Do That Sudo Voodoo That You Do

In the Implementing Effective Access Control webinar that I did a few days ago, I spent a little time talking about sudo. It’s a pretty cool utility that, I think, is vastly underutilized. With some care, sudo can be the basis for a powerful role-based access control (RBAC) system on Linux.

Sudo is a Linux/UNIX/Mac OS X utility that reduces the need to run as root. Rather than logging in with the root account in order to access privileged commands and restricted files, you log in with your personal (non-administrative) account and then invoke the sudo program whenever you want to perform an operation that requires root privileges.

For example, to restart the network, instead of logging in as root and running:

/etc/init.d/network restart

You would log in with your personal account and run:

sudo /etc/init.d/network restart

The sudo command runs the privileged command for you after first consulting its configuration file, /etc/sudoers, to verify that you’re allowed to run the command.

In addition to minimizing the need to share the root password, sudo is also valuable because it performs logging. The command above would result in a log entry being written that identified who (your personal account) performed what operation (the network restart).

While we find that our customers are familiar with sudo, we find that many of them don’t use it. The problem with sudo is that, to use it, you need to carefully design a corresponding /etc/sudoers configuration file. Clearly, you don’t want everyone to be able to perform every privileged operation. You want to design a set of roles, for example:

  • System administrator
  • Database administrator
  • Storage administrator
  • Developer
  • Help desk assistant
  • End user

And then you want to determine what privileged commands will be available to each of these roles. Finally, you need to assign roles to your users.

Adding individual users to /etc/sudoers can be painful. If new employees are being hired and fired frequently, it’s inconvenient to have to push out new versions of this file to all the machines in your network. Although /etc/sudoers allows the referencing of user groups instead of individual users, without a centralized authentication system, identifying groups in sudo is no more convenient than identifying individual users. Each time an employee is hired or fired, you’ll need to push out a new /etc/group file to all of your systems.
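As an added illustration (not a configuration from the original post or from Likewise), here is how the roles listed above could be expressed in /etc/sudoers using groups rather than individual users. The group names and every command path other than /etc/init.d/network are assumptions made up for the example.

```sudoers
# Constructed example: group names and most command paths are hypothetical.

# Log every sudo invocation to syslog under the authpriv facility.
Defaults syslog=authpriv

# Command sets, one per kind of privileged task.
# A command listed with arguments is allowed only with exactly those
# arguments; a command listed with no arguments is allowed with any.
Cmnd_Alias NETWORK  = /etc/init.d/network restart, \
                      /etc/init.d/network status
Cmnd_Alias DATABASE = /etc/init.d/mysqld start, \
                      /etc/init.d/mysqld stop, \
                      /etc/init.d/mysqld restart
Cmnd_Alias STORAGE  = /bin/mount /mnt/backup, \
                      /bin/umount /mnt/backup
Cmnd_Alias WEBAPP   = /etc/init.d/httpd restart
Cmnd_Alias PRINTING = /etc/init.d/cups restart

# Role -> command mapping. "%name" refers to a group, so role membership
# is decided by group membership and this file never names a person.
# Format: who  where = (run-as user) what

# System administrator: any command as root.
%sysadmins   ALL = (root) ALL

# Database administrator: database service control only.
%dbadmins    ALL = (root) DATABASE

# Storage administrator: mount and unmount the backup volume only.
%storage     ALL = (root) STORAGE

# Developer: restart the web server, nothing else.
%developers  ALL = (root) WEBAPP

# Help desk assistant: restart networking and printing.
%helpdesk    ALL = (root) NETWORK, PRINTING

# End user: no entry. Anyone not matched above is denied, and the
# denied attempt is logged.
```

Edit the file with visudo, or check a copy with `visudo -c -f <file>`, so that a syntax error is caught before it locks everyone out of sudo.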

This is where our software comes in. Likewise allows Linux/UNIX/Mac OS X machines to authenticate users with their Active Directory credentials. We allow these non-Windows machines to be joined to AD and to perform Kerberos/LDAP-based authentication against AD without any local account.

With Likewise, adding/removing employees from AD groups is all done at the central LDAP repository; no file needs to be updated on each participating Linux/UNIX/Mac OS X machine. Additionally, Likewise extends the Microsoft group policy architecture to these non-Windows systems and provides a GP setting for sudo. We can use group policy to distribute sudo configuration files automatically.

The combination of Likewise software and sudo makes it much, much easier to eliminate the use of privileged accounts by relying on sudo as controlled by AD group memberships.

Strangely enough, there’s no equivalent functionality in Windows. The closest thing to sudo is the ability to runas another user (impersonation). At the shell level, you can right-click on an application icon and invoke the Run As… menu item. You can then specify the credentials for an administrator and run an application to which you might not normally have access. With this technique, however, you still need to know the credentials for an administrative account.

At least one third-party implementation of sudo for Windows has been written (this one).
