Support for security such as Firewalls and securing linux


Post by kerm1t » 2005/03/20 12:30:10


I am looking for information on how to setup jails, since I do not want my users romping around the OS. Any information on how to do this would be great. Additionally, users also need to run applications as a privilaged user. I have decided sudo would be the best way to handle something like this, however; I want to ensure sudo will be configured correctly to run one single application as root and nothing else. Any documentation related to configuring sudo in this way would be helpful.

Thank you!




Post by devil » 2005/03/21 14:40:27

Sudo uses timestamp files to implement a "ticketing" system. When a user invokes sudo and enters their password, they are granted a ticket for 5 minutes (this timeout is configurable at compile-time). Each subsequent sudo command updates the ticket for another 5 minutes. This avoids the problem of leaving a root shell where others can physically get to your keyboard. There is also an easy way for a user to remove their ticket file, useful for placing in a .logout file.

Sudo’s configuration file, the sudoers file, is setup in such a way that the same sudoers file may be used on many machines. This allows for central administration while keeping the flexibility to define a user's privileges on a per-host basis

If you haven't already done so for other software, you now need to modify the search paths so that the system can find the sudo program and its manual pages.
It's advisable to log out and log in again at this point to activate these changes. Make sure that the system can find the sudo program:
# sudo -V
(that's an upper case "V") and that you can display the manual pages:
# man sudo
# man visudo
# man sudoers


1) Add the user accounts to the /etc/passwd file

2) After adding the above lines to the /etc/passwd file, run pwconv

This command updates the /etc/shadow file with respect to the /etc/passwd file

5) Configure Sudo:
sudo is controlled by its configuration file /etc/sudoers. The program has a rich selection of configuration options. The instructions below describe how to create a sudoers file that allows a particular user to run any command as root.
One potential difficulty is that the /etc/sudoers file must be edited using the visudo program and not directly in your editor of choice. visudo uses the "vi" editor and this means that you need at least a basic understanding of how to use this editor.
To edit /etc/sudoers make sure you're logged in as root and type:
# visudo
This starts the vi editor and displays the initial sudoers file

You may like to add the following lines telling sudo that your own personal users are allowed to do anything as root.
root ALL=(ALL) ALL
test ALL=(ALL) ALL
test1 ALL=(ALL) ALL

Sudo is simple to use. To execute a command with root privilege, type:
$ sudo name-of-command
If this is the first time you've used sudo since logging in, sudo will ask for your password. The password required at this point is the user's own password, not the root password.
$ sudo /dialup
and sudo responds:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

#1) Respect the privacy of others.
#2) Think before you type.

The user would then type their password and sudo will run the /dialup script for them with root privilege. If further commands are executed using sudo within 5 minutes, it will not ask for a password again.
But if test were to try and execute a command without having the necessary permission (as defined in the /etc/sudoers file), sudo will refuse to run it:
$ sudo vi /etc/passwd
Sorry, user test is not allowed to execute "/usr/bin/vi /etc/passwd" as root on XYZ
In this example, XYZ is the name of the machine.

7) Sudo Logging:

Add the following 2 lines to /etc/syslog.conf file to save the sudo messages

*.err local2.info
local2.debug /var/adm/sudo.log
Don't forget to send a SIGHUP to your syslogd so that it re-reads its conf file. Also, remember that syslogd does *not* create log files, you need to create the file before syslogd will log to it (i.e.: touch /var/log/sudo). Note: the facility ("local2.debug") must be separated from the destination ("/var/log/sudo.log" or "@loghost") by tabs, *not* spaces. This is a common error.
Add the following line to the sudo config file using 'visudo' (we want to keep user actions in a separate log file):

Defaults logfile=/var/log/sudo

---------hope this helps ;-)
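The original question asked for sudo to permit one single application and nothing else, while the reply above grants ALL=(ALL) ALL. The script below is an added example, not code from this thread or from the sudo project: it puts the thread's permissive rules beside the single-command form the question asked for, audits a sudoers-style text for rules whose command list is ALL, and counts refused commands per user in sudo log lines (the kind written by the syslog/logfile setup described above). The user names dialup and ops, the service path, and all log lines are constructed for illustration; the /dialup script name and host XYZ come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit sudoers rules for over-broad grants and
# summarise sudo log lines for refused commands. User names, paths and log lines
# below are constructed for illustration, not taken from a real system.

# Constructed sudoers fragment. The first three rules mirror the ALL=(ALL) ALL form
# shown in the thread; the last two show the least-privilege form the question asked
# for: one user, one command, as root, and nothing else.
SUDOERS_SAMPLE='root    ALL=(ALL) ALL
test    ALL=(ALL) ALL
test1   ALL=(ALL) ALL
# dialup may only run the /dialup script as root (path taken from the thread)
dialup  ALL=(root) /dialup
# NOPASSWD is acceptable for a fixed, argument-free command; still one path only
ops     ALL=(root) NOPASSWD: /usr/sbin/service httpd restart'

# list_unrestricted: print the user of every rule whose command list is exactly ALL.
# Reads sudoers-style text on stdin; skips comments, blank lines and Defaults lines.
list_unrestricted() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^Defaults/ { next }
        {
            # rule shape: user  host=(runas) [TAG:] cmd[, cmd...]
            line = $0
            sub(/^[^=]*=/, "", line)                   # drop "user host="
            sub(/^\([^)]*\)[[:space:]]*/, "", line)    # drop "(runas)"
            gsub(/[A-Z]+:[[:space:]]*/, "", line)      # drop NOPASSWD: and similar tags
            if (line ~ /^ALL[[:space:]]*$/) print $1
        }'
}

# unrestricted_users: space-separated list of users with unrestricted rules.
unrestricted_users() {
    printf '%s\n' "$SUDOERS_SAMPLE" | list_unrestricted | tr '\n' ' ' | sed 's/ *$//'
}

# Constructed log lines in the layout sudo sends to syslog. A refused command is
# recorded as "command not allowed", matching the "Sorry, user test is not allowed"
# exchange quoted in the thread.
SUDO_LOG_SAMPLE='Mar 23 15:01:10 XYZ sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/dialup
Mar 23 15:02:41 XYZ sudo:     test : command not allowed ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Mar 23 15:03:02 XYZ sudo:     test : command not allowed ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/bash
Mar 23 15:05:55 XYZ sudo:   dialup : TTY=pts/1 ; PWD=/home/dialup ; USER=root ; COMMAND=/dialup'

# denied_per_user: count "command not allowed" entries per invoking user.
# Output: "user count" lines, sorted by user, so repeated refusals stand out.
denied_per_user() {
    awk -F' : ' '
        /command not allowed/ {
            user = $1
            sub(/.*sudo:[[:space:]]*/, "", user)   # keep only the user name
            count[user]++
        }
        END { for (u in count) print u, count[u] }' | sort
}

# denied_summary: run the log check over the constructed sample.
denied_summary() {
    printf '%s\n' "$SUDO_LOG_SAMPLE" | denied_per_user
}

echo "users with unrestricted sudo: $(unrestricted_users)"
echo "refused commands per user:"
denied_summary
```

On a real host, run the audit against /etc/sudoers itself and check any fragment with `visudo -c -f <file>` before installing it; the per-user refusal count is the same query you would run over the /var/log/sudo file created in the logging step.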

Re: Jails

Post by lbhflinux » 2005/03/23 15:08:43

you could also try chroot. it creates a virtual root filesystem.
