sudo on CentOS 6.5 - rharmonson/richtech GitHub Wiki

sudo on CentOS 6.5

Sudo is used to provide a layer of security by permitting user access to execute privileged commands as root without access to root's password. It is far from a perfect solution and requires careful management of sudo's configuration and reviewing /var/logs/security, periodically.

The instructions, below, are intended to get you up and running and disable root ssh access, nothing more. I will provide 'Further Reading' so you can investigate strategies on how to best utilize sudo for you or your organization's requirements.

Installation

  1. Create user 'john' or use an existing user account
# useradd john --password <password>
  1. Configure user john to use 'sudo';
# visudo

Add the following to the appropriate section or end of file. This entry, essentially, gives user john root equivalent privileges using sudo but does prompt for john's password.

john ALL=(ALL)     ALL

  1. Log off then on using user john to validate functionality before moving to next step. Also, please note the convention I am using is to indicate root with '#' and '$' to represent john with sudo when appropriate.

  2. Disable root SSH access.

$ sudo vi /etc/ssh/sshd_config

change

#PermitRootLogin yes

to

PermitRootLogin No

For the changes to take effect immediately, or you can wait until next system restart

$ sudo service sshd restart

Suggestions

In use, I would suggest the following:

  • Use groups, not users
  • Use whitelists versus blacklists
  • Don't grant sudo unless required

Why do I feel blacklists should be avoided? Frankly, I am of the opinion it is impossible to use blacklists and prevent a determine user to circumvent restrictions. Best example I can think of is vi which permits executing commands and, potentially, circumventing your attempts to restrict privileged access.

Additional Reading

Sudo Home

http://www.sudo.ws

Excellent rule of thumb article

http://techglimpse.com/dos-and-donts-of-sudo/

A brief history

http://www.sudo.ws/sudo/history.html

Slides providing an excellent overview

http://www.sudo.ws/sudo/slides/Sudo_SCALE9x.pdf

Read a book. It is good for you.

https://www.michaelwlucas.com/nonfiction/sudo-mastery

Common Options, yeah its ubuntu, get over it.

https://help.ubuntu.com/community/Sudoers

More options

http://superuser.com/questions/735172/how-to-prevent-sudo-users-from-running-specific-commands
⚠️ **GitHub.com Fallback** ⚠️