Documentation for a newer release is available. View Latest

권한 얻기

System administrators, and in some cases users, need to perform certain tasks with administrative access. Accessing the system as the root user is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as su and sudo. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security.

관리 제어, 잠재적인 위험, 그리고 권한있는 접근의 부적절한 사용에서 나타는 자료 손실을 예방하는 방식에 대한 더 많은 정보를 위해 Red Hat Enterprise Linux 7 보안 안내를 참고하세요.

su 명령

사용자가 su 명령을 실행 할 때에, root 비밀번호를 위해 입력창에 표시되고, 인증 후에는 `root`으로 쉘 입력기가 제공됩니다.

Once logged in using the su command, the user is the root user and has absolute administrative access to the system. Note that this access is still subject to the restrictions imposed by SELinux, if it is enabled. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.

이와 같은 프로그램은 매우 강력하기 때문에, 조직내에 있는 관리자는 명령으로 접근하고자 하는 자를 제한하고자 합니다.

One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:

~]# usermod -a -G wheel 사용자이름

이전 명령에서, _username_을 wheel 그룹에 추가하고자 하는 사용자 이름으로 교체합니다.

You can also use the Users settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.

  1. Press the Super key to enter the Activities Overview, type Users and then press Enter. The Users settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.

  2. 변경하기를 활성화 하려면, Unlock 누름단추를 누르고, 유효한 관리자 비밀번호를 입력하세요.

  3. Click a user icon in the left column to display the user’s properties in the right-hand pane.

  4. Change the Account Type from Standard to Administrator. This will add the user to the wheel group.

사용자 도구에 대한 더 많은 정보를 위해 그래픽 환경에서 사용자 관리하기를 참고하세요.

After you add the desired users to the wheel group, it is advisable to only allow these specific users to use the su command. To do this, edit the PAM configuration file for su, /etc/pam.d/su. Open this file in a text editor and uncomment the following line by removing the # character:

#auth           required        pam_wheel.so use_uid

This change means that only members of the administrative group wheel can switch to another user using the su command.

기록

root 사용자는 기본값으로 wheel 그룹의 일부입니다.

sudo 명령

The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.

The basic format of the sudo command is as follows:

sudo command

In the above example, command would be replaced by a command normally reserved for the root user, such as mount.

The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user’s shell, not a root shell. This means the root shell can be completely disabled as shown in the Red Hat Enterprise Linux 7 Security Guide.

Each successful authentication using the sudo command is logged to the file /var/log/messages and the command issued along with the issuer’s user name is logged to the file /var/log/secure. If additional logging is required, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file:

session required pam_tty_audit.so disable=pattern enable=pattern

where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the root user and disable it for all other users:

session required pam_tty_audit.so disable=* enable=root

Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.

Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command.

To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:

juan ALL=(ALL) ALL

This example states that the user, juan, can use sudo from any host and execute any command.

The example below illustrates the granularity possible when configuring sudo:

%users localhost=/sbin/shutdown -h now

This example states that any member of the users system group can issue the command /sbin/shutdown -h now as long as it is issued from the console.

The man page for sudoers has a detailed listing of options for this file.

Important

There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo as described above. Leaving the /etc/sudoers file in its default state gives every user in the wheel group unlimited root access.

  • By default, sudo stores the sudoer’s password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves their workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:

    Defaults    timestamp_timeout=value

    where value is the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time.

  • If a sudoer’s account is compromised, an attacker can use sudo to open a new shell with administrative privileges:

    sudo /bin/bash

    Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed.

추가 자원

While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore refer to the resources listed below for more information regarding security and privileged access.

설치된 문서
  • su(1) — The manual page for su provides information regarding the options available with this command.

  • sudo(8) — The manual page for sudo includes a detailed description of this command and lists options available for customizing its behavior.

  • pam(8) — The manual page describing the use of Pluggable Authentication Modules (PAM) for Linux.

온라인 문서
See Also
  • Managing Users and Groups documents how to manage system users and groups in the graphical user interface and on the command line.