Solved

Switch to sudo

Posted on 2014-04-25
589 Views
Last Modified: 2014-04-25
I have been the lone Linux administrator for a couple of years at my office.  We have approx 64 linux servers.

We recently hired two additional junior admin to assist.

In the past it was easy to know who made the changes, since I was the only person with the root password.

Now I would like to change to sudo, so I can track which "admin" is making which changes.  

I would like them to have full root access.  Since I am not familiar with sudo, I was wondering what is the best way to go about this?

Any input would be appreciated.
Question by:savone
10 Comments
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 72 total points
ID: 40022938
You can create user accounts for them and grant them administrative privileges....
Grant Users Administrative Privileges

Now that you have a new user on your system, you need to decide if this user should be able to perform administrative tasks with sudo.

If the user you created will be your primary user on the system, you usually want to enable sudo privileges so that you can do routine configuration and maintenance.

We give users access to the sudo command with the visudo command. If you have not assigned additional privileges to any user yet, you will need to be logged in as root to access this command:

visudo


This will open the sudoers file in the vi editor

This file will look something like this..
# User privilege specification
root    ALL=(ALL:ALL) ALL

You can add the line...
newuser    ALL=(ALL:ALL) ALL

Save and quit; now the users will have their own accounts with administrative privileges.
LVL 6

Assisted Solution

by:Ricardo Martínez
Ricardo Martínez earned 143 total points
ID: 40022944
I think the best way to track them is to grant sudo privileges to their own users, so you can see who did any task in the logs. Check this link, which explains how to do it on Debian and derived distros:

How To Add, Delete, and Grant Sudo Privileges to Users on a Debian VPS

You can create a script to add those users with privileges on all the servers.

If you need it for other distro, just tell me.
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 214 total points
ID: 40022954
... or make the new admins members of a special group. Your "sudoers" file (and probably your OS as well) should have a predefined group "wheel" for that purpose.

Look for an entry like this in the sudoers file (use "visudo" as suggested):

%wheel ALL=(ALL) ALL

If there is a comment sign in front ("#") remove it, then save the sudoers file. If there is no such line add it.

Now check whether your OS has a group "wheel". If there isn't such a group, add it.

Make the concerned users members of that group and you're done.

Please remember that the users must prefix any command to be run under root privileges with "sudo", e.g.:

sudo passwd savone

wmp
 
LVL 23

Author Comment

by:savone
ID: 40022986
I am sorry, I should have been clear.  We all do have our own accounts since remote root access is disabled.  So we do log in as ourselves then switch to root for admin.
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 214 total points
ID: 40023035
>> We all do have our own accounts <<

No problem. Just add the group "wheel" to the user's group set:

usermod -a -G wheel savone
LVL 6

Assisted Solution

by:Ricardo Martínez
Ricardo Martínez earned 143 total points
ID: 40023146
That's why we said to change your own accounts' privileges and stop using the root user, so the logs will reflect the changes each of you made and it will be easy to track their actions. Then you will have to change the root user's password to prevent the junior admins from continuing to use it.
LVL 30

Assisted Solution

by:serialband
serialband earned 71 total points
ID: 40023150
How much tracking do you want to do?  Do you want to disable the su command too?  A whole lot of people would just run sudo su to become root anyway.   That defeats the logging, except for the initial sudo su.  You would only be able to correlate the time frame of the changes once they do that.  Once you've entered a shell, there's no sudo tracking.

Here are 2 other ways to enter a root shell:
sudo -s
sudo bash


If you want to exclude su and bash, you would add them like this.
%wheel ALL=(ALL) ALL, !/bin/su, !/bin/bash

Unfortunately, this will exclude the junior admins ability to su to user accounts too, which will prevent account management access.  You could also sudo emacs or sudo vi and enter shells from them.

Sudo tracking is easier when giving users privileges to individual commands, but it's not really meant for detailed tracking of root usage.
Here's an example to give the webmasters group access to httpd so they can restart apache.
%webmasters ALL=(ALL) /etc/init.d/httpd

or giving someone MySQL access
MySQLadmins ALL=(ALL) /usr/bin/mysql,/usr/bin/mysqlcheck,/usr/bin/mysqld

http://www.onlamp.com/pub/a/bsd/2002/09/12/Big_Scary_Daemons.html?page=2

The real solution is to have sudo and also have your junior admins document changes they've made.  My current place requires us to update a weekly internal wiki.  When you get into a larger group, you'll need documentation, and a sign off before allowing the junior admins access to change it.  You'd have to reprimand them for not following procedure and fire them for failing to do it too many times.
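As an added example (not serialband's code or anything from the thread), the script below shows the gap serialband describes from the defender's side: it scans sudo's syslog lines for the invocations after which per-command logging stops (su, a shell, or an editor such as vi or emacs that can spawn one). The log lines are constructed in the format sudo writes to /var/log/secure on RHEL-style hosts; the user and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: flag the "sudo su" / "sudo bash" /
# "sudo vi" style invocations after which the sudo audit trail has a gap.
set -eu

# Write a small constructed sudo log (syslog format) to the file named in $1.
write_sample_sudo_log() {
    cat >"$1" <<'EOF'
Apr 25 10:01:02 web01 sudo:   savone : TTY=pts/0 ; PWD=/home/savone ; USER=root ; COMMAND=/usr/bin/passwd junior1
Apr 25 10:03:11 web01 sudo:  junior1 : TTY=pts/1 ; PWD=/home/junior1 ; USER=root ; COMMAND=/bin/su
Apr 25 10:05:40 web01 sudo:  junior2 : TTY=pts/2 ; PWD=/home/junior2 ; USER=root ; COMMAND=/bin/bash
Apr 25 10:07:15 web01 sudo:  junior1 : TTY=pts/1 ; PWD=/home/junior1 ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Apr 25 10:09:00 web01 sudo:  junior2 : TTY=pts/2 ; PWD=/home/junior2 ; USER=root ; COMMAND=/etc/init.d/httpd restart
EOF
}

# Print "user command" for every sudo line whose program is su, a shell, or an
# editor that can drop into one. "sudo -s" is covered too: sudo logs it as the
# user's shell (COMMAND=/bin/bash), so it needs no separate pattern.
flag_shell_escapes() {
    awk '
        /sudo: / && /COMMAND=/ {
            u = $0; sub(/^.* sudo: +/, "", u); sub(/ : .*$/, "", u)   # invoking user
            c = $0; sub(/^.*COMMAND=/, "", c)                         # full command
            bin = c; sub(/ .*$/, "", bin); sub(/^.*\//, "", bin)      # basename only
            if (bin ~ /^(su|sh|bash|vi|vim|emacs)$/) print u, c
        }' "$1"
}

# Number of flagged lines; anything above zero means the per-command trail has
# gaps that only the written change log serialband recommends can fill.
count_shell_escapes() {
    flag_shell_escapes "$1" | wc -l | tr -d ' '
}

# Usage: write_sample_sudo_log /tmp/secure.sample; flag_shell_escapes /tmp/secure.sample
```

On the sample above the passwd and httpd lines pass silently while the su, bash and vi lines are reported, which is exactly the set of actions whose follow-on changes will not appear in the sudo log.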
LVL 23

Author Comment

by:savone
ID: 40023578
Thanks for all the information, one more question.

I see that the /etc/sudoers file should be edited by using visudo.  

BUT, we have 60+ systems now which is growing fast.  I would like to centrally manage this file on my REDHAT Satellite server and push the /etc/sudoers file out to each server.  This way if we need to add sudo access, or remove it, we can change it in one place.

Can I do this, or will it cause issues?
LVL 68

Accepted Solution

by:woolmilkporc
woolmilkporc earned 214 total points
ID: 40023594
This is possible, of course. "visudo" does syntax checking, so it's the preferred tool to edit the sudoers file, but once the file looks as desired you can deploy it to other servers without problems. Just take care to leave the permissions (0440) and ownership (root/UID 0) intact.

You can even restrict settings in sudoers to be valid on certain hosts/host groups only, so even if different hosts must be treated differently this can be achieved with a single sudoers file.

See the rather informative manpage of "sudoers", or here:
http://www.sudo.ws/sudoers.man.html
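The following script is an added example, not code from any of the answers, that ties the thread's pieces together: comfortjeanius's per-user line, woolmilkporc's %wheel group rule and usermod step, and the accepted answer's points about central deployment (visudo for syntax checking, root ownership, mode 0440, per-host restrictions). It assumes a Linux host whose /etc/sudoers has an includedir for /etc/sudoers.d, GNU stat, and that the admin user names, the fragment name 10-admins and the web01/web02 host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build one sudoers fragment for the fleet,
# syntax-check it with visudo, and install it with root ownership and mode 0440.
set -eu

# Emit the fragment. %wheel gets full root (woolmilkporc's approach); the
# savone line is comfortjeanius's per-user form; the Host_Alias restricts the
# last rule to the web tier only, as the accepted answer describes.
render_sudoers_fragment() {
    cat <<'EOF'
# Managed centrally: edit the master copy, run visudo -cf on it, then deploy.
Host_Alias WEB = web01, web02
%wheel ALL=(ALL) ALL
savone ALL=(ALL:ALL) ALL
%webmasters WEB=(root) /etc/init.d/httpd
EOF
}

# Syntax-check a candidate file before it goes anywhere. Fails closed: without
# visudo we cannot validate, so we refuse rather than deploy blind.
validate_sudoers() {
    command -v visudo >/dev/null 2>&1 || {
        echo "visudo not found; refusing to deploy an unvalidated file" >&2
        return 1
    }
    visudo -cf "$1"
}

# Return 0 when the file has mode 0440 and the expected owner uid (default 0).
check_sudoers_perms() {
    got=$(stat -c '%a %u' "$1")           # GNU stat (Linux)
    [ "$got" = "440 ${2:-0}" ]
}

# Render, validate, then install under /etc/sudoers.d. install(1) writes the
# file with its final owner and mode in one step, so sudo never sees a
# world-readable or half-written copy.
deploy_sudoers_fragment() {
    name=$1                               # e.g. 10-admins (constructed)
    tmp=$(mktemp)
    render_sudoers_fragment >"$tmp"
    validate_sudoers "$tmp"
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
    rm -f "$tmp"
    check_sudoers_perms "/etc/sudoers.d/$name"
}

# Put existing accounts in wheel; usermod -a keeps their other groups.
enroll_admins() {
    getent group wheel >/dev/null || groupadd wheel
    for u in "$@"; do usermod -a -G wheel "$u"; done
}

# Usage on each server, as root:
#   deploy_sudoers_fragment 10-admins
#   enroll_admins junior1 junior2
```

Running the master copy through visudo -cf before pushing it is what keeps a typo from locking every admin out of sudo at once; the permission check afterwards catches a deployment tool that silently resets the mode.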
LVL 23

Author Closing Comment

by:savone
ID: 40023633
Thanks everybody, I did not want to single out one answer as all of you were helpful.