LPI Linux Certification in a Nutshell (65 page)
Read LPI Linux Certification in a Nutshell Online
Authors: Adam Haeder; Stephen Addison Schneiter; Bruno Gomes Pessanha; James Stanger
Tags: #Reference:Computers
sudo
sudo[OPTION]... [-a auth_type] [-c class] [-p prompt] [-u username]
sudo
(
s
ubstitute
u
ser
do
) allows a permitted user to execute a
command as the superuser or another user, as specified in the
/etc/sudoers
file.
- -b
Run the given command in the background.
- -u
USERNAME Attempt to run the command as user
USERNAMEinstead of root.
The
sudo
command lives somewhere between
SUID and
su
.
sudo
is used
when you want to give certain users (or groups of users) access to
run certain commands with elevated privileges (usually as
root
).
Sudo
is extremely
useful for a number of reasons:
You don’t have to hand out the root password to people
just so they can run a few
commands
.It logs every command (completed and attempted).
In the
/etc/sudoers
file, you can limit its use by user account, by group, by
machine, or by pathname.The design of
/etc/sudoers
is such that you can
replicate it across multiple systems without modification of the
file.
The
/etc/sudoers
configuration file is a standard text file (like most other Linux
configuration files), but the syntax for the rules that define the
behavior of
sudo
is formatted in Extended
Backus-Naur Form (EBNF), which is a way to describe the grammar of a
language. This is relatively unique to the Linux configuration file
world, so your
/etc/sudoers
file will look quite a bit different than other configuration files
you are used to. Because of the security implications of
sudo
, and the somewhat challenging format of
the file itself, it is recommended that the command
visudo
be used to edit
/etc/sudoers
instead of editing the file
directly.
visudo
will not only make a backup
copy of the
/etc/sudoers
file
for editing (replacing the previous version of
/etc/sudoers
when the backup
copy is saved), but it also does syntax checking of the format of
the file, warning you if the syntax is incorrect. If you prefer an
editor other than
vi
, just make sure your
$EDITOR
environment variable contains the path
to your preferred editor, and
visudo
will
invoke that editor instead of
vi
.
On the Exam
The configuration options available in
/etc/sudoers
can be very complicated.
You will not be required to answer questions about every possible
option on the LPI exams. You should know what
sudo
is for and some example command-line
usage, and have a general idea of what the
/etc/sudoers
file should look
like.
A simple
/etc/sudoers
file:
# Format is:
# user MACHINE=COMMANDS
#
# The COMMANDS section may have other options added to it.
#
Defaults requiretty,passwd_timeout=10
# Allows members of the users group to mount and unmount the cdrom as root
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
# Allow the user adam to run the dumpe2fs command on any locally attached
# disk using scsi emulation (/dev/sd*) on the computer 'fileserv',
# don't prompt for a password
adam fileserv=NOPASSWD: /sbin/dumpe2fs /dev/sd*
The
NOPASSWD
option will allow the user
adam
to run the
dumpe2fs
command without being prompted for a password. Normally,
sudo
will prompt a user for his password (not
the root password! If the user knew the root password, he wouldn’t
need
sudo
, would he?). Once the user’s password
is given correctly,
sudo
will cache the
password and not ask again for a default of five minutes
(configurable in the
/etc/sudoers
file). Setting the
NOPASSWD
option allows the
sudo
command to be called from
cron
and other noninteractive, scripted
situations.
The detailed logging that
sudo
offers by
default is another reason why it is so popular. It is a common
scenario to have multiple people acting as system administrators in
a corporate environment. If all of these people log in as
root
to perform maintenance, there is no way to
tell exactly which user was logged in as
root
and ran what command at a certain time.
sudo
handles this for you. It is good practice to use
sudo
to run superuser commands when you are in
a shared administrator environment.
A sample log line from
sudo
:
Dec 4 15:07:20 fileserv sudo: adam : TTY=pts/0 ; PWD=/sbin ; USER=root ; \
COMMAND=/sbin/dumpe2fs /dev/sda3
By default,
sudo
uses the
syslog
service to log all events. Depending
upon your
syslog
configuration, these events
will probably be logged to either
/var/log/messages
or
/var/log/secure
.
sudo
will also log instances when a user
attempts to run a command and is denied, shown next.
Sudo denying access to user
joe
, who
tried to run
sudo /bin/ls /tmp
:
Dec 4 15:27:29 fileserv sudo: joe : user NOT in sudoers ; TTY=pts/0 ; \
PWD=/home/joe ; USER=root ; COMMAND=/bin/ls /tmp
Other important things to remember about
sudo
:
Be sure you are giving the exact path to applications in
the
/etc/sudoers
file. The
visudo
command will give you an error if
you try to use relative path names.Be aware of commands that spawn subshells! This is the
same issue that was discussed earlier with regards to SUID
programs and subshells. A subshell (or child process) will
always inherit the security context of the parent process. So if
you have a line in
/etc/sudoers
that looks like
this:adam ALL=NOPASSWD: /bin/vi
then the user “adam” will be able to run
/bin/vi
as root. By typing!bashin a
vi
session,
adam will have an interactive shell as root. If you are in a
situation where you need to let non-root users edit protected
files, use the command
sudoedit
(an alias
to “
sudo –e
”). This tells
sudo
that a file needs to be edited. The
sudo
command will make a temporary copy of
the file and open an editor in the security context of the user
(not root). Once the temporary file is saved,
sudo
will copy the temporarily file over
the original file. This bypasses the root subshell
dilemma.The file
/etc/sudoers
can be a little daunting at first, but remember it was designed
to allow you to have one copy of
/etc/sudoers
work across multiple
servers. If this is not your situation, you can follow the
simple examples above to create and maintain an
/etc/sudoers
file that is a little
easier to read.
usermod
chage[OPTIONS] [USERNAME]
usermod
is used to maintain the
settings for accounts in
/etc/passwd
and
/etc/group
(and, by extension,
/etc/shadow
and
/etc/gshadow
).
- -c
COMMENT Set or change the value of the Comment field (field
5).- -d
HOMEDIRECTORY Set or change the value of the user’s home directory
(field 6).- -g
GROUPID Set the primary GID (group ID) of the user.
- -G
comma-delimited
GROUPID(S) Set the supplementary group ID(s) for a user.
- -l
USERNAME Change the username to
USERNAME.- -s
SHELL Change the user’s shell to
SHELL.
chage
chage[OPTIONS] [USERNAME]
chage
(change aging) is used to
maintain the password aging limits on a user account.
- -d
LASTDAY Set the number of days (since January 1, 1970) when the
password was last changed.- -E
EXPIREDATE Set a user account to expire on a certain date.
- -I
INACTIVEDAYS How many days of inactivity after a password has expired
must pass before the account is locked.- -l
Show password aging information for an account. A
nonprivileged user can run this to view his password aging
status.- -m
MINDAYS Set the minimum number of days between password
changes.- -M
MAXDAYS Set the maximum number of days a password is
valid.- -W
WARNDAYS The number of days before the password expiration that
the system will start warning the user.
View the password aging information for the
root
user:
#chage -l rootLast password change : Jan 08, 2010
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Force a user to change his password on the next login:
#chage -d 0 adamh#chage -l adamhLast password change : password must be changed
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Now when the user
adamh
next logs in, he
will see:
login as:adamhadamh@server's password:You are required to change your password immediately (root enforced)
Last login: Fri Jan 8 14:50:42 2010 from 10.0.0.112
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user adamh.
Changing password for adamh.
(current) UNIX password:New UNIX password:Retype new UNIX password:
On the Exam
The
chage
command can be a little
confusing. Take the time to learn its different options and
practice configuring different password aging settings on a test
Linux system. It is likely that you will encounter questions about
the syntax of the
chage
command on the LPI
exams.
ulimit
ulimit[OPTIONS] limit
Provides control over the resources available to the
shell and to processes started by it, on systems that allow such
control.
- -a
Report all current limits.
- -u
NUMBER The maximum number of processes available to a single
user.- -x
NUMBER The maximum number of file locks.
- -v
NUMBER The maximum amount of memory available to the shell, in
kilobytes.- -H
Indicates that a hard limit is being specified.
- -S
Indicates that a soft limit is being specified.
View the current limits for a user:
$ulimit -acore file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 8192
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 8192
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
Limits are defined on Linux as being either
hard
or
soft
limits. A hard limit is set by the
superuser for a user or group of users and cannot be
exceeded. A soft limit is also set by the superuser, but it may be
temporarily overridden by a user if the need arises (by the user
calling the
ulimit
command). For example, a
user may have a soft limit of 100 on the maximum number of open
files, with a hard limit of 1,000. If the user is running a
short-term process that needs to open 200 files, they can
temporarily increase her limit in order for that program to run.
That increase lasts only for the life of the user’s shell. Hard and
soft limits are set up by the superuser for all users in the file
/etc/security/limits.conf
.
The file
limits.conf
takes four values,
space- or Tab-delimited, on each line:
Table 22-3
describes the options for entries in
limits.conf
.
Table 22-3. Options in /etc/security/limits.conf
Field name | Possible values |
|---|---|
Domain |
|
Type |
|
Item |
|
Value | Integer |
Here are some example lines from a
limits.conf
file:
# user adamh cannot create a file larger than 200 MB
adamh hard fsize 204800
# user adamh cannot create a file larger than 100 MB
# unless he increases his own ulimit value
adamh soft fsize 102400
# don't create core files for any user unless they
# change this ulimit value for themselves
* soft core 0
# limit all users in the group 'students' to no more
# than 20 processes running at once
@student hard nproc 20
# limit all users in the group 'faculty' to no more
# than 20 processes running at once, but allow
# them to increase their own limit temporarily
@faculty soft nproc 20
Let’s see
ulimit
in action with the user
adamh
, given the example
limits.conf
file just shown. First, prove
that user
adamh
cannot create a file larger
than 102400 blocks (100 MB, assuming we’re dealing with blocks that
are each 1 KB in size):
$whoamiadamh
$ulimit –acore file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) 102400
pending signals (-i) 8192
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 8192
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
$dd if=/dev/zero of=largefile bs=1M count=200File size limit exceeded
$ls -lh largefile-rwxrwxrwx 1 root root 100M 2010-01-08 16:09 largefile
The
dd
command used in this
example is attempting to create a 200 MB file by copying the
contents of
/dev/zero
(a
special device that returns zero-valued bytes to all read requests)
to the file
largefile
. It is
doing this by attempting to copy 200 1-megabyte segments. After
dd
has reached 100 MB, the copy is aborted and
the error “File size limit exceeded” appears. An
ls
of the file shows that user
adamh
was allowed to create a 100 MB file, but
no larger. Now
adamh
will use
ulimit
to increase his file size limit to 200
MB and try the command again:
$ulimit -f 204800$ulimit -acore file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) 204800
pending signals (-i) 8192
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 8192
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
$dd if=/dev/zero of=largefile bs=1M count=200200+0 records in
200+0 records out
209715200 bytes (210 MB) copied, 13.0589 s, 16.1 MB/s
$ls -lh largefile-rwxrwxrwx 1 root root 200M 2010-01-08 16:14 largefile
This time, the
dd
command completed
without an error, and
adamh
was allowed to
create a 200 MB file. However, if he tries to use
ulimit
to increase the limit beyond the hard
limit, he is denied:
$ulimit -f 204801-bash: ulimit: file size: cannot modify limit: Operation not permitted
On the Exam
Setting limits for users is an often-overlooked activity,
but it will appear on the LPI exam. Be familiar with the format of
the
/etc/security/limits.conf
file and some
of the more common options for
ulimit
. Also
be sure to understand the difference between hard and soft limits
and how those differences affect a user’s ability to use system
resources.