Solved

Switch to sudo

Posted on 2014-04-25
Last Modified: 2014-04-25
I have been the lone Linux administrator for a couple of years at my office.  We have approx. 64 Linux servers.

We recently hired two additional junior admins to assist.

In the past it was easy to know who made the changes, since I was the only person with the root password.

Now I would like to change to sudo, so I can track which "admin" is making which changes.  

I would like them to have full root access.  Since I am not familiar with sudo, I was wondering what is the best way to go about this?

Any input would be appreciated.
Question by:savone
10 Comments
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 72 total points
ID: 40022938
You can create user accounts for them and grant them administrative privileges....
Grant Users Administrative Privileges

Now that you have a new user on your system, you need to decide if this user should be able to perform administrative tasks with sudo.

If the user you created will be your primary user on the system, you usually want to enable sudo privileges so that you can do routine configuration and maintenance.

We give users access to the sudo command with the visudo command. If you have not assigned additional privileges to any user yet, you will need to be logged in as root to access this command:

visudo


This will open the sudoers file in the vi editor

This file will look something like this:
# User privilege specification
root    ALL=(ALL:ALL) ALL

You can add the line...
newuser    ALL=(ALL:ALL) ALL

Save and quit; now the users will have their own accounts with administrative privileges.
LVL 6

Assisted Solution

by:Ricardo Martínez
Ricardo Martínez earned 143 total points
ID: 40022944
I think the best way to track them is to grant sudo privileges to their own users, so you can see who did any task in the logs. Check this link that explains how to do it on Debian and derived distros:

How To Add, Delete, and Grant Sudo Privileges to Users on a Debian VPS

You can create a script to add those users with privileges on all the servers.

If you need it for other distro, just tell me.
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 214 total points
ID: 40022954
... or make the new admins members of a special group. Your "sudoers" file (and probably your OS as well) should have a predefined group "wheel" for that purpose.

Look for an entry like this in the sudoers file (use "visudo" as suggested):

%wheel ALL=(ALL) ALL

If there is a comment sign in front ("#") remove it, then save the sudoers file. If there is no such line add it.

Now check your OS if there is a group "wheel". If there isn't  such a group, add it.

Make the concerned users members of that group and you're done.

Please remember that the users must prefix any command to be run under root privileges with "sudo", e.g.:

sudo passwd savone

wmp
LVL 23

Author Comment

by:savone
ID: 40022986
I am sorry, I should have been clearer.  We all do have our own accounts since remote root access is disabled.  So we do log in as ourselves and then switch to root for admin.
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 214 total points
ID: 40023035
>> We all do have our own accounts <<

No problem. Just add the group "wheel" to the user's group set:

usermod -a -G wheel savone
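The two steps described above (activating the %wheel rule in sudoers, then adding the existing accounts to that group) as one script. This is an added example, not code from any of the posters. It assumes a Linux host with GNU sed and grep, the group name defaults to wheel as in the stock RHEL sudoers, and the demonstration at the bottom runs on a constructed copy of the two commented wheel lines rather than on the live /etc/sudoers.

```shell
#!/bin/bash
# Added example (not from the thread): activate a group-based sudo rule and
# put existing accounts into that group. Assumes a Linux host with GNU sed
# and grep; the group defaults to "wheel" as in the stock RHEL sudoers.
set -eu

# Make "%GROUP ALL=(ALL) ALL" active in a sudoers file: uncomment the
# predefined line if there is one, otherwise append it. Only that exact
# rule is touched, so a commented-out NOPASSWD variant stays commented.
# The file is written in place, so its 0440 root:root mode/owner survive.
enable_group_rule() {
    local file=$1 group=${2:-wheel} tmp
    local rule="%${group}[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*"
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*${rule}\$" "$file"; then
        cat "$file" > "$tmp"                                  # already active
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${rule}\$" "$file"; then
        sed -E "s/^[[:space:]]*#[[:space:]]*(${rule})\$/\1/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%%%s ALL=(ALL) ALL\n' "$group" >> "$tmp"
    fi
    # Syntax-check before touching the real file. Done only as root because
    # older visudo also insists that the file it checks be 0440 root:root.
    if [ "$(id -u)" = 0 ] && command -v visudo > /dev/null 2>&1; then
        chmod 0440 "$tmp"
        visudo -c -q -f "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Create the group if the OS lacks it, then append the account to it.
# Needs root. "-a" appends, so the user's other groups are kept.
grant_admin() {
    local user=$1 group=${2:-wheel}
    getent group "$group" > /dev/null || groupadd "$group"
    usermod -a -G "$group" "$user"
}

# Stand-alone demonstration on a constructed copy of the two wheel lines
# shipped in a stock RHEL /etc/sudoers; the live file is not touched.
demo=$(mktemp)
cat > "$demo" <<'EOF'
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
EOF
enable_group_rule "$demo" wheel
cat "$demo"      # first rule is now active, the NOPASSWD one is still commented
rm -f "$demo"
```

On a real server run it as root, e.g. `enable_group_rule /etc/sudoers wheel` followed by `grant_admin savone wheel` for each admin. Because `enable_group_rule` matches the whole rule and not just the group name, it will not accidentally uncomment the neighbouring NOPASSWD line, which would remove the password prompt for everyone in the group.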
LVL 6

Assisted Solution

by:Ricardo Martínez
Ricardo Martínez earned 143 total points
ID: 40023146
That's why we said to change your own accounts' privileges, to stop using the root user, so the logs will reflect the changes you made with each one and be easy to track their actions. Then, you will have to change the root user password to prevent the junior admins from continuing to use it.
LVL 29

Assisted Solution

by:serialband
serialband earned 71 total points
ID: 40023150
How much tracking do you want to do?  Do you want to disable the su command too?  A whole lot of people would just run sudo su to become root anyway.   That defeats the logging, except for the initial sudo su.  You would only be able to correlate the time frame of the changes once they do that.  Once you've entered a shell, there's no sudo tracking.

Here are 2 other ways to enter a root shell:
sudo -s
sudo bash


If you want to exclude su and bash, you would add them like this.
%wheel ALL=(ALL) ALL, !/bin/su, !/bin/bash

Unfortunately, this will exclude the junior admins ability to su to user accounts too, which will prevent account management access.  You could also sudo emacs or sudo vi and enter shells from them.

Sudo tracking is easier when giving users privileges to individual commands, but it's not really meant for detailed tracking of root usage.
Here's an example to give the webmasters group access to httpd so they can restart apache.
%webmasters ALL=(ALL) /etc/init.d/httpd

or giving someone MySQL access
MySQLadmins ALL=(ALL) /usr/bin/mysql,/usr/bin/mysqlcheck,/usr/bin/mysqld

http://www.onlamp.com/pub/a/bsd/2002/09/12/Big_Scary_Daemons.html?page=2

The real solution is to have sudo and also have your junior admins document changes they've made.  My current place requires us to update a weekly internal wiki.  When you get into a larger group, you'll need documentation, and a sign off before allowing the junior admins access to change it.  You'd have to reprimand them for not following procedure and fire them for failing to do it too many times.
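A check for the problem serialband describes: once someone has run sudo su, sudo -s, sudo bash or an editor with a shell escape, sudo logs nothing further, so the one line it does log is worth hunting for. The script below is an added example, not from the thread. It parses the line format sudo writes to syslog (/var/log/secure on RHEL); the sample lines, host names and user names are constructed. It also flags commands run from outside the system binary directories, because a `!/bin/bash` exclusion in sudoers is defeated simply by copying the shell to another path and running the copy, something the sudoers manual itself warns about.

```shell
#!/bin/bash
# Added example (not from the thread): scan sudo's syslog lines and flag
# invocations that hand out an interactive root shell, after which sudo
# logs nothing further. The "user : TTY=... ; PWD=... ; USER=... ;
# COMMAND=..." layout is sudo's own; the sample lines are constructed.
set -eu

# Programs that give a shell directly or through an escape (editors, pagers,
# interpreters). Matched on basename, so /bin/bash and /usr/bin/bash both hit.
ESCAPES='su|bash|sh|dash|zsh|ksh|csh|tcsh|vi|vim|emacs|nano|less|more|man|find|awk|perl|python|python3'

# Reads syslog lines on stdin, prints "host user status reason command" for
# each sudo entry that is a shell escape or runs something from outside
# /bin, /sbin, /usr/bin, /usr/sbin, /usr/libexec (a renamed copy of a shell
# dodges both the sudoers "!" exclusion and the basename match above).
flag_shell_escapes() {
    awk -v re="^(${ESCAPES})\$" '
        $5 ~ /^sudo(\[[0-9]+\])?:$/ && /COMMAND=/ {
            host = $4                               # "Mon DD HH:MM:SS host sudo: ..."
            sub(/^.* sudo(\[[0-9]+\])?: +/, "")     # keep "user : ... ; COMMAND=..."
            i = index($0, " : ")
            user = substr($0, 1, i - 1)
            rest = substr($0, i + 3)
            status = (rest ~ /^command not allowed/) ? "denied" : "ran"
            cmd = substr(rest, index(rest, "COMMAND=") + 8)   # COMMAND is the last field
            split(cmd, argv, " ")
            base = argv[1]; sub(/.*\//, "", base)
            if (base ~ re)                                            reason = "shell-escape"
            else if (argv[1] !~ /^\/(usr\/)?(s?bin|libexec)\//)       reason = "outside-system-path"
            else next
            print host, user, status, reason, cmd
        }'
}

# Constructed sample of /var/log/secure: a normal service restart, two root
# shells, an editor with a shell escape, a denied attempt, a shell copied to
# /tmp to get around a "!/bin/bash" rule, and an unrelated sshd line.
SAMPLE_LOG=$(cat <<'EOF'
Apr 25 09:12:01 web01 sudo:    jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/sbin/service httpd restart
Apr 25 09:12:40 web01 sudo:    jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/su
Apr 25 09:20:13 db02 sudo:   asmith : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Apr 25 09:21:55 db02 sudo:   asmith : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Apr 25 09:30:02 web01 sudo:    jdoe : command not allowed ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/su -
Apr 25 09:31:10 web01 sudo:    jdoe : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/tmp/notbash
Apr 25 09:40:00 db02 sudo:   asmith : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd savone
Apr 25 09:41:00 db02 sshd[2234]: Accepted publickey for asmith from 10.0.0.5 port 51022 ssh2
EOF
)

# Stand-alone demonstration; on a server: flag_shell_escapes < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | flag_shell_escapes
```

Everything the script prints is a point after which the sudo log can only bound a time window, exactly the limitation described above; the lines it stays quiet on (service restart, passwd) are the ones where the log does name the command.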
LVL 23

Author Comment

by:savone
ID: 40023578
Thanks for all the information, one more question.

I see that the /etc/sudoers file should be edited by using visudo.  

BUT, we have 60+ systems now, which is growing fast.  I would like to centrally manage this file on my Red Hat Satellite server and push the /etc/sudoers file out to each server.  This way if we need to add sudo access, or remove it, we can change it in one place.

Can I do this, or will it cause issues?
LVL 68

Accepted Solution

by:woolmilkporc
woolmilkporc earned 214 total points
ID: 40023594
This is possible, of course. "visudo" does syntax checking, so it's the preferred tool to edit the sudoers file, but once the file looks as desired you can deploy it to other servers without problems. Just take care to leave the permissions (0440) and ownership (root/UID 0) intact.

You can even restrict settings in sudoers to be valid on certain hosts/host groups only, so even if different hosts must be treated differently this can be achieved with a single sudoers file.

See the rather informative manpage of "sudoers", or here:
http://www.sudo.ws/sudoers.man.html
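The accepted answer in deployable form: one sudoers file for the whole fleet, with Host_Alias entries scoping some rules to particular servers, installed with the 0440 mode and root ownership mentioned above. This is an added example, not the poster's code. The host names, alias names, user names and the junior-admin command list are made up, and the demonstration installs into a scratch directory instead of /etc/sudoers. The `Defaults log_output` line enables sudo's session output recording (replayable with sudoreplay), which is one answer to the sudo su concern raised earlier: a root shell started through sudo is then recorded even though the commands typed inside it are not logged individually.

```shell
#!/bin/bash
# Added example (not from the thread): one sudoers file for the whole fleet,
# syntax-checked and installed with the mode and owner sudo requires. Host,
# alias and user names are made up for the example.
set -eu

# Identical on every server; Host_Alias scopes the junior rules to the boxes
# they apply to, so no per-host editing is needed. log_output records each
# sudo session's output (replay with sudoreplay), which also covers a root
# shell started with "sudo -s" or "sudo su".
FLEET_SUDOERS=$(cat <<'EOF'
Defaults    requiretty
Defaults    logfile=/var/log/sudo.log
Defaults    log_output

Host_Alias  WEB    = web01, web02, web03
Host_Alias  DB     = db01, db02
User_Alias  JUNIOR = jdoe, asmith

root     ALL=(ALL)  ALL
%wheel   ALL=(ALL)  ALL
JUNIOR   WEB=(ALL)  /sbin/service httpd restart, /sbin/service httpd status
JUNIOR   DB=(ALL)   /usr/bin/mysqlcheck
EOF
)

# Install SRC as DEST (default /etc/sudoers). The copy is built next to the
# destination and renamed into place, so sudo never reads a half-written
# file. As root it is first checked with visudo; older visudo also insists
# the checked file be 0440 root:root, hence chmod/chown before the check.
install_sudoers() {
    local src=$1 dest=${2:-/etc/sudoers} tmp
    tmp=$(mktemp "$(dirname "$dest")/.sudoers.XXXXXX")
    cat "$src" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" = 0 ]; then
        chown 0:0 "$tmp"
        if command -v visudo > /dev/null 2>&1; then
            visudo -c -q -f "$tmp" || { rm -f "$tmp"; return 1; }
        fi
    fi
    mv -f "$tmp" "$dest"
}

# Stand-alone demonstration into a scratch directory. On a real host, as root
# (or from whatever Satellite runs on the client after pushing the file):
#   install_sudoers /path/to/fleet.sudoers /etc/sudoers
work=$(mktemp -d)
printf '%s\n' "$FLEET_SUDOERS" > "$work/fleet.sudoers"
install_sudoers "$work/fleet.sudoers" "$work/sudoers"
ls -l "$work/sudoers"
rm -rf "$work"
```

Keep the master copy under version control and run `visudo -c -f fleet.sudoers` on the Satellite server before every push; a syntax error in /etc/sudoers locks every admin out of sudo on every host that received it.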
LVL 23

Author Closing Comment

by:savone
ID: 40023633
Thanks everybody, I did not want to single out one answer as all of you were helpful.