Task I - Using the sudo utility

The following task will demonstrate how to use the sudo utility to delegate certain root privileges without giving out the root password.

1) Ensure that the sudo utility is installed on the workstation.

   # pkginfo | grep SMCsudo
   application SMCsudo                          sudo

2) Create a sudo profile that allows the user "bob" access to the snoop command. Substitute "yourhost" with your hostname.

   # visudo
   bob yourhost=/usr/sbin/snoop

3) Test the sudo configuration by switching to the user "bob" and attempting to run the snoop command without sudo, then with sudo.

   # su - bob
   $ /usr/sbin/snoop
   snoop: /dev/hme: Permission denied
   $ /usr/local/bin/sudo /usr/sbin/snoop

   We trust you have received the usual lecture from the local System
   Administrator. It usually boils down to these two things:

       #1) Respect the privacy of others.
       #2) Think before you type.

   Password:
   Using device /dev/hme (promiscuous mode)

4) The user "bob" was able to run the snoop command. Exit out of the user "bob".

   $ exit

Task II - Using sudo aliases

In the following task, you will set up sudo aliases for ease of sudo administration in large network environments.

1) Edit the sudoers file and create the following aliases:

   # visudo
   <>
   # Host alias specification
   Host_Alias SER=yourhost,yourpartnerhost
   # User alias specification
   User_Alias SR=alice,bob
   # Cmnd alias specification
   Cmnd_Alias NET=/usr/sbin/snoop,/usr/sbin/ifconfig
   <>

2) Edit the sudoers file and give the user alias "SR" access on the "SER" host alias, enabling them to run the "NET" command alias.

   # visudo
   <>
   SR SER=NET

3) The user "alice" should have access to both the ifconfig and snoop commands because she has been placed in the "SR" alias. Switch users over to "alice" and have alice try to plumb a virtual interface on your primary interface. Was the user "alice" successful?

   # su - alice
   $ id
   uid=1003(alice) gid=1(other)
   $ /usr/local/bin/sudo /usr/sbin/ifconfig hme0:1 plumb
   <>
   $ ifconfig -a
   lo0: flags=1000849 mtu 8232 index 1
           inet 127.0.0.1 netmask ff000000
   hme0: flags=1000843 mtu 1500 index 2
           inet 10.14.1.11 netmask ff000000 broadcast 10.255.255.255
   hme0:1: flags=1000842 mtu 1500 index 2
           inet 0.0.0.0 netmask 0

Task III - Configuring default sudo behaviors

The following task will use the "Defaults" keyword in the sudoers file to enable custom logging and extra security measures.

1) Edit the sudoers file and create a custom log file for sudo using syslog and the local0 facility. Also edit the file to include a timestamp timeout of "0". Be sure to place these values at the top of the sudoers file.

   # visudo
   Defaults timestamp_timeout=0
   Defaults syslog=local0

2) Edit the sudoers file and include the user "eve" in the "SR" alias.

   # visudo
   <>
   User_Alias SR=alice,bob,eve
   <>

3) Edit the /etc/syslog.conf file to tell syslogd to write sudo entries to a file called /var/adm/sudo.log. (Solaris syslogd requires the selector and the action to be separated by a tab, not spaces.)

   # vi /etc/syslog.conf
   <>
   local0.debug			/var/adm/sudo.log
   <>
   # touch /var/adm/sudo.log
   # chmod 640 /var/adm/sudo.log
   # /etc/init.d/syslog stop
   # /etc/init.d/syslog start

4) Switch to the user "eve" and issue the snoop command.

   # su - eve
   $ /usr/local/bin/sudo /usr/sbin/snoop
   <>
   Password:
   Using device /dev/hme (promiscuous mode)

5) Exit out of the snoop command as user eve and run the snoop command again. Notice that the sudo utility prompts the user eve for a password again. This is because the default timestamp timeout of 5 minutes has been changed to 0 minutes in the sudoers file: every time any user issues the sudo command, the user will be prompted for a password.

   $ /usr/local/bin/sudo /usr/sbin/snoop
   <>
   Password:
   Using device /dev/hme (promiscuous mode)

6) Exit out of the user eve and check the /var/adm/sudo.log file for the sudo entry.

   # more /var/adm/sudo.log
   Aug 1 19:51:47 chiefhosa sudo: [ID 850335 local0.notice] eve : TTY=pts/3 ; PWD=/etc/init.d ; USER=root ; COMMAND=/usr/sbin/ifconfig
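As an added example that is not part of the lab, the following Python script parses a sudoers fragment built from the aliases above (the host name "chiefhosa" is taken from the log entry, "partnerhost" and the second log line are assumed), resolves the User_Alias/Host_Alias/Cmnd_Alias tables, and checks each /var/adm/sudo.log entry against that policy so that a logged command the current policy does not grant stands out. It implements only the subset of sudoers syntax used in the lab (no runas specs, NOPASSWD tags, negation or wildcards).

```python
import re
# Constructed sudoers fragment with the lab's aliases; "chiefhosa" is the host in the lab's log, "partnerhost" is assumed.
SUDOERS = """\
Defaults syslog=local0
Host_Alias SER=chiefhosa,partnerhost
User_Alias SR=alice,bob,eve
Cmnd_Alias NET=/usr/sbin/snoop,/usr/sbin/ifconfig
bob chiefhosa=/usr/sbin/snoop
SR SER=NET
"""
# Constructed log lines in the format of the lab's /var/adm/sudo.log (second line is invented).
SUDO_LOG = """\
Aug  1 19:51:47 chiefhosa sudo: [ID 850335 local0.notice] eve : TTY=pts/3 ; PWD=/etc/init.d ; USER=root ; COMMAND=/usr/sbin/ifconfig
Aug  1 19:53:02 chiefhosa sudo: [ID 850335 local0.notice] bob : TTY=pts/4 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/sh
"""
LOG_RE = re.compile(r"(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.+)$")

def parse_sudoers(text):
    # Returns alias tables keyed by kind and a list of (user, host, [cmds]) rules.
    aliases = {"Host_Alias": {}, "User_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):   # Defaults lines grant nothing
            continue
        kind, rest = line.split(None, 1)
        lhs, rhs = rest.split("=", 1)
        members = [m.strip() for m in rhs.split(",")]
        if kind in aliases:                           # e.g. Cmnd_Alias NET=a,b
            aliases[kind][lhs.strip()] = set(members)
        else:                                         # e.g. SR SER=NET
            rules.append((kind, lhs.strip(), members))
    return aliases, rules

def expand(name, table):
    return table.get(name, {name})   # an alias expands to its members; a plain name is itself

def permitted(aliases, rules, user, host, cmd):
    # True if some rule grants user@host the command (simplified sudoers semantics).
    for r_user, r_host, r_cmds in rules:
        if user in expand(r_user, aliases["User_Alias"]) and host in expand(r_host, aliases["Host_Alias"]):
            allowed = set().union(*(expand(c, aliases["Cmnd_Alias"]) for c in r_cmds))
            if cmd in allowed or "ALL" in allowed:
                return True
    return False

def audit(sudoers_text, log_text):
    # Returns (user, host, command) for logged runs the current policy does not grant.
    aliases, rules = parse_sudoers(sudoers_text)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        host = line.split()[3] if m else None         # syslog hostname field
        if m and not permitted(aliases, rules, m.group(1), host, m.group(3)):
            findings.append((m.group(1), host, m.group(3)))
    return findings
```

Run it against a real sudoers file and log to find entries that no current rule explains, for example commands run under a rule that has since been removed.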