Fixed the 'sudo' topic.
This commit is contained in:
Robert Krátký
parent
d24c67ff75
commit
f197483475
13 changed files with 99 additions and 83 deletions
|
|
@ -1,29 +0,0 @@
|
|||
= Configuring sudo
|
||||
|
||||
include::{md}/concept-what-is-sudo.adoc[leveloffset=+1]
|
||||
|
||||
= How to use sudo
|
||||
|
||||
include::{md}/concept-using-sudo-assign-admin-privileges.adoc[leveloffset=+1]
|
||||
|
||||
include::{md}/procedure-using-same-password-for-root-as-user.adoc[leveloffset=+1]
|
||||
|
||||
include::{md}/concept-logging-sudo-commands.adoc[leveloffset=+1]
|
||||
|
||||
[[concept-warning-and-caveats]]
|
||||
= Warnings and caveats
|
||||
You must use the `user` account you created following the installation process, at first boot, for daily use and the `root` account only for system administration. Avoid using `root` for any non-administration usage, since the account makes it easy to create security or data risks.
|
||||
|
||||
There are several potential risks to keep in mind when using the [command]`sudo` command. You can avoid them by editing the [filename]`/etc/sudoers` configuration file using [command]`visudo` command.
|
||||
|
||||
include::{md}/concept-sudo-timeout.adoc[leveloffset=+1]
|
||||
|
||||
include::{md}/concept-using-sudo-access-docker.adoc[leveloffset=+1]
|
||||
|
||||
include::{md}/procedure-run-docker-using-sudo.adoc[leveloffset=+1]
|
||||
|
||||
include::{md}/concept-using-sudo-without-password.adoc[leveloffset=+1]
|
||||
|
||||
|
||||
See a typo, something missing or out of date, or anything else which can be
|
||||
improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.
|
||||
|
|
@ -1,15 +1,16 @@
|
|||
[id="concept-logging-sudo-commands"]
|
||||
= Logging sudo commands
|
||||
|
||||
Each successful authentication using the [command]`sudo` command is logged to the [filename]`/var/log/messages` file. For each authentication, the [filename]`/var/log/secure` file lists the user name and command run.
|
||||
Each successful authentication using the [command]`sudo` command is logged to the [filename]`/var/log/messages` file. For each authentication, the [filename]`/var/log/secure` file lists the user name and the command that was executed.
|
||||
|
||||
For additional logging, use the `pam_tty_audit` module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your [filename]`/etc/pam.d/system-auth` file:
|
||||
|
||||
[subs=quotes]
|
||||
----
|
||||
session required pam_tty_audit.so disable=pattern enable=PATTERN
|
||||
session required pam_tty_audit.so disable=pattern enable=_PATTERN_
|
||||
----
|
||||
|
||||
Replace _PATTERN_ with a comma-separated list of users (and globs, if needed).
|
||||
Replace `_PATTERN_` with a comma-separated list of users (and globs, if needed).
|
||||
|
||||
For example, the following command enables TTY auditing for the root user and disables it for all other users:
|
||||
|
||||
|
|
@ -1,12 +1,14 @@
|
|||
[[concept-sudo-timeout]]
|
||||
= sudo timeout
|
||||
|
||||
By default, [command]`sudo` stores the password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt you for a password. This could be exploited by an attacker if you leave your workstation unattended and unlocked while still being logged in. You can change this behavior by adding the following line to the `/etc/sudoers` configuration file:
|
||||
By default, [command]`sudo` stores the password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt you for a password. This could be exploited by an attacker if you leave your workstation unattended and unlocked while still being logged in. You can change this behavior by adding the following line to the `/etc/sudoers` configuration file:
|
||||
|
||||
[subs=quotes]
|
||||
------------
|
||||
Defaults timestamp_timeout=VALUE
|
||||
Defaults timestamp_timeout=_VALUE_
|
||||
------------
|
||||
Here, _VALUE_ is the desired timeout length in minutes. Setting the value to 0 causes [command]`sudo` to require a password every time.
|
||||
|
||||
Here, `_VALUE_` is the desired timeout length in minutes. Setting the value to 0 causes [command]`sudo` to require a password every time.
|
||||
|
||||
If an account is compromised, an attacker can use [command]`sudo` to open a new shell with administrative privileges.
|
||||
|
||||
|
|
@ -1,24 +1,26 @@
|
|||
[id="concept-using-sudo-assign-admin-privileges"]
|
||||
[id="con_using-sudo-assign-admin-privileges"]
|
||||
= Using sudo to assign administrator privileges
|
||||
|
||||
Add users to the [directory]`/etc/sudoers` configuration file to allow them to use the [command]`sudo` command. For these users, the [command]`sudo` command is run in the user’s shell instead of in a root shell. As a result, the root shell can be disabled for increased security.
|
||||
|
||||
The administrator can also allow different users access to specific commands using the sudo configuration. Administrators must use the [command]`visudo` command to edit the [directory]`/etc/sudoers` configuration file.
|
||||
|
||||
To assign full administrative privileges to a user, type [command]`visudo` and add the following line to the user privilege section after replacing _USERNAME_ with the target user name:
|
||||
To assign full administrative privileges to a user, type [command]`visudo` and add the following line to the user privilege section after replacing `_USERNAME_` with the target user name:
|
||||
|
||||
[subs=quotes]
|
||||
----
|
||||
USERNAME ALL=(ALL) ALL
|
||||
_USERNAME_ ALL=(ALL) ALL
|
||||
----
|
||||
|
||||
This line allows the specified user to use [command]`sudo` from any host and execute any command.
|
||||
|
||||
To allow a user access to specific commands, use the following example after replacing USERS with a target system group:
|
||||
To allow a user access to specific commands, use the following example after replacing `_USERS_` with a target system group:
|
||||
|
||||
[subs=quotes]
|
||||
----
|
||||
%USERS localhost=/usr/sbin/shutdown -h now
|
||||
_%USERS_ localhost=/usr/sbin/shutdown -h now
|
||||
----
|
||||
|
||||
This command allows all members of the _USERS_ system group to issue the [command]`/sbin/shutdown -h` as long as the command is issued from the console.
|
||||
This command allows all members of the `_USERS_` system group to issue the [command]`/sbin/shutdown -h` as long as the command is issued from the console.
|
||||
|
||||
The man page for [command]`sudoers` has a detailed listing of options for this file.
|
||||
|
|
@ -3,10 +3,11 @@
|
|||
|
||||
You can enable `root` access without a password specified, allowing any process on your system to become `root`. Add the following line to your `/etc/sudoers` file:
|
||||
|
||||
[subs=quotes]
|
||||
------------
|
||||
_user_ ALL=(ALL) NOPASSWD: /usr/bin/docker
|
||||
------------
|
||||
|
||||
This will allow _user_ to access docker without a password.
|
||||
This will allow `_user_` to access docker without a password.
|
||||
|
||||
IMPORTANT: For security reasons, it is recommended that you always use *sudo* with a password.
|
||||
IMPORTANT: For security reasons, it is recommended that you always use [command]`sudo` with a password.
|
||||
|
|
@ -1,11 +1,15 @@
|
|||
[id=”concept-what-is-sudo”]
|
||||
= What is `sudo`
|
||||
[id='con_what-is-sudo']
|
||||
= What is sudo
|
||||
|
||||
The [command]`sudo` command allows users to gain administrative or root access. When trusted users precede an administrative command with [command]`sudo`, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
|
||||
|
||||
The [command]`sudo` command allows users to gain administrative or root access. When trusted users precede an administrative command with [command]`sudo`, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
|
||||
Only users listed in the [filename]`/etc/sudoers` configuration file are allowed to use the [command]`sudo` command. The command is executed in the user's shell, not a root shell.
|
||||
|
||||
The syntax for the sudo command is as follows:
|
||||
|
||||
[subs=quotes]
|
||||
----
|
||||
sudo COMMAND
|
||||
sudo _COMMAND_
|
||||
----
|
||||
Replace _COMMAND_ with the command to run as the root user.
|
||||
|
||||
Replace `_COMMAND_` with the command to run as the root user.
|
||||
11
en-US/modules/proc_run-docker-using-sudo.adoc
Normal file
11
en-US/modules/proc_run-docker-using-sudo.adoc
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
[[procedure-run-docker-using-sudo]]
|
||||
= Run Docker using sudo
|
||||
|
||||
. Set up [command]`sudo` as shown in link:con_using-sudo-assign-admin-privileges.html[Using sudo to assign administrator privileges].
|
||||
. Create an alias for running the docker command by adding the following line to your `~/.bashrc` file:
|
||||
+
|
||||
----
|
||||
alias docker="sudo /usr/bin/docker"
|
||||
----
|
||||
+
|
||||
When the user executes the docker command as non-root, sudo will be used to manage access and provide logging.
|
||||
25
en-US/modules/proc_using-same-password-for-root-as-user.adoc
Normal file
25
en-US/modules/proc_using-same-password-for-root-as-user.adoc
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
[id='proc_using-same-password-for-root-as-user']
|
||||
= Using the same password for root as the user account
|
||||
|
||||
If you use a single user desktop, you might find it convenient to configure [command]`sudo`, so you can use the same password to access *root* as you use for your regular account. To do this, select to be added to the Administration group during installation. To do it at later stage, or to add a different user, use the following procedure:
|
||||
|
||||
. Become the *root* user:
|
||||
+
|
||||
----
|
||||
$ su -
|
||||
----
|
||||
+
|
||||
. Enter the password for the root account when prompted.
|
||||
|
||||
. To use your regular password for the root access, run:
|
||||
+
|
||||
[subs=quotes]
|
||||
----
|
||||
# usermod _USERNAME_ -a -G groupname
|
||||
----
|
||||
+
|
||||
Replace `_USERNAME_` with your account name
|
||||
|
||||
. Log off and back on in order to have access to the group.
|
||||
|
||||
NOTE: When [command]`sudo` prompts you for a password, it expects your user password, not the `root` password.
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
[[procedure-run-docker-using-sudo]]
|
||||
= Run Docker using [command]`sudo`
|
||||
|
||||
. Set up [command]`sudo` as shown in *Using sudo to give/limit admin privileges*
|
||||
. Create an alias for running the docker command:
|
||||
----
|
||||
alias docker="sudo /usr/bin/docker"
|
||||
----
|
||||
When the user executes the docker command as non-root, sudo will be used to manage access and provide logging.
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
[id=”procedure-using-same-password-for-root-as-user”]
|
||||
= Using the same password for root as the user account
|
||||
|
||||
If you use a single user desktop, you might find it convenient to configure [command]`sudo` so you can use the same password to access `root` as you use for your regular account. To do this, select to be added to the Administration group during installation. To do it at later stage, or to add a different user, use the following procedure:
|
||||
|
||||
. Become the `root` user:
|
||||
+
|
||||
----
|
||||
$ su -
|
||||
----
|
||||
+
|
||||
. Enter the password for the root account when prompted.
|
||||
|
||||
. To use your regular password for the root access, run:
|
||||
+
|
||||
----
|
||||
# usermod USERNAME -a -G groupname
|
||||
----
|
||||
+
|
||||
Replace _USERNAME_ with your account name
|
||||
|
||||
. Log off and back on in order to have access to the group.
|
||||
|
||||
NOTE: When [command]`sudo` prompts you for a password, it expects your user password, not the `root` password.
|
||||
32
en-US/performing-administration-tasks-using-sudo.adoc
Normal file
32
en-US/performing-administration-tasks-using-sudo.adoc
Normal file
|
|
@ -0,0 +1,32 @@
|
|||
[id='performing-administration-tasks-using-sudo']
|
||||
= Performing administration tasks using sudo
|
||||
|
||||
How to perform tasks requiring *root* privileges without logging in as *root*.
|
||||
|
||||
include::modules/con_what-is-sudo.adoc[leveloffset=+1]
|
||||
|
||||
|
||||
[id='how-to-use-sudo']
|
||||
== How to use sudo
|
||||
|
||||
include::modules/con_using-sudo-assign-admin-privileges.adoc[leveloffset=+2]
|
||||
|
||||
include::modules/proc_using-same-password-for-root-as-user.adoc[leveloffset=+2]
|
||||
|
||||
include::modules/con_logging-sudo-commands.adoc[leveloffset=+2]
|
||||
|
||||
|
||||
[[warning-and-caveats]]
|
||||
== Warnings and caveats
|
||||
|
||||
You must use the user account you created following the installation process, at first boot, for daily use and the *root* account only for system administration. Avoid using *root* for any non-administration usage, since the account makes it easy to create security or data risks.
|
||||
|
||||
There are several potential risks to keep in mind when using the [command]`sudo` command. You can avoid them by editing the [filename]`/etc/sudoers` configuration file using [command]`visudo` command.
|
||||
|
||||
include::modules/con_sudo-timeout.adoc[leveloffset=+2]
|
||||
|
||||
include::modules/con_using-sudo-access-docker.adoc[leveloffset=+2]
|
||||
|
||||
include::modules/proc_run-docker-using-sudo.adoc[leveloffset=+2]
|
||||
|
||||
include::modules/con_using-sudo-without-password.adoc[leveloffset=+2]
|
||||
Loading…
Add table
Add a link
Reference in a new issue