Mastering Linux Security and Hardening

Hands-on lab for assigning limited sudo privileges

In this lab, you'll create some users and assign them different levels of privileges. To simplify things, we'll use the CentOS virtual machine.

  1. Log in to either the CentOS 7 virtual machine or the CentOS 8 virtual machine and create user accounts for Lionel, Katelyn, and Maggie:
sudo useradd lionel
sudo useradd katelyn
sudo useradd maggie
sudo passwd lionel
sudo passwd katelyn
sudo passwd maggie
  2. Open visudo:
sudo visudo

Find the STORAGE command alias. On a stock CentOS sudoers file it is a commented-out Cmnd_Alias STORAGE line that groups fdisk, sfdisk, parted, partprobe, mount, and umount. Remove the ## comment marker from in front of it so that the alias becomes active.

  3. Add the following lines to the end of the file. Tabs separate the columns here, but sudoers accepts any run of spaces or tabs:
lionel ALL=(ALL) ALL
katelyn ALL=(ALL) /usr/bin/systemctl status sshd
maggie ALL=(ALL) STORAGE

Save the file and exit visudo. If visudo reports a syntax error, choose e to go back and fix it rather than Q to save anyway; a sudoers file with a syntax error locks everyone out of sudo, including you.

  4. To save time, we'll use su to log in to the different user accounts. That way, you won't need to log out of your own account to perform these steps. First, log in to Lionel's account and verify that he has full sudo privileges by running several root-level commands:
su - lionel
sudo su -
exit
sudo systemctl status sshd
sudo fdisk -l
exit
  5. This time, log in as Katelyn and try the same root-level commands. Don't be too disappointed if they don't all work, though. Katelyn's rule matches one exact command line, so only sudo systemctl status sshd succeeds; sudo su -, sudo systemctl restart sshd, and sudo fdisk -l are refused and logged:
su - katelyn
sudo su -
sudo systemctl status sshd
sudo systemctl restart sshd
sudo fdisk -l
exit
  6. Finally, log in as Maggie, and run the same set of commands that you ran for Katelyn. This time only sudo fdisk -l works, because the STORAGE alias covers fdisk and the other disk tools but nothing else.
  7. Keep in mind that, although we only had three individual users for this lab, you could just as easily have handled more users by setting them up in a User_Alias in sudoers or in a Linux group, which you name in a sudoers rule with a % prefix.
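To see how the same rules look when they are kept out of /etc/sudoers, and how to check them before and after installation, here is an added example; it is not the book's own code. It writes the three lab rules, plus the user-alias and group forms from step 7, to a drop-in under /etc/sudoers.d, stages the copy under a name sudo ignores so that visudo -c can validate it in place, and uses sudo -l -U to show what each user may actually run. The drop-in name /etc/sudoers.d/lab, the alias names LAB_STORAGE and SSHD_STATUS, and the group storage are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the book's code): the lab's sudo rules as a sudoers.d
# drop-in, with a pre-install check for shell escapes, a staged visudo -c
# validation, and a post-install check of each user's effective privileges.
# Assumed names: /etc/sudoers.d/lab, aliases LAB_STORAGE and SSHD_STATUS,
# group "storage".

# render_lab_sudoers FILE
# Write the rules to FILE. The alias is called LAB_STORAGE rather than
# STORAGE so it cannot collide with the STORAGE alias in /etc/sudoers when
# that one has been uncommented (sudo rejects a policy that defines an alias
# twice).
render_lab_sudoers() {
    cat > "$1" <<'EOF'
# Lab rules; lives at /etc/sudoers.d/lab, mode 0440, owned by root.
Cmnd_Alias LAB_STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
Cmnd_Alias SSHD_STATUS = /usr/bin/systemctl status sshd
User_Alias STORAGE_ADMINS = maggie

# Full root, exactly as in the lab.
lionel          ALL=(ALL)  ALL
# One command with fixed arguments. (root) instead of (ALL) so that katelyn
# cannot use "sudo -u" to run it as some other account.
katelyn         ALL=(root) SSHD_STATUS
# The same storage rule granted through a user alias and through a Linux
# group (the % prefix); add members with usermod -aG storage USER.
STORAGE_ADMINS  ALL=(root) LAB_STORAGE
%storage        ALL=(root) LAB_STORAGE
EOF
}

# find_escapes FILE
# Print non-comment rules that hand out programs which can start a shell or
# write arbitrary files as root. Any hit means the "limited" user is really
# unlimited. Exit status 0 means something was found.
find_escapes() {
    grep -E '^[^#].*(/bin/(ba)?sh|/tee|/vi(m)?|/less|/more|/find|/awk|/python[0-9.]*)( |,|$)' "$1"
}

# install_lab_sudoers FILE [DEST]
# Stage the file under a name containing a dot (sudoers.d ignores such
# names), validate the staged copy with visudo -c, then move it into place.
# Must be run by a user with full sudo.
install_lab_sudoers() {
    dest="${2:-/etc/sudoers.d/lab}"
    stage="$dest.new"
    if find_escapes "$1"; then
        echo "refusing to install: the rules above grant a shell escape" >&2
        return 1
    fi
    sudo install -m 0440 -o root -g root "$1" "$stage" || return 1
    if ! sudo visudo -cf "$stage"; then
        sudo rm -f "$stage"
        return 1
    fi
    sudo mv "$stage" "$dest"
}

# show_privileges USER...
# Ask sudo what each user may run. This reads the live policy, so it is the
# check to run after installing; compare it with what the lab expects.
show_privileges() {
    for u in "$@"; do
        sudo -l -U "$u"
    done
}
```

Run render_lab_sudoers on a scratch file, read it, then install_lab_sudoers from an account that already has full sudo; afterwards show_privileges lionel katelyn maggie prints the effective rules for each user, which is the step that catches a typo that visudo's syntax check cannot.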
Since sudo is such a great security tool, you would think that everyone would use it, right? Sadly, that's not the case. Pretty much any time you look at either a Linux tutorial website or a Linux tutorial YouTube channel, you'll see the person who's doing the demo logged in at the root user command prompt. In some cases, I've seen the person remotely logged in as the root user on a cloud-based virtual machine. Now, if logging in as the root user is already a bad idea, then logging in across the internet as the root user is an even worse idea. In any case, seeing everybody do these tutorial demos from the root user's shell drives me absolutely crazy.

Having said all this, there are some things that don't work with sudo the way you might expect. Bash shell builtins such as cd are not separate programs, so sudo has nothing to execute. And a command line such as echo 1 redirected into a file under /proc/sys fails because the redirection is performed by your own, unprivileged shell before sudo ever runs; only the echo gets root privileges. In both cases you can go to the root command prompt, and for the redirection case you can instead have a root process do the write: pipe the value through sudo tee, run the whole command line under sudo sh -c, or, better still for kernel parameters, use sudo sysctl -w. Be aware, though, that naming tee or sh in a limited user's sudoers rule is the same as granting full root, so those workarounds are only for people who already have unrestricted sudo. Still, make sure that only users who absolutely have to use the root user command prompt have access to it.
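The redirection problem is easier to see in code. The following is an added example, not from the book: the broken form next to two forms that work, and the sysctl form that is the right thing to name in a limited sudoers rule. The SUDO variable and the function names are this example's own, and net.ipv4.ip_forward is only a sample key.

```shell
#!/bin/sh
# Added example (not from the book): writing a kernel parameter under sudo.
# SUDO is empty when we are already root, so the same functions work either
# way; the names below are the example's own.
if [ "$(id -u)" -eq 0 ]; then SUDO=""; else SUDO="sudo"; fi

# Broken form, kept for comparison only. The calling (unprivileged) shell
# opens PATH for writing before sudo runs, so this fails with "Permission
# denied" even though echo itself would have run as root.
set_param_broken() {      # set_param_broken PATH VALUE
    $SUDO echo "$2" > "$1"
}

# Working form 1: tee runs under sudo and performs the write as root.
set_param_tee() {         # set_param_tee PATH VALUE
    printf '%s\n' "$2" | $SUDO tee "$1" >/dev/null
}

# Working form 2: a root shell performs the redirection. PATH and VALUE are
# passed as positional parameters rather than spliced into the -c string, so
# odd characters in them cannot change the command.
set_param_sh() {          # set_param_sh PATH VALUE
    $SUDO sh -c 'printf "%s\n" "$2" > "$1"' sh "$1" "$2"
}

# Preferred for /proc/sys: sysctl takes the key name, not a path, and is a
# single program with fixed arguments that you can put in a sudoers rule
# without handing out a shell. tee and sh, by contrast, give a limited user
# full root. Example rule (assumed user and key):
#   maggie ALL=(root) /sbin/sysctl -w net.ipv4.ip_forward=1
set_sysctl() {            # set_sysctl KEY VALUE, e.g. net.ipv4.ip_forward 1
    $SUDO sysctl -w "$1=$2"
}

get_param() {             # get_param PATH
    cat "$1"
}
```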