Solved

Switch to sudo

Posted on 2014-04-25
528 Views
Last Modified: 2014-04-25
I have been the lone Linux administrator for a couple of years at my office.  We have approx 64 linux servers.

We recently hired two additional junior admin to assist.

In the past it was easy to know who made the changes, since I was the only person with the root password.

Now I would like to change to sudo, so I can track which "admin" is making which changes.  

I would like them to have full root access.  Since I am not familiar with sudo, I was wondering what is the best way to go about this?

Any input would be appreciated.
0
Question by:savone
10 Comments
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 72 total points
ID: 40022938
You can create user accounts for them and grant those accounts administrative privileges.
Grant Users Administrative Privileges

Now that you have a new user on your system, you need to decide if this user should be able to perform administrative tasks with sudo.

If the user you created will be your primary user on the system, you usually want to enable sudo privileges so that you can do routine configuration and maintenance.

We give users access to the sudo command with the visudo command. If you have not assigned additional privileges to any user yet, you will need to be logged in as root to access this command:

visudo


This will open the sudoers file in the vi editor

This file will look something like this..
# User privilege specification
root    ALL=(ALL:ALL) ALL

You can add the line...
newuser    ALL=(ALL:ALL) ALL

Save and quit; now the users will have their own accounts with administrative privileges.
0
 
LVL 6

Assisted Solution

by:Ricardo Martínez
Ricardo Martínez earned 143 total points
ID: 40022944
I think the best way to track them is to grant sudo privileges to their own users, so you can see who did any task in the logs. Check this link, which explains how to do it on Debian and Debian-derived distros:

How To Add, Delete, and Grant Sudo Privileges to Users on a Debian VPS

You can create a script to add those users with privileges on all the servers.

If you need it for other distro, just tell me.
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 214 total points
ID: 40022954
... or make the new admins members of a special group. Your "sudoers" file (and probably your OS as well) should have a predefined group "wheel" for that purpose.

Look for an entry like this in the sudoers file (use "visudo" as suggested):

%wheel ALL=(ALL) ALL

If there is a comment sign in front ("#") remove it, then save the sudoers file. If there is no such line add it.

Now check your OS if there is a group "wheel". If there isn't  such a group, add it.

Make the concerned users members of that group and you're done.

Please remember that the users must prefix any command to be run under root privileges with "sudo", e.g.:

sudo passwd savone

wmp
0
 
LVL 23

Author Comment

by:savone
ID: 40022986
I am sorry, I should have been clear.  We all do have our own accounts since remote root access is disabled.  So we do log in as ourselves then switch to root for admin.
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 214 total points
ID: 40023035
>> We all do have our own accounts <<

No problem. Just add the group "wheel" to the user's group set:

usermod -a -G wheel savone
0
 
LVL 6

Assisted Solution

by:Ricardo Martínez
Ricardo Martínez earned 143 total points
ID: 40023146
That's why we said to change your own accounts' privileges, to stop using the root user, so the logs will reflect the changes you made with each one and it will be easy to track their actions. Then, you will have to change the root user password to prevent the Junior Admins from continuing to use it.
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 71 total points
ID: 40023150
How much tracking do you want to do?  Do you want to disable the su command too?  A whole lot of people would just run sudo su to become root anyway.  That defeats the logging, except for the initial sudo su.  You would only be able to correlate the time frame of the changes once they do that.  Once you've entered a shell, there's no sudo tracking.

Here are 2 other ways to enter a root shell:
sudo -s
sudo bash


If you want to exclude su and bash, you would add them like this (the leading "%" marks wheel as a group name):
%wheel ALL=(ALL) ALL, !/bin/su, !/bin/bash

Unfortunately, this will exclude the junior admins' ability to su to user accounts too, which will prevent account management access.  You could also sudo emacs or sudo vi and enter shells from them.

Sudo tracking is easier when giving users privileges to individual commands, but it's not really meant for detailed tracking of root usage.
Here's an example to give the webmasters group access to httpd so they can restart apache.
%webmasters ALL=(ALL) /etc/init.d/httpd

or giving someone MySQL access
MySQLadmins ALL=(ALL) /usr/bin/mysql,/usr/bin/mysqlcheck,/usr/bin/mysqld

http://www.onlamp.com/pub/a/bsd/2002/09/12/Big_Scary_Daemons.html?page=2

The real solution is to have sudo and also have your junior admins document changes they've made.  My current place requires us to update a weekly internal wiki.  When you get into a larger group, you'll need documentation, and a sign off before allowing the junior admins access to change it.  You'd have to reprimand them for not following procedure and fire them for failing to do it too many times.
0
 
LVL 23

Author Comment

by:savone
ID: 40023578
Thanks for all the information, one more question.

I see that the /etc/sudoers file should be edited by using visudo.  

BUT, we have 60+ systems now and the number is growing fast.  I would like to centrally manage this file on my REDHAT Satellite server and push the /etc/sudoers file out to each server.  This way if we need to add sudo access, or remove it, we can change it in one place.

Can I do this, or will it cause issues?
0
 
LVL 68

Accepted Solution

by:woolmilkporc
woolmilkporc earned 214 total points
ID: 40023594
This is possible, of course. "visudo" does syntax checking, so it's the preferred tool to edit the sudoers file, but once the file looks as desired you can deploy it to other servers without problems. Just take care to leave the permissions (0440) and ownership (root/UID 0) intact.

You can even restrict settings in sudoers to be valid on certain hosts/host groups only, so even if different hosts must be treated differently this can be achieved with a single sudoers file.

See the rather informative manpage of "sudoers", or here:
http://www.sudo.ws/sudoers.man.html
0
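To make the two points above concrete (command lists with "!" exclusions, and host-specific rules inside one centrally deployed sudoers file), here is a small evaluator for the simple user-specification lines used in this thread. It is an added example, not code from this thread or from the sudo project: it understands only the subset shown here (user or %group, a host or ALL, a (runas) list, a comma-separated command list), the hostnames web01 and db01 are constructed, and the real check before pushing a file out is still `visudo -cf FILE`.

```python
import re

# Constructed sample sudoers content in the style of the lines above: the senior
# admin everywhere, the wheel group with two shell escapes denied, and two groups
# limited to specific commands on specific hosts (hostnames are made up).
SAMPLE_SUDOERS = """# User privilege specification
root         ALL=(ALL:ALL) ALL
savone       ALL=(ALL:ALL) ALL
%wheel       ALL=(ALL) ALL, !/bin/su, !/bin/bash
%webmasters  web01=(ALL) /etc/init.d/httpd
%mysqladmins db01=(ALL) /usr/bin/mysql, /usr/bin/mysqlcheck
"""

# who  host=(runas) command[, command ...]  -- only this simple shape is parsed
LINE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

def parse_sudoers(text):
    """Return a (who, host, commands) tuple per rule; commands keep a leading '!'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        who, host, _runas, cmds = m.groups()
        rules.append((who, host, [c.strip() for c in cmds.split(",")]))
    return rules

def may_run(rules, user, groups, host, command):
    """Decide as sudo does for this subset: the last matching entry wins and an
    entry prefixed with '!' denies.  Returns True when the command is allowed."""
    allowed = False
    for who, rule_host, cmds in rules:
        if who.startswith("%"):
            if who[1:] not in groups:  # group rule, user not a member
                continue
        elif who != user:
            continue
        if rule_host not in ("ALL", host):  # rule is for another host
            continue
        for cmd in cmds:
            deny = cmd.startswith("!")
            target = cmd.lstrip("!")
            if target == "ALL" or target == command:
                allowed = not deny
    return allowed
```

Because later entries override earlier ones, a user who is both named directly with ALL and a member of wheel is still denied /bin/bash by the wheel line that follows, which is why rule order matters when many hosts share one file.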
 
LVL 23

Author Closing Comment

by:savone
ID: 40023633
Thanks everybody, I did not want to single out one answer as all of you were helpful.
0
