Linux Privilege Granting

Introduction

In Linux systems, managing user permissions and access control is a fundamental aspect of system administration and security. The sudo command, short for "superuser do," allows authorized users to execute commands with elevated privileges, typically those of the superuser or root account.

This lab will guide you through the process of granting and restricting privileges to users in a Linux environment. You will learn how to add users to the sudo group, enabling them to perform administrative tasks, and how to limit their permissions to specific commands. These skills are essential for maintaining secure systems where access to sensitive operations needs to be carefully controlled.

Understanding User Management and sudo Basics

In this step, you will learn about user management in Linux and the basics of the sudo command. You will create a new user and understand how to grant them administrative privileges.

What is sudo?

The sudo command allows authorized users to execute commands with the security privileges of another user, typically the superuser (root). This provides a way to perform administrative tasks without logging in as the root user, which is considered a security best practice.

Creating a New User

Let's start by creating a new user account. Open your terminal and execute the following command:

sudo adduser trusted_advisor

You will be prompted to enter a password and some optional information for the new user. For this lab, you can set a simple password like password123 and leave the other fields blank by pressing Enter.

The output should look similar to this:

Adding user `trusted_advisor' ...
Adding new group `trusted_advisor' (1001) ...
Adding new user `trusted_advisor' (1001) with group `trusted_advisor' ...
Creating home directory `/home/trusted_advisor' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for trusted_advisor
Enter the new value, or press ENTER for the default
 Full Name []:
 Room Number []:
 Work Phone []:
 Home Phone []:
 Other []:
Is the information correct? [Y/n] Y

Checking User Information

To verify that the user was created successfully, you can examine the contents of the /etc/passwd file:

grep trusted_advisor /etc/passwd

This should display a line containing the user information.

Granting sudo Privileges

To grant a user sudo privileges, you need to add them to the sudo group. In Ubuntu, members of the sudo group are allowed to use the sudo command. Execute the following command:

sudo usermod -aG sudo trusted_advisor

This command adds (-a) the user trusted_advisor to the sudo group (-G sudo). The user will now be able to execute commands with administrative privileges.

Verifying sudo Access

To verify that the new user has sudo access, you can switch to that user account and try to list the contents of the /root directory, which is normally accessible only to the root user:

su - trusted_advisor

When prompted, enter the password you set for this user. Then execute:

sudo ls /root

You will be prompted for the password again (first-time sudo usage). After entering it, you should see the contents of the /root directory, which confirms that the user has sudo privileges.

Finally, exit the trusted_advisor user session to return to your original user:

exit

Limiting sudo Access with the sudoers File

In this step, you will learn how to restrict a user's sudo privileges to specific commands using the sudoers file. This implements the principle of least privilege, which states that users should only have the minimum privileges necessary to perform their tasks.

Understanding the sudoers File

The /etc/sudoers file controls who can use the sudo command and what commands they can run. This file should never be edited directly with a regular text editor, as syntax errors could lock you out of the system. Instead, always use the visudo command, which checks for syntax errors before saving.

Editing the sudoers File

To edit the sudoers file safely, use the visudo command:

sudo visudo

This will open the sudoers file in the default editor (usually nano or vi).

Understanding sudoers Syntax

The basic syntax for a sudo entry in the sudoers file is:

user_or_group    host=(run_as_user:run_as_group)    NOPASSWD: commands

Where:

• user_or_group: The user or group this rule applies to
• host: The hostname where this rule applies (usually ALL)
• run_as_user: The user that commands will be executed as (usually ALL, meaning root)
• run_as_group: The group that commands will be executed as (can be omitted)
• NOPASSWD: Optional tag that allows commands to be run without entering a password
• commands: The specific commands that can be executed with sudo

Adding Restricted sudo Access

Scroll to the end of the file and add the following line to grant trusted_advisor permissions to run only the cp and mv commands without password:

trusted_advisor ALL=(ALL) NOPASSWD: /bin/cp, /bin/mv

To save the file in nano, press Ctrl+O, then Enter, and to exit, press Ctrl+X.

Testing the Restricted sudo Access

Now let's test if the restricted sudo access works as expected. First, let's create a test file in the current directory:

echo "This is a test file" > important_file.txt

Now, switch to the trusted_advisor user:

su - trusted_advisor

Enter the password when prompted.

Try copying the file to the root directory, which should be allowed:

sudo cp /home/labex/project/important_file.txt /root/

This should succeed without asking for a password.

Now, try to run a command that is not in the allowed list, such as cat:

sudo cat /root/important_file.txt

You should get a permission denied error because cat is not in the allowed list of commands.

Finally, verify that the file was copied to the root directory:

sudo ls /root/

You should see important_file.txt in the output.

Exit the trusted_advisor user session:

exit

Removing the Test File

To clean up, remove the test file:

sudo rm important_file.txt

Understanding sudo Logs and Security Considerations

In this step, you will learn about sudo logging and security best practices. Monitoring sudo usage is important for security and audit purposes.

sudo Logging

When users execute commands with sudo, these actions are logged. This provides an audit trail that can be useful for security monitoring and troubleshooting.

On Ubuntu, sudo logs are typically stored in the system's authentication log at /var/log/auth.log. Let's examine recent sudo activities:

sudo grep sudo /var/log/auth.log | tail -n 10

This command displays the last 10 sudo-related log entries. The output should include timestamps, usernames, and the commands that were executed with sudo.

Security Best Practices for sudo

Here are some best practices for managing sudo privileges:

1. Principle of Least Privilege: Users should only have the minimum privileges necessary to perform their tasks.

2. Use Specific Commands: Instead of granting full sudo access, specify exactly which commands a user can run.

3. Set Password Requirements: For sensitive operations, ensure that users must enter their password when using sudo.

4. Regular Auditing: Periodically review sudo logs and the sudoers file to ensure proper configuration.

5. Remove Unnecessary Access: When users no longer need elevated privileges, promptly remove them from the sudo group.

Removing sudo Access

If a user no longer needs sudo privileges, you can remove them from the sudo group:

sudo deluser trusted_advisor sudo

Verify that the user is no longer in the sudo group:

groups trusted_advisor

The output should no longer include "sudo" in the list of groups.

Testing Revoked sudo Access

Let's verify that the user can no longer execute commands with sudo:

su - trusted_advisor

Enter the password when prompted.

Try to run a command with sudo:

sudo ls /root

You should now receive a permission denied error.

Exit the trusted_advisor user session:

exit

Adding Back sudo Access

For the purpose of this lab, let's add the user back to the sudo group:

sudo usermod -aG sudo trusted_advisor

Verify that the user is now in the sudo group again:

groups trusted_advisor

The output should now include "sudo" in the list of groups.

Summary

In this lab, you learned essential Linux user management and privilege control techniques. You gained hands-on experience with the following concepts and operations:

1. Creating Users: You learned how to create new user accounts using the adduser command.

2. Granting sudo Privileges: You discovered how to give users administrative capabilities by adding them to the sudo group.

3. Restricting sudo Access: You practiced implementing the principle of least privilege by limiting a user's sudo access to specific commands using the sudoers file.

4. sudo Logging and Monitoring: You explored how sudo activities are logged and the importance of monitoring these logs for security purposes.

5. Managing sudo Access: You learned how to add and remove sudo privileges from users as needed.

These skills are fundamental for Linux system administration and security. By properly managing user privileges, you can maintain a secure system where users have access to the resources they need without compromising system integrity or security.