Pppcloud Linux user security management in cloud Host 2

Source: Internet
Author: User

Superuser Privileges and Authorization

Create multiple Super users

Many new system administrators think that root is the only possible superuser. In fact, root is merely the login name of the system's default superuser; it is not the name that makes the account privileged. Open any /etc/passwd file and you will find lines like these:

root:asiewhgyfaoo/j:0:0:root:/root:/bin/tcsh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
lanf:yuao56ioyefg:0:0:bluewind:/home/bluewind:/bin/bash
jake:guyfaiiodashfj:501:501:jake cheng:/home/jake:/bin/tcsh
apache:!!:502:502::/usr/local/apache:/bin/false

As you can see, the UID and GID of root are both 0. What actually makes an account a superuser is the UID: the kernel grants root privileges to any process whose effective UID is 0, whatever the login name. GID 0 only places the account in the root group; it neither adds nor removes privilege. So any user whose UID field is 0 is, as far as the kernel is concerned, indistinguishable from the account we usually call root. In the listing above, lanf is a second superuser.

Therefore, you can turn any ordinary user into a superuser simply by editing the UID field. That is rarely a benefit; more often it adds a hidden danger to the system. Only when several administrators in your organization manage the same system is there a case for more than one superuser account: separate accounts let each administrator's actions be attributed through the logs. Even then, separate ordinary accounts combined with su or sudo give the same attribution with less exposure.

The other way multiple superuser accounts arise is an attacker creating an account that looks ordinary but has its UID and GID set to 0. That account carries superuser privileges without the attacker ever needing the root password. From the administrator's side, nobody has the time or energy to watch /etc/passwd for such changes by hand, so write a script to do the monitoring, for example:

#!/bin/sh
# Mail root every /etc/passwd entry whose UID field (field 3) is 0, i.e. every superuser.
/bin/awk -F: '$3 == 0' /etc/passwd | mail -s "superusers $(date +"%F %T")" root

This is a very small script built from general-purpose commands: it reads /etc/passwd, selects the superuser lines (UID 0) and mails them to root. Put it in /etc/cron.daily so cron runs it, and root will receive a mail every day listing the current superusers. Checking the UID field alone, rather than the literal string "0:0", also catches an account whose UID is 0 but whose GID was left at some other value.
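The monitoring idea above, extended into a script that not only lists UID-0 accounts but also compares them with a baseline recorded when the system was known-good, so the daily mail only reports what changed. This is an added example for this page, not code from the original article; the sample passwd content is constructed, and the baseline path used in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): audit a passwd file for
# superuser accounts and report any that are missing from a baseline.
# The sample content below is constructed; it is not a real system file.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/tcsh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lanf:x:0:0:bluewind:/home/bluewind:/bin/bash
jake:x:501:501:jake cheng:/home/jake:/bin/tcsh
apache:!!:502:502::/usr/local/apache:/bin/false'

# uid0_accounts FILE
#   Print the login name of every entry whose UID (field 3) is 0.
#   UID 0 is what confers superuser privilege; the GID field is
#   deliberately ignored so that an entry like "x:0:100:" is still caught.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# extra_superusers FILE
#   As above, but leave out "root" so only unexpected UID-0 accounts remain.
extra_superusers() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# new_superusers FILE BASELINE
#   Print UID-0 names in FILE that do not appear in BASELINE, a sorted list
#   of names (one per line) recorded when the system was known-good.
#   comm(1) needs both inputs sorted, hence the sort before comparing.
new_superusers() {
    uid0_accounts "$1" | sort | comm -23 - "$2"
}

# Stand-alone demo on the constructed sample: root and lanf are listed,
# and lanf is reported as new against a baseline that contains only root.
demo() {
    pw=$(mktemp) && base=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    printf 'root\n' > "$base"
    echo "UID-0 accounts:";  uid0_accounts "$pw"
    echo "not in baseline:"; new_superusers "$pw" "$base"
    rm -f "$pw" "$base"
}
demo
```

For cron use, drop the demo and run something like `new_superusers /etc/passwd /var/lib/uid0.baseline | mail -s "new superusers" root` (the baseline path is an assumption), after creating the baseline with `uid0_accounts /etc/passwd | sort > /var/lib/uid0.baseline` on a clean system and protecting that file from ordinary users.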

In fact, because of the restrictions imposed by PAM (pluggable authentication modules), a superuser is normally not allowed to log in over telnet: the pam_securetty module only permits UID-0 logins on the terminals listed in /etc/securetty, and telnet's pseudo-terminals are not in that list. So after an attacker has changed an account's UID and GID to 0, logging in again to obtain superuser privileges is impossible without also modifying /etc/securetty, unless you were careless enough to add the pseudo-TTY devices to it and thereby allow root logins there. The usual practice is for the superuser to log in with an ordinary user account and then run su (for the su command, see the Site Command Query section).

Assigning privileges to ordinary users

The sudo command lets a normal user run commands that otherwise only the superuser could execute. Whether because trust takes time to build or because it is simply unnecessary, we do not hand out the full privileges of the superuser lightly; this is a basic principle of administration work. When particular users genuinely need access to particular things, we can configure sudo to allow those individual ordinary users to run just the privileged commands they need.

The sudo command allows a user who has been listed in the /etc/sudoers file to run superuser commands. For example, a normal user who has been granted the right can run:

sudo vi /etc/passwd

(Note that an editor such as vi can spawn a shell, so granting it under sudo is in effect granting a root shell; for editing files, prefer sudoedit, which runs the editor unprivileged on a copy of the file.)

The configuration in /etc/sudoers lets us specify exactly what each normal user can and cannot do. The lines of /etc/sudoers are of the following kinds:

> Empty lines and comment lines (beginning with a # character): ignored.

> Optional host alias line: defines a short name for a list of hosts. It must start with the Host_Alias keyword, and the hosts in the list are separated by commas. For example:

Host_Alias REDHAT = binbu, qd

Here binbu and qd are two host names, and the alias REDHAT can be used to refer to both of them together.

> Optional user alias line: defines a short name for a list of users. It must start with the User_Alias keyword, and the user names in the list are separated by commas. Its format is the same as the host alias line.

> Optional command alias line: defines a short name for a list of commands. It must start with the Cmnd_Alias keyword, and the commands in the list (given by full path) are separated by commas.

> Optional run-as alias line: also a short name for a list of users, introduced by the Runas_Alias keyword. The difference is that such an alias tells sudo which user to run the program as.

> Required user access specification line: the syntax is

user host = (runas_user) command_list

Here user is a real user name or a defined user alias, and host is a real host name or a defined host alias. By default every command run through sudo is executed as root; the optional (runas_user) part, in parentheses, selects another identity. The command_list is a comma-separated list of commands (full paths) or a previously defined command alias. For example:

lanf binbu = /sbin/shutdown

This line says that lanf may run the shutdown command on the host binbu.

Attention:

1. Several aliases of the same kind can be defined on one line, separated by a colon (:).

2. A command or command alias can be prefixed with ! to exclude it. Be aware that subtracting commands from ALL with ! is not an effective restriction: the user can copy the excluded program under another name, or reach a shell from an allowed command, and run it anyway. Prefer an explicit list of allowed commands.

3. Two further keywords are important: ALL matches everything in its position (all hosts, all users or all commands), and the NOPASSWD: tag means the user is not asked for a password before the command runs.

Here is an example of a sudoers file:

# sudoers file
# User alias specification
User_Alias ADMIN = yourid : POWERUSER = hisid, herid
# User privilege specification
ADMIN ALL = ALL
POWERUSER ALL = ALL, !/bin/su

The third line defines two aliases, ADMIN and POWERUSER; the fifth line says that ADMIN can execute all commands as root on all hosts; and the sixth line gives POWERUSER the same rights as ADMIN except for the su command. As noted above, this last exclusion is cosmetic rather than a real boundary: with ALL still granted, POWERUSER can run sudo /bin/sh, or any editor with a shell escape, and obtain a root shell without ever touching /bin/su. If POWERUSER is meant to have less than ADMIN, list the commands to allow instead.
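Putting the alias lines and the user access specification described above together, here is a fuller sudoers file written as an added example for this page; it is not from the original article or from any distribution's default file. The host names binbu and qd, the users yourid, hisid, herid and lanf, and the command paths are assumptions. It also shows the safer alternative to the POWERUSER line above: an explicit command list rather than ALL with !/bin/su.

```sudoers
# Added example, not from the original page. Host names, user names,
# paths and the baseline of what each group needs are assumptions.

# Aliases: hosts, users, run-as identities and commands.
Host_Alias  REDHAT    = binbu, qd
User_Alias  ADMIN     = yourid
User_Alias  POWERUSER = hisid, herid
Runas_Alias WEB       = apache
Cmnd_Alias  POWER     = /sbin/shutdown, /sbin/reboot
Cmnd_Alias  LOGS      = /usr/bin/tail /var/log/messages

# ADMIN may run anything, as root, on the REDHAT hosts.
ADMIN     REDHAT = (root) ALL

# POWERUSER gets an explicit allow-list instead of "ALL, !/bin/su":
# subtracting from ALL is not a boundary, an allow-list is.
# The apachectl command runs as the apache user via the WEB run-as alias.
POWERUSER REDHAT = POWER, (WEB) /usr/local/apache/bin/apachectl
# Reading the system log needs no password prompt.
POWERUSER REDHAT = NOPASSWD: LOGS

# Editing a file: sudoedit copies it, runs the user's editor unprivileged
# and writes the result back, so there is no root shell to escape into.
lanf      binbu  = sudoedit /etc/hosts
```

Check the syntax before installing with `visudo -cf FILE` (the -c flag checks only, -f names the file), since a syntax error in /etc/sudoers locks everyone out of sudo; on systems whose /etc/sudoers includes /etc/sudoers.d, drop the file there with mode 0440.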
