Gaining Privileges
System administrators, and in some cases users, need to perform certain tasks with administrative access. Accessing the system as the root user is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as su and sudo. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security.
See the Red Hat Enterprise Linux 7 Security Guide for more information on administrative controls, potential dangers, and ways to prevent data loss resulting from improper use of privileged access.
The su Command
When a user executes the su command, they are prompted for the root password and, after authentication, are given a root shell prompt.
Once logged in using the su command, the user is the root user and has absolute administrative access to the system. Note that this access is still subject to the restrictions imposed by SELinux, if it is enabled. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:
~]# usermod -a -G wheel username
In the previous command, replace username with the user name you want to add to the wheel group.
You can also use the Users settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.
- Press the Super key to enter the Activities Overview, type Users and then press Enter. The Users settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.
- To enable making changes, click the Unlock button, and enter a valid administrator password.
- Click a user icon in the left column to display the user’s properties in the right-hand pane.
- Change the Account Type from Standard to Administrator. This will add the user to the wheel group.
See Managing Users in a Graphical Environment for more information about the Users tool.
After you add the desired users to the wheel group, it is advisable to only allow these specific users to use the su command. To do this, edit the PAM configuration file for su, /etc/pam.d/su. Open this file in a text editor and uncomment the following line by removing the # character:
#auth required pam_wheel.so use_uid
This change means that only members of the administrative group wheel can switch to another user using the su command.
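The two checks an administrator would want after making the change above, whether a given account is actually in wheel and whether the pam_wheel line in /etc/pam.d/su is really uncommented, as a small added audit script. This is example code written for this page, not part of the Red Hat documentation; it reads the files it is given rather than the live system files, and the group file and PAM file it works on are constructed samples (the pam_rootok.so and system-auth lines mirror the layout of the shipped /etc/pam.d/su but are assumed here).

```shell
#!/bin/sh
# Added example (not part of the RHEL documentation): two audit helpers for the
# su/wheel hardening described above. Both read the file they are given instead
# of the live /etc/group or /etc/pam.d/su, so they can be run offline against
# copies or, as here, against constructed samples.

# user_in_wheel USER GROUPFILE
# Succeeds when USER is listed in the member field of the "wheel" line.
user_in_wheel() {
    user=$1
    groupfile=$2
    # /etc/group line format: name:password:gid:member1,member2,...
    members=$(awk -F: '$1 == "wheel" { print $4 }' "$groupfile")
    case ",$members," in
        *",$user,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# pam_wheel_enforced PAMFILE
# Succeeds only when an uncommented "auth required pam_wheel.so" line is
# present; the line shipped commented out with a leading # does not count.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# su_policy_report GROUPFILE PAMFILE
# Prints one line summarising who may use su under the given configuration.
su_policy_report() {
    members=$(awk -F: '$1 == "wheel" { print $4 }' "$1")
    if pam_wheel_enforced "$2"; then
        echo "su restricted to wheel members: ${members:-<none>}"
    else
        echo "pam_wheel not enforced: any user may attempt su"
    fi
}

# --- constructed sample files (not copied from a real system) ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/group" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
users:x:100:
EOF

# /etc/pam.d/su as shipped: the pam_wheel line is still commented out
cat > "$tmpdir/su.default" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
#auth       required    pam_wheel.so use_uid
auth        substack    system-auth
EOF

# the same file after the edit the text describes (leading # removed)
sed 's/^#\(auth.*pam_wheel\.so\)/\1/' "$tmpdir/su.default" > "$tmpdir/su.hardened"

su_policy_report "$tmpdir/group" "$tmpdir/su.default"
su_policy_report "$tmpdir/group" "$tmpdir/su.hardened"
```

Point the two functions at the real /etc/group and /etc/pam.d/su to audit a live host; the important detail is that pam_wheel_enforced rejects the still-commented line, which is the state the file ships in.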
Note
The
The sudo Command
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
The basic format of the sudo command is as follows:
sudo command
In the above example, command would be replaced by a command normally reserved for the root user, such as mount.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command, and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled as shown in the Red Hat Enterprise Linux 7 Security Guide.
Each successful authentication using the sudo command is logged to the file /var/log/messages and the command issued along with the issuer’s user name is logged to the file /var/log/secure. If additional logging is required, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file:
session required pam_tty_audit.so disable=pattern enable=pattern
where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the root user and disable it for all other users:
session required pam_tty_audit.so disable=* enable=root
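Since /var/log/secure records the invoking user, the target user and the command for every sudo call, it is the place to look for both who used privileged access and who tried and was refused. The script below is an added example written for this page, not Red Hat's code: it pulls those fields out of /var/log/secure-style lines with awk and counts the refused attempts. The log lines it runs on are constructed samples laid out the way sudo logs through syslog ("user : [failure reason] ; TTY= ; PWD= ; USER= ; COMMAND="); the hostnames, users and commands in them are invented.

```shell
#!/bin/sh
# Added example (not part of the RHEL documentation): summarise sudo activity
# from /var/log/secure-style lines. The log lines below are constructed samples
# in the layout sudo uses when it logs through syslog
# ("<user> : <optional failure reason> ; TTY=... ; PWD=... ; USER=... ; COMMAND=...").

# sudo_events LOGFILE
# Prints one tab-separated "user<TAB>status<TAB>target<TAB>command" line per sudo
# entry. status is "ok" for an authenticated, permitted command; otherwise it
# is the reason sudo logged (e.g. "user NOT in sudoers").
sudo_events() {
    awk -F' ; ' '
        $0 ~ / sudo: / && $NF ~ /^COMMAND=/ {
            # $1 is "<date> <host> sudo:    <user> : TTY=pts/0"
            # or    "<date> <host> sudo:    <user> : <failure reason>"
            split($1, head, " sudo: +")
            split(head[2], who, " : ")
            user = who[1]
            status = (who[2] ~ /^TTY=/) ? "ok" : who[2]
            target = ""; cmd = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^USER=/)    target = substr($i, 6)
                if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            }
            printf "%s\t%s\t%s\t%s\n", user, status, target, cmd
        }' "$1"
}

# sudo_denied_count LOGFILE
# Number of sudo entries that did not result in a permitted command.
sudo_denied_count() {
    sudo_events "$1" | awk -F'\t' '$2 != "ok" { n++ } END { print n + 0 }'
}

# --- constructed sample log (not captured from a real system) ---
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Jan 10 12:00:01 host1 sudo:    budi : TTY=pts/0 ; PWD=/home/budi ; USER=root ; COMMAND=/bin/mount /dev/sdb1 /mnt
Jan 10 12:00:05 host1 sshd[1234]: Accepted publickey for budi from 192.0.2.10 port 50022 ssh2
Jan 10 12:01:00 host1 sudo:    carol : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Jan 10 12:02:30 host1 sudo:    budi : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/budi ; USER=root ; COMMAND=/sbin/shutdown -h now
Jan 10 12:03:00 host1 sudo:    dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/sbin/shutdown -h now
EOF

sudo_events "$log"
echo "denied or failed: $(sudo_denied_count "$log")"
```

Run sudo_events against the real /var/log/secure (it is readable only by root) to get a per-command audit trail; the non-"ok" rows are the ones worth alerting on, because they show accounts that are not in sudoers or could not authenticate but still asked for a privileged command.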
Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command.
To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:
budi ALL=(ALL) ALL
This example states that the user budi can use sudo from any host and execute any command.
The example below illustrates the possible granularity when configuring sudo:
%users localhost=/sbin/shutdown -h now
This example states that any member of the users system group can issue the command /sbin/shutdown -h now as long as it is issued from the console.
The man page for sudoers has a detailed listing of options for this file.
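The two specifications above differ in every field: who may run sudo (a user versus a %group), from which host, as which target user, and which command. The script below is an added example written for this page, not Red Hat's or the sudo project's code. It splits a specification line into those four fields, applying the sudoers rule that an omitted "(runas)" part means root, and flags entries whose command field is ALL. It covers only the simple "who host=(runas) command" form shown in this section (no aliases, tags or Runas groups); visudo remains the authority on whether a file is valid, and the fragment it reads is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the RHEL documentation): a small reader for sudoers
# user specifications of the form "who host=(runas) command", used to report
# which entries grant unrestricted access. It handles only the subset of
# sudoers(5) syntax used in this section (no aliases, tags or Defaults parsing);
# the real parser is visudo, which should still be used to validate the file.

# sudoers_fields "SPEC"
# Prints who|host|runas|command for one user-specification line.
# The "(runas)" part is optional in sudoers; when absent it defaults to root.
sudoers_fields() {
    # collapse runs of blanks so the fields can be split on single spaces
    spec=$(printf '%s\n' "$1" | sed 's/[[:blank:]]\{1,\}/ /g; s/^ //; s/ $//')
    who=${spec%% *}        # user, %group, or an alias
    rest=${spec#* }        # "host=(runas) cmd" or "host=cmd"
    host=${rest%%=*}
    cmdpart=${rest#*=}
    case $cmdpart in
        "("*")"*)
            runas=${cmdpart#"("}; runas=${runas%%")"*}
            cmd=${cmdpart#*")"};  cmd=${cmd#" "}
            ;;
        *)
            runas=root; cmd=$cmdpart
            ;;
    esac
    printf '%s|%s|%s|%s\n' "$who" "$host" "$runas" "$cmd"
}

# spec_is_unrestricted "SPEC"
# Succeeds when the entry allows every command (command field is ALL).
spec_is_unrestricted() {
    f=$(sudoers_fields "$1")
    [ "${f##*|}" = ALL ]
}

# audit_sudoers FILE
# Reports every user specification in FILE, skipping comments, blank lines and
# Defaults lines, and flags entries that grant all commands.
audit_sudoers() {
    grep -Ev '^[[:space:]]*(#|Defaults|$)' "$1" | while IFS= read -r line; do
        if spec_is_unrestricted "$line"; then
            echo "UNRESTRICTED: $(sudoers_fields "$line")"
        else
            echo "scoped:       $(sudoers_fields "$line")"
        fi
    done
}

# --- constructed sudoers fragment (not a real /etc/sudoers) ---
frag=$(mktemp)
trap 'rm -f "$frag"' EXIT
cat > "$frag" <<'EOF'
## constructed drop-in, the kind of file visudo -f /etc/sudoers.d/NAME would edit
Defaults    requiretty
budi        ALL=(ALL)       ALL
%users      localhost=/sbin/shutdown -h now
EOF

audit_sudoers "$frag"
```

On a real host, run audit_sudoers over /etc/sudoers and each file in /etc/sudoers.d (both readable only by root) to list which entries are equivalent to a root shell; keep using visudo, or visudo -c for a check-only pass, for the actual edits, because it locks the file and rejects syntax errors before they can lock every administrator out of sudo.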
Important
There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the configuration file
Additional Resources
While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this book. You should refer to the resources listed below for more information regarding security and privileged access.
- su(1) — The manual page for su provides information regarding the options available with this command.
- sudo(8) — The manual page for sudo includes a detailed description of this command and lists options available for customizing its behavior.
- pam(8) — The manual page describing the use of Pluggable Authentication Modules (PAM) for Linux.
- The Red Hat Enterprise Linux 7 Security Guide provides a more in-depth look at potential security issues pertaining to setuid programs as well as techniques used to alleviate these risks.
- Managing Users and Groups documents how to manage system users and groups in the graphical user interface and on the command line.