Here is part two of the Escalating User Privileges topic. Have a nice reading.
The /etc/sudoers File
This file contains the policy rules that grant certain users and groups the rights to execute certain commands.
Contents of the File
The /etc/sudoers file consists of two main sets of configuration entries:
- Aliases Definitions.
- Privileges Specification Rules.
Aliases Definitions
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.
Each alias definition is of the form:
Alias_Type NAME = item1, item2, ...
Where
Alias_Type could be one of the four types User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.
NAME is a string starting with an uppercase letter, and may contain (besides to uppercase
Letters) numbers and underscores.
For example, to define a command alias that contains a set of network administrative commands:
Cmnd_Alias NETWORKING1 = /sbin/ifup, /sbin/ifdown, /usr/sbin/system-config-network
To define a user alias that contains the usernames for the Network admins team:
User_Alias NETADMINS = ahmed, suzan, ashraf
Note: –
To edit the /etc/sudoers file, it is strongly recommended not to edit it using the normal vi/vim utility. A special tool called visudo that is designed for this specific purpose should be used instead.
visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error. If there is an error, visudo will print a message stating the line number(s) where the error occurred.
Privileges Specification Rules
A user specification rule determines which commands a user may run (and as what user) on specified hosts. By default, commands are run as root, but this can be changed on a per-command basis.
Synatx
The basic structure of a user specification rule is:
who where = (as_whom) what
Examples
- To grant the network admins team the privileges to run on all machines as root the networking administrative commands specified above:
NETADMINS ALL=(ALL) NETWORKING1
- To grant the user sheriff full privileges on the system:
sherif ALL=(ALL) ALL
- To grant the sysadmins group full privileges on the system without enforcing the user to type a password:
%FULLTIMERS ALL=(ALL) NOPASSWD: ALL
Summary
- The /etc/sudoers file contains the policy rules that grant certain users and groups the rights to execute certain commands.
- It is recommended to use the special visudo editor to edit the /etc/sudoers, as it checks syntax before allowing the user to save any modifications.
- The /etc/sudoers file consists of two main sets of configuration entries: Aliases Definitions and Privileges Specification Rules.
That is it for Privilege Escalation.
In the next article, we will talk about File Security in Linux. You will be introduced to Users and Groups Ownership and Permissions on Files and Directories. An important article to wait for; so don’t go anywhere. We won’t be late.
