How To Install and Configure SUDO on RHEL 7
Table of Contents
Overview
Applies To
Pre-Requisites
Install Package
  Verify Package Installation
  Locate Binary
Configure SUDO
  visudo editor
Sudoers File – Default Permissions
  Listing Commands
    List Allowed Commands – Current User
    List Allowed Commands – Other User
  Cached Credentials
    Revalidate Cached Credentials
    Invalidate Cached Credentials
    Customize User’s Timeouts
Define Command Execution Privileges
  Define Commands – With Password
  Run Commands – Without Password
  Run Commands – Deny Specific Command Execution
  SUDO – Default Settings
Configure – Session Time Out
  System wise Attribute Configuration
  User wise Attribute Configuration
Overview
The purpose of this document is to guide you through the configuration of SUDO (Super User Doers), whereby
a normal user is elevated to run privileged commands on the system.
Applies To
Tested on RHEL 7, CentOS 7.
Pre-Requisites
• sudo package is installed
Install Package
The sudo package is installed by default when you install the operating system. If the package is not
installed, install it manually by running the command;
yum install -y sudo
Verify Package Installation
After installation, to verify the sudo package is installed, run the command;
yum list installed | grep ^sudo
or
rpm -qa | grep ^sudo
Locate Binary
Next, to get the binary information for the sudo executable, run the command;
whereis sudo
Configure SUDO
In order to configure sudo, the sudoers configuration file “/etc/sudoers” has to be modified.
visudo editor
Any standard editor, e.g. vi, vim or nano, can be used to edit the file.
However, there are a few advantages to configuring sudo with the “visudo” editor, listed below:
• visudo locks the sudoers file while a user is editing it
• If another user is already editing it, the user is notified with the message “/etc/sudoers busy, try again later”
• It also checks for syntax errors on exit from the file
Sudoers File – Default Permissions
The owner and group for the sudoers file must both be 0. The file permissions must be set to 0440. This
permission is set by default.
If you have accidentally changed the permissions or ownership, they need to be rolled back, else sudo
will fail.
chown -c root:root /etc/sudoers
chmod -c 0440 /etc/sudoers
Listing Commands
The commands that the logged-in user or another user is allowed to execute can be listed. The listing also
shows the other configuration parameters set for the user, such as timeout, command restrictions, etc.
List Allowed Commands – Current User
sudo -l
List Allowed Commands – Other User
sudo -lU mvcp01
Cached Credentials
Upon successful sudo authentication by the user, the credentials are cached for a default time period of
5 minutes, and the user can work without a password until the expiry period set by the attribute
“timestamp_timeout”.
This can also be configured to 0 minutes or to more than the default timeout period of 5 minutes. 0 means
the password is not cached and the user will always be prompted for a password. If the attribute is set to
less than 0, the user’s sudo timeout period is set as “never expire”.
Defaults timestamp_timeout=2
Similarly, you can invalidate or revalidate cached credentials.
Revalidate Cached Credentials
After a successful sudo login by the user, the credentials are cached for 5 minutes (default password lapse
period). To extend the password lapse period, run the command below. If sudo revalidation is done, it
extends the lapse period by an additional 5 minutes.
sudo -v
Invalidate Cached Credentials
To clear the cached password and force password entry for the next sudo authentication, run the command below.
Typically, it is run if the user’s password has changed and the timeout period has not yet expired.
sudo -k
Customize User’s Timeouts
To customize the sudo timestamp_timeout for a specific user, set the “timestamp_timeout” attribute
with the user prefix and the timeout period, as shown
below.
This change can be done in either “/etc/sudoers” or “/etc/sudoers.d/
Defaults: sys.admin timestamp_timeout=30
sudo -lU sys.admin
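The checks described so far (visudo syntax check, 0440 permissions, a per-user setting placed under the sudoers.d directory) can be combined as in the following added example, which is not part of the original document. The SUDOERS_D and VISUDO override variables and the drop-in name sys_admin_timeout are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: install a sudoers drop-in only after a syntax check,
# with the mode and ownership that sudo requires.
# SUDOERS_D and VISUDO are hypothetical overrides for dry runs in a scratch dir.

install_sudoers_dropin() {
    src=$1          # candidate file, e.g. containing a Defaults:user line
    name=$2         # file name to create inside the drop-in directory
    dest_dir=${SUDOERS_D:-/etc/sudoers.d}
    visudo_bin=${VISUDO:-visudo}

    # sudo skips files in sudoers.d whose names contain "." or end in "~",
    # so a drop-in named after the user "sys.admin" would never be read.
    case $name in
        *.*|*~|*/*|'')
            echo "refusing drop-in name: '$name'" >&2
            return 2 ;;
    esac

    # visudo -c only checks the file; -f selects which file to check.
    if ! "$visudo_bin" -cf "$src" >/dev/null; then
        echo "syntax check failed, nothing installed: $src" >&2
        return 1
    fi

    # Mode 0440 always; owner and group root when running as root.
    # The non-root branch exists only for dry runs outside /etc.
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g root -m 0440 "$src" "$dest_dir/$name"
    else
        install -m 0440 "$src" "$dest_dir/$name"
    fi
}

# Usage (as root):
#   printf 'Defaults:sys.admin timestamp_timeout=30\n' > /tmp/sys_admin_timeout
#   install_sudoers_dropin /tmp/sys_admin_timeout sys_admin_timeout
```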
Define Command Execution Privileges
SUDO can be configured with or without password authentication for users or for the specific commands that
a user intends to execute. A user can also be denied execution of a specific command. The
table below gives insight into the command execution privileges defined for a user.
Example: root ALL=(ALL) ALL
Definition                     Purpose
sys.admin ALL=(ALL:ALL) ALL    This definition applies to user root
sys.admin ALL=(ALL:ALL) ALL    This rule applies to user sys.admin logged in from all hosts
sys.admin ALL=(ALL:ALL) ALL    User sys.admin can run commands as all users
sys.admin ALL=(ALL:ALL) ALL    User sys.admin can run commands as all groups
sys.admin ALL=(ALL:ALL) ALL    These rules apply to all commands
Define Commands – With Password
A few of the commands defined for the user can be allowed to run only after the user keys in a valid
password, as shown below. User sys.operator can execute the commands “shutdown” and
“updatedb” after successful authentication.
sys.operator ALL=(ALL) PASSWD: /sbin/shutdown, /usr/bin/updatedb
Run Commands – Without Password
To execute command(s) without being prompted for the sudo password, configure the user as below. User sys.admin
can execute the commands “shutdown” and “updatedb” without a password (password-less command
execution).
mvcp001 ALL=(ALL) NOPASSWD: ALL
sys.admin ALL=(ALL) NOPASSWD: /sbin/shutdown, /usr/bin/updatedb
Run Commands – Deny Specific Command Execution
To deny a specific user execution of a command, prefix the command with “!” as shown below. The
user can run all other commands except the command “/usr/bin/passwd”.
mvcp002 ALL=(root) ALL, !/usr/bin/passwd
SUDO – Default Settings
To list the current default settings run the command;
cat /etc/sudoers | grep ^Defaults
Configure – Session Time Out
The purpose of this attribute is to set the timeout period after which the user must enter the password
again for elevated commands.
The default timeout is 5 minutes: once the user enters the password, it is remembered for
5 minutes, after which the user needs to re-enter the password.
System wise Attribute Configuration
To implement a system-wide configuration, make the required changes after the “Defaults” keyword.
Defaults timestamp_timeout=5 #Applies To System wide
User wise Attribute Configuration
To implement a user-specific configuration, include the username after the “Defaults” keyword and make the
required changes. This overrides the system-wide attribute setting.
Defaults:mvcp002 timestamp_timeout=0 # Applies to specific user only
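An added example, not part of the original document: a small audit that flags the settings covered above that weaken the policy, namely NOPASSWD: ALL, a negative timestamp_timeout, a timeout above a chosen limit, and "ALL, !command" rules, which the sudoers manual cautions are generally not an effective restriction. The 15-minute limit and the svc.batch entry are constructed for illustration.

```sh
#!/bin/sh
# Added example: review sudoers text for entries that loosen the policy.

# Constructed sample built from the rules shown in this document, plus one
# hypothetical user (svc.batch) to show the "never expire" case.
sample_sudoers() {
cat <<'EOF'
Defaults timestamp_timeout=5
Defaults:mvcp002 timestamp_timeout=0
Defaults:sys.admin timestamp_timeout=30
Defaults:svc.batch timestamp_timeout=-1
sys.operator ALL=(ALL) PASSWD: /sbin/shutdown, /usr/bin/updatedb
mvcp001 ALL=(ALL) NOPASSWD: ALL
sys.admin ALL=(ALL) NOPASSWD: /sbin/shutdown, /usr/bin/updatedb
mvcp002 ALL=(root) ALL, !/usr/bin/passwd
EOF
}

# Reads sudoers text on stdin and prints one "CODE:line: text" finding per hit.
# $1 = longest acceptable timestamp_timeout in minutes (assumed policy value).
audit_sudoers() {
    awk -v max="${1:-15}" '
        # Comment and blank lines carry no rules (#include lines are not followed).
        /^[ \t]*#/ || /^[ \t]*$/ { next }

        # Cached-credential lifetime: negative means the cache never expires.
        match($0, /timestamp_timeout=-?[0-9]+/) {
            v = substr($0, RSTART + 18, RLENGTH - 18) + 0
            if (v < 0)        print "NEVER_EXPIRES:" NR ": " $0
            else if (v > max) print "LONG_TIMEOUT:" NR ": " $0
        }

        # Every command allowed with no password prompt at all.
        /NOPASSWD:[ \t]*ALL[ \t]*(,|$)/ { print "NOPASSWD_ALL:" NR ": " $0 }

        # "ALL, !command" deny-list; prefer listing the allowed commands.
        /ALL[ \t]*,[ \t]*!/ { print "DENYLIST:" NR ": " $0 }
    '
}

# Usage:
#   sample_sudoers | audit_sudoers 15
#   sudo cat /etc/sudoers | audit_sudoers 15
```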
