

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
-> Sets the PATH used for every command run through sudo.

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
-> The root user may run any command on the system through sudo.

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
-> If uncommented, users in the wheel group may run any command on the system through sudo.

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
-> If uncommented, users in the wheel group may run any command without entering a password.

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
-> If uncommented, users in the users group may run "# mount /mnt/cdrom".

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
-> If uncommented, users in the users group may run "# shutdown -h now" on localhost.

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
(Ubuntu 8.04) /etc/sudoers file example
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset
-> Resets the environment to a default set of variables.

# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL
-> If uncommented, users in the sudo group may run any command on the system without entering a password.

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
-> The root user may run any command on the system through sudo.

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
-> Users in the admin group may run any command on the system through sudo.
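Both the Kali and CentOS 6.5 files end with #includedir /etc/sudoers.d, and the Kali header recommends putting local rules in that directory rather than editing /etc/sudoers. A drop-in only takes effect if sudo actually loads it, so the following POSIX shell script, an added example that is not part of the original page or of the sudo project, checks a drop-in file for the conditions that decide that: sudo skips files in an include directory whose name contains a "." or ends in "~", refuses sudoers files that are not mode 0440, and visudo -c can verify the syntax. The file names and the rule inside them are constructed for the demo; the mode check relies on GNU stat (Linux), and the visudo step is only run as root because visudo -c also verifies root ownership.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a sudoers drop-in
# will be loaded by "#includedir /etc/sudoers.d". Demo files are constructed;
# the mode check uses GNU stat.

# dropin_name_ok <path>: sudo silently skips include-directory files whose
# name contains "." or ends in "~" (editor backups, package suffixes).
dropin_name_ok() {
    case "$(basename "$1")" in
        *.*|*~) return 1 ;;
        *)      return 0 ;;
    esac
}

# dropin_mode_ok <path>: sudoers files must be mode 0440, otherwise sudo
# refuses the policy.
dropin_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "440" ]
}

# dropin_syntax_ok <path>: run "visudo -c -f" when visudo exists and we are
# root (it also checks root ownership, so as a normal user it would reject our
# own test files); otherwise report that the check was skipped and pass.
dropin_syntax_ok() {
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        visudo -cf "$1" >/dev/null 2>&1
    else
        echo "skipped: syntax check needs visudo and root" >&2
        return 0
    fi
}

# sudoers_dropin_check <path>: print one verdict line per problem (or "OK:")
# and return 0 only when every check passed.
sudoers_dropin_check() {
    f=$1; rc=0
    dropin_name_ok "$f"   || { echo "SKIPPED-BY-SUDO: $f (name contains '.' or ends in '~')"; rc=1; }
    dropin_mode_ok "$f"   || { echo "BAD-MODE: $f is mode $(stat -c '%a' "$f"), expected 440"; rc=1; }
    dropin_syntax_ok "$f" || { echo "BAD-SYNTAX: $f rejected by visudo -c"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Stand-alone demo with constructed files in a temporary directory: one good
# drop-in, one with a "." in its name, one with a loose mode.
demo_dir=$(mktemp -d)
printf 'user02 ALL = /bin/cat /etc/shadow\n' > "$demo_dir/user02"
cp "$demo_dir/user02" "$demo_dir/user02.bak"
cp "$demo_dir/user02" "$demo_dir/user03"
chmod 440 "$demo_dir/user02" "$demo_dir/user02.bak"
chmod 644 "$demo_dir/user03"
for f in "$demo_dir"/*; do sudoers_dropin_check "$f" || true; done
rm -rf "$demo_dir"
```

In the demo only user02 passes: user02.bak is silently ignored by #includedir because of the dot, and user03 is rejected for its 0644 mode. Running the same check on each file under /etc/sudoers.d before relying on a rule avoids the common surprise of a drop-in that was never read.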
3. sudo lab exercises
(Caution) Notes for the lab
The lab was run on CentOS 5.9. The /etc/sudoers file differs between versions, so be sure to check the settings that apply to your own version.
The default /etc/sudoers settings also differ between Linux distributions, so be sure to check the settings that apply to your own distribution and version.
■ System used
- CentOS 5.9
[Lab 1]
Lab goal: create a user with the same privilege level as the administrator (e.g. root).
(Prerequisites)
Users user01 through user03 must exist.
Add them with commands of the following form.
# useradd user01
# echo user01 | passwd --stdin user01
① Edit the /etc/sudoers file
# visudo (# vi /etc/sudoers -> :wq!)
..... (omitted) .....
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

#
# (1) Specific configuration
#
user01  ALL=(ALL)       ALL
-> Add the lines above at the bottom of the /etc/sudoers file.
② Log in as user01 and test
# ssh user01@localhost
Log in as user01.
$ sudo /sbin/shutdown +3 -h
[sudo] password for user01: (user01)

Broadcast message from root (pts/3) (Mon Sep 21 15:41:07 2015):

The system is going DOWN for system halt in 3 minutes!

Broadcast message from root (pts/3) (Mon Sep 21 15:41:07 2015):

The system is going DOWN for system halt in 3 minutes!
<CTRL + C>
Shutdown cancelled.
-> user01 can now run the shutdown command, which only the administrator could run before.
-> In the lab, press <CTRL + C> instead of letting the system actually halt.
$ exit
#
[Lab 2]
Lab goal: change the configuration so that user01 can run system commands through sudo without entering a password.
① Edit the /etc/sudoers file
# visudo (# vi /etc/sudoers -> :wq!)
..... (omitted) .....
#
# (1) Specific configuration
#
[before] user01  ALL=(ALL)       ALL
[after]  user01  ALL=(ALL)       NOPASSWD:ALL
-> Insert the NOPASSWD tag into the existing line.
② Log in as user01 and test
# ssh user01@localhost
Log in as user01.
$ sudo /sbin/shutdown +3 -h

Broadcast message from root (pts/3) (Mon Sep 21 15:49:56 2015):

The system is going DOWN for system halt in 3 minutes!

Broadcast message from root (pts/3) (Mon Sep 21 15:49:56 2015):

The system is going DOWN for system halt in 3 minutes!
<CTRL + C>
Shutdown cancelled.
-> No password prompt appears.
$ exit
#
[Lab 3]
Lab goal: configure a user so that it can read a file (e.g. /etc/shadow) that an ordinary user cannot access.
$ cat /etc/shadow
cat: /etc/shadow: Permission denied
① Edit the /etc/sudoers file
# visudo
..... (omitted) .....
#
# (1) Specific configuration
#
user01  ALL=(ALL)       NOPASSWD:ALL
user02  ALL=/bin/cat /etc/shadow, /bin/cat /home/user01/.bash_history
-> Add the lines above at the bottom of the /etc/sudoers file.
② Log in as user02 and test
$ ssh user02@localhost
Log in as user02.
$ cat /etc/shadow
cat: /etc/shadow: Permission denied
$ cat /home/user01/.bash_history
cat: /home/user01/.bash_history: Permission denied
$ sudo cat /etc/shadow

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user02: (user02)
root:$1$gRjk/iMP$rRLfVhiUKZLNkY/VjPLcg/:16799:0:99999:7:::
bin:*:16678:0:99999:7:::
daemon:*:16678:0:99999:7:::
adm:*:16678:0:99999:7:::
lp:*:16678:0:99999:7:::
sync:*:16678:0:99999:7:::
shutdown:*:16678:0:99999:7:::
..... (omitted) .....
-> The command runs normally.
$ sudo cat /home/user01/.bash_history
..... (omitted) .....
sudo /sbin/shutdown +3 -h
#1442818248
exit
#1442818431
cat /proc/sys/net/ipv4/ip_forward
#1442818438
exit
-> The command runs normally.
$ exit
#
[Lab 4]
Lab goal: configure a user so that it can operate a service script (e.g. /etc/init.d/sshd).
① Edit the /etc/sudoers file
# visudo
..... (omitted) .....
#
# (1) Specific configuration
#
user01  ALL=(ALL)       NOPASSWD:ALL
user02  ALL=/bin/cat /etc/shadow, /bin/cat /home/user01/.bash_history
user03  ALL=/etc/init.d/sshd
② Log in as user03 and test
# telnet localhost
Log in as user03.
$ /etc/init.d/sshd restart
rm: cannot remove `/var/run/sshd.pid': Permission denied
                                                           [FAILED]
cp: cannot remove `/var/empty/sshd/etc/localtime': Permission denied
Starting sshd: /etc/ssh/sshd_config: Permission denied
                                                           [FAILED]
$ sudo /etc/init.d/sshd restart

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user03: (user03)
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
$ exit
#