
Hands-on lab for assigning limited sudo privileges

In this lab, you'll create some users and assign them different levels of privileges. To simplify things, we'll use the CentOS virtual machine.

  1. Log in to the CentOS virtual machine and create user accounts for Lionel, Katelyn, and Maggie:
        sudo useradd lionel
        sudo useradd katelyn
        sudo useradd maggie
        sudo passwd lionel
        sudo passwd katelyn
        sudo passwd maggie
  2. Open visudo:
        sudo visudo

Find the STORAGE command alias and remove the comment symbol from in front of it.

  3. Add the following lines to the end of the file, using tabs to separate the columns:
        lionel     ALL=(ALL)    ALL
        katelyn    ALL=(ALL)    /usr/bin/systemctl status sshd
        maggie     ALL=(ALL)    STORAGE

Save the file and exit visudo. (visudo parses the file before it writes it, which is why you use it instead of opening /etc/sudoers in an ordinary editor: a syntax error in that file locks every user out of sudo.)

A sudo rule matches the complete command line, so Katelyn's rule permits exactly systemctl status sshd and nothing else, not even systemctl restart sshd. One caveat: when it is writing to a terminal, systemctl status hands its output to a pager, normally less, and less can run shell commands with !. On systemd versions that don't disable this when run under sudo (tracked as CVE-2023-26604 for systemd before 247), that is enough to get a root shell from this rule, so for a real deployment put --no-pager in the permitted command line and have the user type it.

  4. To save time, we'll use su to log in to the different user accounts. You won't need to log out of your own account to perform these steps. First, log in to Lionel's account and verify that he has full sudo privileges by running several root-level commands:
        su - lionel
        sudo su -
        exit
        sudo systemctl status sshd
        sudo fdisk -l
        exit
  5. This time, log in as Katelyn and try to run some root-level commands. (Don't be too disappointed if they don't all work, though.) Only the status command should succeed; for the others, sudo tells you that katelyn is not allowed to execute the command, and it logs the denied attempt:
        su - katelyn
        sudo su -
        sudo systemctl status sshd
        sudo systemctl restart sshd
        sudo fdisk -l
        exit
  6. Finally, log in as Maggie, and run the same set of commands that you ran for Katelyn. This time only fdisk -l should work, because fdisk is one of the commands in the STORAGE alias.
  7. Keep in mind that although we only had three individual users for this lab, you could just as easily have handled more users by setting them up in user aliases or Linux groups.
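The same three roles, written the way the last step suggests, as an added example that is not from the book: a drop-in file under /etc/sudoers.d with a User_Alias for the full admins, a Cmnd_Alias for Katelyn's single permitted command line, and a Linux group instead of a per-user line for the storage operators, followed by a visudo syntax check before the file goes live. Everything in it beyond the three lab rules is an assumption made here: the SUDOERS_DIR override (so the script can be dry-run as a normal user), the assumption that /etc/sudoers contains the CentOS 7 default line #includedir /etc/sudoers.d, the group name storageadmins, and the alias name STORAGE_TOOLS (chosen so it does not collide with the STORAGE alias the lab uncommented in /etc/sudoers; defining the same alias twice is a sudoers syntax error).

```shell
#!/bin/sh
# Added example, not from the book: the lab's three rules as a sudoers.d drop-in
# that uses a User_Alias, a Cmnd_Alias and a Linux group, checked with visudo.
#
# Assumptions (chosen here, not in the original lab):
#   - SUDOERS_DIR overrides /etc/sudoers.d so the script can be dry-run without
#     root; /etc/sudoers is assumed to include /etc/sudoers.d (CentOS 7 default).
#   - Group name storageadmins and alias name STORAGE_TOOLS are invented; the
#     latter avoids redefining the STORAGE alias that already lives in /etc/sudoers.

policy_path() {
    printf '%s/90-lab-limited\n' "${SUDOERS_DIR:-/etc/sudoers.d}"
}

# Print the policy. Columns are tab-separated, as the lab asks.
render_policy() {
    printf '%s\n' '# limited sudo for the lab roles (generated)'
    printf '%s\t%s\n' 'User_Alias' 'ADMINS = lionel'
    # The whole command line is part of the match, so --no-pager is part of the
    # rule: without it systemctl hands its output to less, and less can spawn a
    # shell with !, which would hand Katelyn root anyway on older systemd.
    printf '%s\t%s\n' 'Cmnd_Alias' 'SSHD_STATUS = /usr/bin/systemctl status sshd --no-pager'
    printf '%s\t%s\n' 'Cmnd_Alias' 'STORAGE_TOOLS = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount'
    printf '%s\t%s\t%s\n' 'ADMINS'         'ALL=(ALL)' 'ALL'
    printf '%s\t%s\t%s\n' 'katelyn'        'ALL=(ALL)' 'SSHD_STATUS'
    printf '%s\t%s\t%s\n' '%storageadmins' 'ALL=(ALL)' 'STORAGE_TOOLS'
}

# Write the file with the mode sudo requires (0440: nothing writable by group/other).
install_policy() {
    f=$(policy_path)
    mkdir -p "$(dirname "$f")"
    (umask 077; render_policy > "$f")
    chmod 0440 "$f"
}

# Parse-check the drop-in. Never skip this: a broken sudoers file breaks sudo for everyone.
check_policy() {
    f=$(policy_path)
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$f"
    else
        echo "visudo not found, skipping syntax check of $f" >&2
    fi
}

# Number of user/group specifications in the rendered policy.
count_rules() {
    render_policy | grep -c 'ALL=(ALL)'
}

# Usage: sudo sh limited_sudo.sh install   (the real install; needs root)
if [ "${1:-}" = install ]; then
    getent group storageadmins >/dev/null || groupadd storageadmins
    usermod -aG storageadmins maggie      # group membership replaces a per-user line
    install_policy
    check_policy
    for u in lionel katelyn maggie; do
        sudo -l -U "$u"                   # show what each user may actually run
    done
fi
```

Run it with SUDOERS_DIR pointing at a scratch directory to see the file it would write, then with install as root on the lab VM; sudo -l -U at the end is the check that tells you what each account can really do, which is more reliable than trying commands one by one. Adding a fourth storage operator is then a usermod, not another sudoers edit.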

Since sudo is such a great security tool, you would think that everyone would use it, right? Sadly, that's not the case. Pretty much any time you look at either a Linux tutorial website or a Linux tutorial YouTube channel, you'll see the person who's doing the demo logged in at the root user command prompt. In some cases, I've seen the person remotely logged in as the root user on a cloud-based virtual machine. Now, if logging in as the root user is already a bad idea, then logging in across the internet as the root user is an even worse idea. In any case, seeing everybody do these tutorial demos from the root user's shell drives me absolutely crazy.

Having said all this, there are some things that don't work with sudo. Bash shell internal commands, such as cd, don't work with it, because sudo can only execute a program and a built-in isn't one. Injecting kernel values into the /proc filesystem with an echo and a redirect doesn't work with it either, because the redirection is performed by your own unprivileged shell before sudo ever runs; the usual workaround is to run the whole command line through a shell, or through tee, under sudo. Even so, there are tasks for which a person has to go to the root command prompt. Still, make sure that only users who absolutely have to use the root user command prompt have access to it.
