LPI Linux Certification in a Nutshell (65 page)

Read LPI Linux Certification in a Nutshell Online

Authors: Adam Haeder; Stephen Addison Schneiter; Bruno Gomes Pessanha; James Stanger

Tags: #Reference:Computers

BOOK: LPI Linux Certification in a Nutshell
4.38Mb size Format: txt, pdf, ePub
Name

sudo

Syntax
sudo
[OPTION]... [-a auth_type] [-c class] [-p prompt] [-u username]
Description

sudo
(
s
ubstitute
u
ser
do
) allows a permitted user to execute a
command as the superuser or another user, as specified in the
/etc/sudoers
file.

Frequently used options
-b

Run the given command in the background.

-u
USERNAME

Attempt to run the command as user
USERNAME
instead of root.

The
sudo
command lives somewhere between
SUID and
su
.
sudo
is used
when you want to give certain users (or groups of users) access to
run certain commands with elevated privileges (usually as
root
).
Sudo
is extremely
useful for a number of reasons:

  • You don’t have to hand out the root password to people
    just so they can run a few
    commands
    .

  • It logs every command (completed and attempted).

  • In the
    /etc/sudoers
    file, you can limit its use by user account, by group, by
    machine, or by pathname.

  • The design of
    /etc/sudoers
    is such that you can
    replicate it across multiple systems without modification of the
    file.

The
/etc/sudoers
configuration file is a standard text file (like most other Linux
configuration files), but the syntax for the rules that define the
behavior of
sudo
is formatted in Extended
Backus-Naur Form (EBNF), which is a way to describe the grammar of a
language. This is relatively unique to the Linux configuration file
world, so your
/etc/sudoers
file will look quite a bit different than other configuration files
you are used to. Because of the security implications of
sudo
, and the somewhat challenging format of
the file itself, it is recommended that the command
visudo
be used to edit
/etc/sudoers
instead of editing the file
directly.
visudo
will not only make a backup
copy of the
/etc/sudoers
file
for editing (replacing the previous version of
/etc/sudoers
when the backup
copy is saved), but it also does syntax checking of the format of
the file, warning you if the syntax is incorrect. If you prefer an
editor other than
vi
, just make sure your
$EDITOR
environment variable contains the path
to your preferred editor, and
visudo
will
invoke that editor instead of
vi
.

On the Exam

The configuration options available in
/etc/sudoers
can be very complicated.
You will not be required to answer questions about every possible
option on the LPI exams. You should know what
sudo
is for and some example command-line
usage, and have a general idea of what the
/etc/sudoers
file should look
like.

Example 1

A simple
/etc/sudoers
file:

# Format is:
# user MACHINE=COMMANDS
#
# The COMMANDS section may have other options added to it.
#
Defaults requiretty,passwd_timeout=10
# Allows members of the users group to mount and unmount the cdrom as root
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
# Allow the user adam to run the dumpe2fs command on any locally attached
# disk using scsi emulation (/dev/sd*) on the computer 'fileserv',
# don't prompt for a password
adam fileserv=NOPASSWD: /sbin/dumpe2fs /dev/sd*

The
NOPASSWD
option will allow the user
adam
to run the
dumpe2fs
command without being prompted for a password. Normally,
sudo
will prompt a user for his password (not
the root password! If the user knew the root password, he wouldn’t
need
sudo
, would he?). Once the user’s password
is given correctly,
sudo
will cache the
password and not ask again for a default of five minutes
(configurable in the
/etc/sudoers
file). Setting the
NOPASSWD
option allows the
sudo
command to be called from
cron
and other noninteractive, scripted
situations.

The detailed logging that
sudo
offers by
default is another reason why it is so popular. It is a common
scenario to have multiple people acting as system administrators in
a corporate environment. If all of these people log in as
root
to perform maintenance, there is no way to
tell exactly which user was logged in as
root
and ran what command at a certain time.
sudo
handles this for you. It is good practice to use
sudo
to run superuser commands when you are in
a shared administrator environment.

Example 2

A sample log line from
sudo
:

Dec 4 15:07:20 fileserv sudo: adam : TTY=pts/0 ; PWD=/sbin ; USER=root ; \
COMMAND=/sbin/dumpe2fs /dev/sda3

By default,
sudo
uses the
syslog
service to log all events. Depending
upon your
syslog
configuration, these events
will probably be logged to either
/var/log/messages
or
/var/log/secure
.

sudo
will also log instances when a user
attempts to run a command and is denied, shown next.

Example 3

Sudo denying access to user
joe
, who
tried to run
sudo /bin/ls /tmp
:

Dec 4 15:27:29 fileserv sudo: joe : user NOT in sudoers ; TTY=pts/0 ; \
PWD=/home/joe ; USER=root ; COMMAND=/bin/ls /tmp

Other important things to remember about
sudo
:

  • Be sure you are giving the exact path to applications in
    the
    /etc/sudoers
    file. The
    visudo
    command will give you an error if
    you try to use relative path names.

  • Be aware of commands that spawn subshells! This is the
    same issue that was discussed earlier with regards to SUID
    programs and subshells. A subshell (or child process) will
    always inherit the security context of the parent process. So if
    you have a line in
    /etc/sudoers
    that looks like
    this:

    adam  ALL=NOPASSWD: /bin/vi

    then the user “adam” will be able to run
    /bin/vi
    as root. By typing
    !bash
    in a
    vi
    session,
    adam will have an interactive shell as root. If you are in a
    situation where you need to let non-root users edit protected
    files, use the command
    sudoedit
    (an alias
    to “
    sudo –e
    ”). This tells
    sudo
    that a file needs to be edited. The
    sudo
    command will make a temporary copy of
    the file and open an editor in the security context of the user
    (not root). Once the temporary file is saved,
    sudo
    will copy the temporarily file over
    the original file. This bypasses the root subshell
    dilemma.

  • The file
    /etc/sudoers
    can be a little daunting at first, but remember it was designed
    to allow you to have one copy of
    /etc/sudoers
    work across multiple
    servers. If this is not your situation, you can follow the
    simple examples above to create and maintain an
    /etc/sudoers
    file that is a little
    easier to read.

Name

usermod

Syntax
chage
[OPTIONS] [USERNAME]
Description

usermod
is used to maintain the
settings for accounts in
/etc/passwd
and
/etc/group
(and, by extension,
/etc/shadow
and
/etc/gshadow
).

Frequently used options
-c
COMMENT

Set or change the value of the Comment field (field
5).

-d
HOMEDIRECTORY

Set or change the value of the user’s home directory
(field 6).

-g
GROUPID

Set the primary GID (group ID) of the user.

-G
comma-delimited
GROUPID(S)

Set the supplementary group ID(s) for a user.

-l
USERNAME

Change the username to
USERNAME
.

-s
SHELL

Change the user’s shell to
SHELL
.

Name

chage

Syntax
chage
[OPTIONS] [USERNAME]
Description

chage
(change aging) is used to
maintain the password aging limits on a user account.

Frequently used options
-d
LASTDAY

Set the number of days (since January 1, 1970) when the
password was last changed.

-E
EXPIREDATE

Set a user account to expire on a certain date.

-I
INACTIVEDAYS

How many days of inactivity after a password has expired
must pass before the account is locked.

-l

Show password aging information for an account. A
nonprivileged user can run this to view his password aging
status.

-m
MINDAYS

Set the minimum number of days between password
changes.

-M
MAXDAYS

Set the maximum number of days a password is
valid.

-W
WARNDAYS

The number of days before the password expiration that
the system will start warning the user.

Examples

View the password aging information for the
root
user:

#
chage -l root
Last password change : Jan 08, 2010
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Force a user to change his password on the next login:

#
chage -d 0 adamh
#
chage -l adamh
Last password change : password must be changed
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Now when the user
adamh
next logs in, he
will see:

login as:
adamh
adamh@server's password:

You are required to change your password immediately (root enforced)
Last login: Fri Jan 8 14:50:42 2010 from 10.0.0.112
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user adamh.
Changing password for adamh.
(current) UNIX password:

New UNIX password:

Retype new UNIX password:

On the Exam

The
chage
command can be a little
confusing. Take the time to learn its different options and
practice configuring different password aging settings on a test
Linux system. It is likely that you will encounter questions about
the syntax of the
chage
command on the LPI
exams.

Name

ulimit

Syntax
ulimit
[OPTIONS] limit
Description

Provides control over the resources available to the
shell and to processes started by it, on systems that allow such
control.

Frequently used options
-a

Report all current limits.

-u
NUMBER

The maximum number of processes available to a single
user.

-x
NUMBER

The maximum number of file locks.

-v
NUMBER

The maximum amount of memory available to the shell, in
kilobytes.

-H

Indicates that a hard limit is being specified.

-S

Indicates that a soft limit is being specified.

Example

View the current limits for a user:

$
ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 8192
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 8192
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

Limits are defined on Linux as being either
hard
or
soft
limits. A hard limit is set by the
superuser for a user or group of users and cannot be
exceeded. A soft limit is also set by the superuser, but it may be
temporarily overridden by a user if the need arises (by the user
calling the
ulimit
command). For example, a
user may have a soft limit of 100 on the maximum number of open
files, with a hard limit of 1,000. If the user is running a
short-term process that needs to open 200 files, they can
temporarily increase her limit in order for that program to run.
That increase lasts only for the life of the user’s shell. Hard and
soft limits are set up by the superuser for all users in the file
/etc/security/limits.conf
.

The file
limits.conf
takes four values,
space- or Tab-delimited, on each line:

   

Table 22-3
describes the options for entries in
limits.conf
.

Table 22-3. Options in /etc/security/limits.conf

Field name

Possible values

Domain

  • Username

  • Group name, prefixed by @

  • * to indicate the default

Type

  • hard

  • soft

Item

  • core
    (limits the core file
    size, set in KB)

  • data
    (maximum data size in
    KB)

  • fsize
    (maximum file size in
    KB)

  • memlock
    (maximum
    locked-in-memory address space in KB)

  • nofile
    (maximum number of
    open files)

  • rss
    (maximum resident set
    size in KB)

  • stack
    (maximum stack size
    in KB)

  • cpu
    (maximum CPU time in
    minutes)

  • nproc
    (maximum number of
    processes

  • as
    (address space limit in
    KB)

  • maxlogins
    (maximum number
    of logins for this user)

  • maxsyslogins
    (maximum
    number of logins on the system)

  • priority
    (the priority with
    which to run the user process)

  • locks
    (maximum number of
    file locks the user can hold)

  • sigpending
    (maximum number
    of pending signals)

  • msgqueue
    (maximum memory
    used by POSIX message queues in bytes)

  • nice
    (maximum nice priority
    allowed)

  • rtprio
    (maximum real-time
    priority)

Value

Integer

Here are some example lines from a
limits.conf
file:

# user adamh cannot create a file larger than 200 MB
adamh hard fsize 204800
# user adamh cannot create a file larger than 100 MB
# unless he increases his own ulimit value
adamh soft fsize 102400
# don't create core files for any user unless they
# change this ulimit value for themselves
* soft core 0
# limit all users in the group 'students' to no more
# than 20 processes running at once
@student hard nproc 20
# limit all users in the group 'faculty' to no more
# than 20 processes running at once, but allow
# them to increase their own limit temporarily
@faculty soft nproc 20

Let’s see
ulimit
in action with the user
adamh
, given the example
limits.conf
file just shown. First, prove
that user
adamh
cannot create a file larger
than 102400 blocks (100 MB, assuming we’re dealing with blocks that
are each 1 KB in size):

$
whoami
adamh
$
ulimit –a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) 102400
pending signals (-i) 8192
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 8192
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
$
dd if=/dev/zero of=largefile bs=1M count=200
File size limit exceeded
$
ls -lh largefile
-rwxrwxrwx 1 root root 100M 2010-01-08 16:09 largefile

The
dd
command used in this
example is attempting to create a 200 MB file by copying the
contents of
/dev/zero
(a
special device that returns zero-valued bytes to all read requests)
to the file
largefile
. It is
doing this by attempting to copy 200 1-megabyte segments. After
dd
has reached 100 MB, the copy is aborted and
the error “File size limit exceeded” appears. An
ls
of the file shows that user
adamh
was allowed to create a 100 MB file, but
no larger. Now
adamh
will use
ulimit
to increase his file size limit to 200
MB and try the command again:

$
ulimit -f 204800
$
ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) 204800
pending signals (-i) 8192
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 8192
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
$
dd if=/dev/zero of=largefile bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB) copied, 13.0589 s, 16.1 MB/s
$
ls -lh largefile
-rwxrwxrwx 1 root root 200M 2010-01-08 16:14 largefile

This time, the
dd
command completed
without an error, and
adamh
was allowed to
create a 200 MB file. However, if he tries to use
ulimit
to increase the limit beyond the hard
limit, he is denied:

$
ulimit -f 204801
-bash: ulimit: file size: cannot modify limit: Operation not permitted

On the Exam

Setting limits for users is an often-overlooked activity,
but it will appear on the LPI exam. Be familiar with the format of
the
/etc/security/limits.conf
file and some
of the more common options for
ulimit
. Also
be sure to understand the difference between hard and soft limits
and how those differences affect a user’s ability to use system
resources.

Other books

Carolyn Davidson by Runaway
Kissing Fire by A.M. Hargrove
The Atlantis Code by Charles Brokaw
Love Comes Home by Terri Reed
Visions of Isabelle by William Bayer