Solaris Unlimited: Configuring SUDO on Solaris 10...!!!

http://solaris-unlimited.blogspot.co.id/2013/12/configuring-su...

Solaris Unlimited
Login... Dig... Share...

Wednesday, December 18, 2013

Configuring SUDO on Solaris 10...!!!


What is SUDO?

SUDO (Substitute User Do): a normal user is granted the privilege to execute chosen root-owned commands (based on the user's day-to-day role) that reside under the /usr/sbin directory.

Why SUDO?

1. Delegating chosen root-owned commands to a privileged user reduces root's load and adds a security feature. The privileged user can execute only the commands granted.

2. If a virus, worm or malicious script tries to run on a Unix system, it cannot gain the necessary privileges without the user typing sudo. This prevents a lot of malware from running without notifying the user.

3. Another nice thing about sudo is that I type in MY password, not root's, to gain root privileges. So if my account gets compromised, we still have not compromised the root account.

4. It logs both successful and failed command executions, leaving a trail for the event record.

And now, why SUDO on Solaris 10? Does Solaris 10 come with such a feature?
Yes. Solaris 10 has such a feature: RBAC (Role Based Access Control).
SUDO packages have to be downloaded and installed manually on Solaris 10, as they are NOT available on the Solaris 10 OS installation media. (SUDO is available by default in Solaris 11.)
From my perspective, even though RBAC has more features and a more secure password model (RBAC roles do have a password, so the user needs the login password and the role password to execute the granted commands), administering RBAC is more complex than SUDO.
For SUDO, /usr/local/etc/sudoers is the only configuration file that has to be configured or modified.
RBAC, in contrast, involves the /etc/user_attr, /etc/security/auth_attr, /etc/security/prof_attr and /etc/security/exec_attr files.

The packages can be downloaded from the link - http://sunfreeware.com/


SUDO packages to be installed on X86:

libiconv-1.13.1-sol10-x86-local.gz

libgcc-3.4.6-sol10-x86-local.gz
gcc-3.4.6-sol10-x86-local.gz
libintl-3.4.0-sol10-x86-local.gz

db-4.2.52.NC-sol10-intel-local.gz

make-3.82-sol10-x86-local.gz
wget-1.12-sol10-x86-local.gz

sudo-1.7.4p4-sol10-x86-local.gz
TCMsudo-1.7.4p4-i386.pkg.gz
sudo-1.6.9p23.tar

SUDO packages to be installed on SPARC:

libiconv-1.13.1-sol10-sparc-local.gz
libgcc-3.4.6-sol10-sparc-local.gz
gcc-3.4.6-sol10-sparc-local.gz
libintl-3.4.0-sol10-sparc-local.gz
db-4.2.52.NC-sol10-sparc-local.gz
make-3.82-sol10-sparc-local.gz
sudo-1.7.4p4-sol10-sparc-local.gz

TCMsudo-1.7.4p4-sparc.pkg

sudo-1.6.9p23.tar
zlib-1.2.5-sol10-sparc-local.gz

The following 2 packages

1. sudo-1.6.9p23 (Source Distribution)
2. TCMsudo-1.7.4p4-i386.pkg (Binary Package)

can be downloaded from the link - http://www.sudo.ws/sudo/download.html

How?
I recommend installing the downloaded packages in the following order:
bash-3.00# pkgadd -d libiconv-1.13.1-sol10-x86-local
bash-3.00# pkgadd -d libgcc-3.4.6-sol10-x86-local
bash-3.00# pkgadd -d gcc-3.4.6-sol10-x86-local
bash-3.00# pkgadd -d libintl-3.4.0-sol10-x86-local
bash-3.00# pkgadd -d make-3.82-sol10-x86-local
bash-3.00# pkgadd -d db-4.2.52.NC-sol10-intel-local
bash-3.00# pkgadd -d wget-1.12-sol10-x86-local
bash-3.00# pkgadd -d TCMsudo-1.7.4p4-i386.pkg
bash-3.00# pkgadd -d sudo-1.7.4p4-sol10-x86-local

The /usr/local/etc/sudoers file is generated only after the above 2 packages have been installed successfully.

bash-3.00# cd sudo-1.6.9p23
bash-3.00# ls configure
configure

Run the configure script with ./configure


bash-3.00# ./configure
After successful installation and execution of the ./configure script, move to the directory /usr/local/etc and confirm that the sudoers and wgetrc files are present.
Set the PATH variable for sudo:
bash-3.00# export PATH=$PATH:/usr/local/bin:/usr/local/sbin
To make it permanent, add the entry to the /etc/profile file.
To confirm that the PATH variable is set:
bash-3.00# echo $PATH
/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
Now let us discuss the entries in the /usr/local/etc/sudoers file, in order.
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias	ADMINS = millert, dowdy, mikef
User_Alias SYSADMIN = scbose, malcomx
(Output Truncated)
Where
User_Alias is the keyword stating that we are defining user alias names.
SYSADMIN is the user alias variable.
scbose, malcomx are existing users who have an entry in the local system file /etc/passwd.

Guys, kindly note that User_Alias, Cmnd_Alias and Host_Alias variable names should NOT be the same.
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#			    /usr/bin/pkill, /usr/bin/top
Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/bin/passwd, \
    /usr/sbin/groupadd, /usr/sbin/groupmod, \
    /usr/sbin/groupdel, /usr/sbin/usermod, /usr/sbin/userdel
Cmnd_Alias SYSADMIN_CMDS = /usr/sbin/init, /usr/sbin/shutdown, /usr/sbin/reboot, \
    /usr/sbin/halt
(Output Truncated)

Where
Cmnd_Alias is the keyword stating that we are defining command alias names.
USERADMIN and SYSADMIN_CMDS are the command alias variables.
Each command alias variable is mapped to several commands (here, for instance: /usr/sbin/useradd, /usr/bin/passwd, /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/init, /usr/sbin/shutdown, /usr/sbin/reboot, /usr/sbin/halt).

## User privilege specification
##
root ALL=(ALL) ALL
che ALL=(ALL) ALL
NewUser ALL=/usr/sbin/useradd, /usr/bin/passwd
castro ALL=USERADMIN, SYSADMIN_CMDS
SYSADMIN ALL=SYSADMIN_CMDS
(Output Truncated)

Where
NewUser = Existing user login name
ALL = Terminals user can execute from
followed by the commands the user is granted to execute, or a command alias (all the commands mapped to the command alias can be executed by the user).

The syntax is like so:


USER ALL=(ALL) ALL
Where
USER = The user.
ALL = Terminals user can execute from
(ALL) = The users USER can act as.
ALL = The commands USER can run.

Note:

1. By default, sudo caches the password for 5 min for each command, so it is not necessary to enter the password again for the same command until the cached password expires.

2. The /etc/sudoers file is read each time a command is executed.
A modification (restricting/adding commands for an existing user) made to the /etc/sudoers file comes into effect immediately.

3. If you do not want the user to be asked for their password when running sudo:
USER ALL=(ALL) NOPASSWD: ALL
Possible, but not a good idea! :)
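
An added example, not part of the original post: a small Python audit that applies this page's cautions to sudoers text. It flags alias names reused across alias types, NOPASSWD entries, blanket ALL command grants to non-root users, and alias keywords sudo does not define; the sample input, function names and finding labels are constructed for illustration.

```python
import re

ALIAS_KEYWORDS = {"User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}

# Constructed sample, assembled from entries of the kind shown on this page.
SAMPLE = r"""
User_Alias SYSADMIN = scbose, malcomx
Cmnd_Alias SYSADMIN = /usr/sbin/init, /usr/sbin/shutdown, \
    /usr/sbin/reboot
Cmd_Alias USERADMIN = /usr/sbin/useradd, /usr/bin/passwd
Defaults logfile=/var/log/sudo_log
root ALL=(ALL) ALL
che ALL=(ALL) ALL
castro ALL=(ALL) NOPASSWD: USERADMIN
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blank and comment lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def lint_sudoers(text):
    """Return sorted (finding, subject) pairs; the rule set is this example's own."""
    findings, alias_types = set(), {}
    for line in logical_lines(text):
        alias = re.match(r"(\w*_Alias)\s+(\w+)\s*=", line)
        if alias:
            keyword, name = alias.groups()
            if keyword in ALIAS_KEYWORDS:
                alias_types.setdefault(name, set()).add(keyword)
            else:
                findings.add(("unknown-keyword", keyword))
            continue
        spec = re.match(r"(\S+)\s+[^=]+=\s*(?:\([^)]*\)\s*)?(.*)", line)
        if line.startswith("Defaults") or not spec:
            continue
        who, rest = spec.groups()
        if "NOPASSWD:" in rest:
            findings.add(("nopasswd", who))
        # Drop tags such as "NOPASSWD:" before looking at the command list.
        commands = [re.sub(r"^(\w+:\s*)+", "", c.strip()) for c in rest.split(",")]
        if "ALL" in commands and who != "root":
            findings.add(("all-commands", who))
    for name, kinds in alias_types.items():
        if len(kinds) > 1:
            findings.add(("alias-name-reused", name))
    return sorted(findings)
```

This audit does not replace sudo's own syntax check, `visudo -c`.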

By default, all activity performed through sudo is logged to the /var/adm/messages file.
However, this can be customized: sudo can log to a specific file. Make sure that the file is created and granted valid file permissions.
Here, I'm customizing the sudo logs to go to the file /var/log/sudo_log
# Defaults log_output
Defaults logfile=/var/log/sudo_log
(Output Truncated)

Example log from the /var/adm/messages file:

Dec 17 04:24:05 veritas sudo: [ID 702911 auth.alert] NewUser : command not allowed ; TTY=pts/8 ; PWD=/export/home/NewUser ; USER=root ; COMMAND=useradd -m -e /export/home/Jack Jack
Dec 17 04:28:59 veritas sudo: [ID 702911 auth.alert] castro : command not allowed ; TTY=pts/8 ; PWD=/export/home/castro_home ; USER=che ; COMMAND=/usr/sbin/useradd -m -d /export/home/Rose Rose
Dec 17 04:30:12 veritas sudo: [ID 702911 auth.alert] castro : command not allowed ; TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root ; COMMAND=list
Dec 17 04:32:10 veritas sudo: [ID 702911 auth.alert] malcomx : command not allowed ; TTY=pts/7 ; PWD=/export/home/malcomx ; USER=che ; COMMAND=/bin/sh
Dec 17 04:33:07 veritas sudo: [ID 702911 auth.alert] malcomx : command not allowed ; TTY=pts/7 ; PWD=/export/home/malcomx ; USER=root ; COMMAND=list

Entry from the customized sudo log file:


Dec 18 01:13:11 : che : TTY=pts/7 ; PWD=/export/home/che_home ; USER=root ; COMMAND=list
Dec 18 01:13:47 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root
; COMMAND=list
Dec 18 01:14:40 : castro : command not allowed ; TTY=pts/8 ;
PWD=/export/home/castro_home ; USER=root ; COMMAND=/usr/sbin/useradd -m -d
/export/home/TestUser TestUser
Dec 18 01:46:54 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root
; COMMAND=/usr/sbin/useradd -m -d /export/home/TestUser TestUser
Dec 18 01:47:15 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root
; COMMAND=/usr/bin/passwd TestUser

From the above logs, it is very clear that both successful and failed events are logged.
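
An added example, not part of the original post: a Python parser for the customized /var/log/sudo_log format shown above. It rejoins entries that wrap across lines and counts "command not allowed" events per user; the function and field names are this example's own.

```python
import re
from collections import Counter

# A new entry starts with "Mon DD HH:MM:SS : user : "; any other line continues it.
STAMP = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) : (\S+) : (.*)$")

# Entries copied from this page's /var/log/sudo_log excerpt, wrapping included.
SAMPLE = """\
Dec 18 01:13:47 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root
; COMMAND=list
Dec 18 01:14:40 : castro : command not allowed ; TTY=pts/8 ;
PWD=/export/home/castro_home ; USER=root ; COMMAND=/usr/sbin/useradd -m -d
/export/home/TestUser TestUser
Dec 18 01:46:54 : castro : TTY=pts/8 ; PWD=/export/home/castro_home ; USER=root
; COMMAND=/usr/sbin/useradd -m -d /export/home/TestUser TestUser
"""

def parse_sudo_log(text):
    """Rejoin wrapped entries, then split each one into a dict of fields."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line):
            entries.append(line.rstrip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()  # continuation of the previous entry
    records = []
    for entry in entries:
        when, who, rest = STAMP.match(entry).groups()
        # COMMAND= is always last; everything after it is the command line.
        head, _, command = rest.partition("COMMAND=")
        rec = {"time": when, "who": who, "command": command, "reason": None}
        for part in filter(None, (p.strip() for p in head.split(";"))):
            key, eq, value = part.partition("=")
            if eq:
                rec[key] = value      # TTY, PWD, USER (the target user)
            else:
                rec["reason"] = part  # free text such as "command not allowed"
        records.append(rec)
    return records

def denied_by_user(records):
    """Count entries that carry a failure reason, per invoking user."""
    return Counter(r["who"] for r in records if r["reason"])
```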

To list the commands granted to a user through sudo:


bash-3.00# /usr/local/bin/sudo -l -U malcomx
User malcomx may run the following commands on this host:
(root) SYSADMIN_CMDS

Successful and failed execution of granted commands through sudo:


bash-3.00$ /usr/sbin/useradd -m -d /export/home/Romeo Romeo
UX: /usr/sbin/useradd: ERROR: Permission denied.
bash-3.00$ /usr/local/bin/sudo /usr/sbin/useradd -m -d /export/home/Romeo Romeo
80 blocks
bash-3.00$ /usr/local/bin/sudo /usr/bin/passwd Romeo
New Password:
Re-enter new Password:
passwd: password successfully changed for Romeo

Now I guess that we are a bit familiar with the configuration of sudo and its features.
Even though RBAC had some hurdles, let me come back with RBAC configuration in my next post :)!!!

Posted by Manickam Kamalakkannan at 3:59 AM

2 comments:
Anonymous September 25, 2014 at 10:00 AM
Freeware is not working to download can you suggest a direnet source to download the sudo packages

Manickam Kamalakkannan December 14, 2014 at 9:53 AM

Hi Anonymous,
I am still able to find and download the packages from the link.
Please try again.
Try these links too: http://sunfreeware.saix.net/
http://www.sudo.ws/
Good Luck.

Copyright

The contents of this page is not affiliated with Sun Microsystems /Oracle Corporation affiliates. Any tips/information offered up here can be followed at your own risk. I will
not be responsible for any loss of data, time, or any other damage occurred by following any information on this page. They seemed to work for me, but your mileage may
vary.
2009 Manickam Kamalakkannan
