Assignment: su

Please do this assignment on your local Linux system, not on the class server.

Download su_script.tar.bz2. Become the superuser, and move the file to the /usr/local/bin directory. Then untar it with tar xvjf su_script.tar.bz2. It will create a subdirectory named su_script, which will contain these scripts:

makeusers

Creates four users:

• ckent with password superman
• bwayne with password batman
• george with password washington
• abe with password lincoln

This script won’t give any output when it succeeds.

rmusers

Deletes the users created by the previous script. Run this after you finish the assignment to clean up your user list. You may get error messages about “no crontab”; don’t worry about them.

president

A script that only a president should be able to run.

hero

A script that only superheroes should be able to run.

thankyou

Another script that only superheroes should be able to run.

superuser

A script that only user ckent should be able to run.

(Of course, root can still run anything.)

Type these commands to make sure that only root or someone with sudo privileges can access the scripts:

chmod 700 /usr/local/bin/su_script/*
chown root:root /usr/local/bin/su_script/*

Run the makeusers script to create the users. Then use the visudo command to edit the /etc/sudoers file as follows:

1. Some versions of Linux have an /etc/sudoers file that includes commands that require people using sudo to have the root password. Look for these lines, and if you find them, comment them out. Without those lines, people using sudo use their own password, as advertised in the book.

   Defaults targetpw    # ask for the password of the target user i.e. root
   %users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

2. Create a user alias HERO for ckent and bwayne
3. Create a user alias PRES for george and abe
4. Create a command alias named HEROSCRIPT for the scripts /usr/local/bin/su_script/hero and /usr/local/bin/su_script/thankyou
5. In the section for # User privilege specification, after the line reading root  ALL=(ALL) ALL, add specifications that will do the following:
   • Allow anyone in the HERO user alias group to run any script in the HEROSCRIPT command alias group on all servers.
   • Allow anyone in the PRES user alias group to run the script /usr/local/bin/su_script/president on all servers.
   • Allow only ckent to run /usr/local/bin/su_script/superuser on all servers.

Wnen you finish, stop being the superuser and return to your normal self.

Testing Your Work

Sign on as yourself, and then become user george by typing

Then try these commands:

sudo /usr/local/bin/su_script/president  # should succeed
sudo /usr/local/bin/su_script/hero       # should fail
sudo /usr/local/bin/su_script/superuser  # should fail

Now type exit to become yourself, then use su to become user abe; you should get the same results for the same three commands.

Type exit to become yourself, then use su to become user bwayne and try these commands:

sudo /usr/local/bin/su_script/president # should fail
sudo /usr/local/bin/su_script/hero      # should succeed
sudo /usr/local/bin/su_script/thankyou  # should succeed
sudo /usr/local/bin/su_script/superuser # should fail

Type exit to become yourself, then use su to become user ckent and try the four preceding commands. The last command should succeed.

Finishing the Assignment

Email your /etc/sudoers file to the instructor.

Quick Guide to sudoers

The idea behind sudoers is to give lists of users, which hosts they can have superuser powers on, and what commands they can run on those hosts. Consider these lines from the sudoers file; the line numbers are for reference only:

1 fred         ALL = ALL
2 martha, vinh webserver = ALL
3 hector       ALL = /usr/bin/passwd, /usr/bin/lprm
4 joe, fred    webserver, mailserver = /sbin/dump, /sbin/restore

1. User fred, on ALL servers, may run ALL programs as the superuser.
2. Users martha and vinh may, on the server named webserver, run ALL programs as the superuser .
3. User hector may, on ALL servers, run only programs /usr/bin/passwd and /usr/bin/lprm as the superuser.
4. Users joe and fred may, on servers named webserver and mailserver, run the programs /sbin/dump and /sbin/restore as the superuser.

This all works great, but sometimes you will have a group of users that all should have the same privileges, or a number of servers that should all be equally accessible via sudo, or a set of commands that are related (like /sbin/dump and /sbin/restore). To save a lot of typing, you can set up aliases for a set of users, a set of servers, and a set of commands.

The book shows how to set up a command alias (page 44), but does not discuss how to set up user aliases. The idea is the same, however. A command alias lets me name a collection of commands. Let’s say that the three miscellaneous programs /usr/bin/blah, /usr/bin/tylk, and /usr/bin/zorko are related to each other; if you need to be able to use one, you need to be able to use any of them. Thus, I can set up a command alias:

Cmnd_Alias MISC = /usr/bin/blah, /usr/bin/tylk, /usr/bin/zorko

That lets me just write MISC anywhere that I would ordinarily put a list of command names; it saves typing. Thus, if I want user joe to be able to run those commands on all servers, I can enter this:

joe ALL = MISC

Similarly, if I have a set of students named fred, martha, vinh, and hector, all of who need to have the same sudo powers, I can make an alias for their names by typing:

User_Alias STUDENTS = fred, martha, vinh, hector

So, when I want to give the four students access to those three commands on all servers, I can just type:

STUDENTS    ALL = MISC

which is the same as saying

fred, martha, vinh, hector   ALL = /usr/bin/blah, /usr/bin/tylk, /usr/bin/zorko

(There’s a similar way to set up aliases for a group of servers, but we aren’t using that in this assignment.)