1
00:00:00,000 --> 00:00:09,000
In this video, we'll explore sudo.

2
00:00:09,000 --> 00:00:10,640
You've worked with sudo before.

3
00:00:10,640 --> 00:00:14,320
Now let's discover some of the configuration behind it.

4
00:00:14,320 --> 00:00:16,840
Easy sudo access is configured by adding users

5
00:00:16,840 --> 00:00:18,000
to the wheel group.

6
00:00:18,000 --> 00:00:21,680
That's for Red Hat or the sudo group if you're on Ubuntu.

7
00:00:21,680 --> 00:00:23,920
If you want access to more advanced options,

8
00:00:23,920 --> 00:00:26,920
you need to edit the sudo configuration file.

9
00:00:26,920 --> 00:00:29,400
The name of that file is /etc/sudoers,

10
00:00:29,400 --> 00:00:31,320
but you cannot edit it directly.

11
00:00:31,320 --> 00:00:35,160
You should use the visudo command to edit it.

12
00:00:35,160 --> 00:00:39,000
And visudo, in the end, writes the changes

13
00:00:39,000 --> 00:00:42,720
to /etc/sudoers in a secure way.

14
00:00:42,720 --> 00:00:44,400
Now, when you are working with sudo,

15
00:00:44,400 --> 00:00:47,799
one thing is a sudo authentication token.

16
00:00:47,799 --> 00:00:51,439
Sometimes people are using NOPASSWD in the line

17
00:00:51,439 --> 00:00:53,400
that enables sudo to allow using it

18
00:00:53,400 --> 00:00:55,160
without entering a password.

19
00:00:55,160 --> 00:00:56,799
That is very insecure.

20
00:00:56,799 --> 00:00:58,560
But why are people doing that?

21
00:00:58,639 --> 00:01:01,799
Well, people are doing that because if you are using sudo,

22
00:01:01,799 --> 00:01:05,480
an authentication token is generated.

23
00:01:05,480 --> 00:01:06,959
So the first time you use sudo,

24
00:01:06,959 --> 00:01:08,800
you are prompted for a password.

25
00:01:08,800 --> 00:01:11,720
Based on that password, a token is generated.

26
00:01:11,720 --> 00:01:13,599
And that token enables the same user

27
00:01:13,599 --> 00:01:15,199
to run additional sudo commands

28
00:01:15,199 --> 00:01:18,800
without having to enter a password every time.

29
00:01:18,800 --> 00:01:20,440
Now, the problem is that by default,

30
00:01:20,440 --> 00:01:23,160
this token expires after a few minutes.

31
00:01:23,160 --> 00:01:26,320
And then the user needs to enter the password again.

32
00:01:26,360 --> 00:01:28,800
And if you are working with sudo all day long,

33
00:01:28,800 --> 00:01:30,160
that is annoying.

34
00:01:30,160 --> 00:01:32,800
So probably you want to avoid that.

35
00:01:32,800 --> 00:01:34,680
And in order to avoid it,

36
00:01:34,680 --> 00:01:37,639
you can add Defaults timestamp_type=global

37
00:01:37,639 --> 00:01:39,800
and timestamp_timeout=60.

38
00:01:39,800 --> 00:01:42,279
So Defaults timestamp_type=global.

39
00:01:42,279 --> 00:01:43,919
That applies to users no matter

40
00:01:43,919 --> 00:01:46,199
how they are logging into your system.

41
00:01:46,199 --> 00:01:48,320
And timestamp_timeout=60

42
00:01:48,320 --> 00:01:51,120
is setting the expiry of the authentication token

43
00:01:51,120 --> 00:01:52,879
to 60 minutes.

44
00:01:52,879 --> 00:01:55,519
Now, the 60, of course, is whatever you want.

45
00:01:55,519 --> 00:01:57,639
If you think that 60 minutes is not enough,

46
00:01:57,639 --> 00:02:00,440
set it to longer or set it to shorter,

47
00:02:00,440 --> 00:02:04,279
but it is better than using NOPASSWD.

48
00:02:04,279 --> 00:02:06,559
And that is because the situation will be

49
00:02:06,559 --> 00:02:10,639
that you enter your password at the beginning of a session.

50
00:02:10,639 --> 00:02:12,919
And then you can work all morning long

51
00:02:12,919 --> 00:02:15,800
without having to enter your sudo password again.

52
00:02:15,800 --> 00:02:17,600
I mean, you've been logged in anyway.

53
00:02:17,600 --> 00:02:19,119
Then you go for lunch, you log out.

54
00:02:19,119 --> 00:02:20,839
And after coming back from lunch,

55
00:02:20,839 --> 00:02:22,279
you enter your password again.

56
00:02:22,279 --> 00:02:24,399
You only have to enter it twice a day

57
00:02:24,399 --> 00:02:25,880
instead of all the time.

58
00:02:25,880 --> 00:02:27,639
And that is way more secure

59
00:02:27,639 --> 00:02:30,479
than setting the NOPASSWD option.

60
00:02:30,479 --> 00:02:33,479
In sudo, you can also work with drop-in files.

61
00:02:33,479 --> 00:02:37,039
So instead of writing directly to /etc/sudoers,

62
00:02:37,039 --> 00:02:41,080
drop-in files can be added to /etc/sudoers.d.

63
00:02:41,080 --> 00:02:42,679
Now, this is a generic approach

64
00:02:42,679 --> 00:02:45,639
of working with configuration files in Linux.

65
00:02:45,639 --> 00:02:48,800
In the old days, you would just have one configuration file.

66
00:02:48,800 --> 00:02:51,559
Nowadays, as Linux systems are often managed,

67
00:02:51,559 --> 00:02:53,960
you want to distinguish between the managed content

68
00:02:53,960 --> 00:02:57,119
in the default configuration file and your own content,

69
00:02:57,119 --> 00:03:00,360
which is often created in a drop-in file.

70
00:03:00,360 --> 00:03:03,199
And the strategy is to use a drop-in file with the name

71
00:03:03,199 --> 00:03:06,479
/etc/name-of-the-configuration-file.d.

72
00:03:06,479 --> 00:03:10,160
And then you create your own configuration.

73
00:03:10,160 --> 00:03:11,880
Now, in the sudo drop-in files,

74
00:03:11,880 --> 00:03:15,919
you can add configuration for individual users and or groups.

75
00:03:15,919 --> 00:03:18,919
Like linda ALL=/usr/bin/passwd,

76
00:03:18,919 --> 00:03:21,479
!/usr/bin/passwd root,

77
00:03:21,479 --> 00:03:23,839
which would allow you, linda, to set passwords,

78
00:03:23,839 --> 00:03:25,880
but not for user root.

79
00:03:25,880 --> 00:03:30,360
Or if you really want it, lisa ALL=(ALL) NOPASSWD: ALL.

80
00:03:30,360 --> 00:03:32,919
Let me show you a bit before continuing.

81
00:03:32,919 --> 00:03:35,960
So first, I'm going to use visudo.

82
00:03:35,960 --> 00:03:38,399
And in visudo, what am I going to do?

83
00:03:38,399 --> 00:03:40,759
Well, I'm going to add this default parameter

84
00:03:40,759 --> 00:03:45,160
to manage the lifetime of the authentication token.

85
00:03:45,160 --> 00:03:47,919
Now, a default parameter can occur more than once

86
00:03:47,919 --> 00:03:50,119
in a sudoers file, and that's what I do,

87
00:03:50,160 --> 00:03:52,800
and I like to have it close to the other default parameters

88
00:03:52,800 --> 00:03:55,639
so that I can easily find my defaults.

89
00:03:55,639 --> 00:03:59,960
So Defaults timestamp_type=global.

90
00:04:01,119 --> 00:04:03,240
This parameter makes it apply

91
00:04:03,240 --> 00:04:05,279
no matter how a user is logging in.

92
00:04:05,279 --> 00:04:08,199
So also for SSH sessions, for instance.

93
00:04:08,199 --> 00:04:13,199
And timestamp_timeout=240.

94
00:04:14,839 --> 00:04:16,200
What you are going to select here

95
00:04:16,200 --> 00:04:18,160
really depends on what you want to do.

96
00:04:18,160 --> 00:04:21,440
I like 240 because that requires me

97
00:04:21,440 --> 00:04:24,000
to enter a password twice only.

98
00:04:24,000 --> 00:04:25,880
And if you want to do it differently,

99
00:04:25,880 --> 00:04:27,839
change it to whatever you want.

100
00:04:27,839 --> 00:04:29,839
I'm applying my changes,

101
00:04:29,839 --> 00:04:34,119
and then I'm getting into /etc/sudoers.d,

102
00:04:34,119 --> 00:04:39,000
and there I'm creating my file linda.conf.

103
00:04:39,000 --> 00:04:41,079
And in linda.conf, I'm adding the line

104
00:04:41,079 --> 00:04:46,079
that I want to use: linda ALL=/usr/bin/passwd,

105
00:04:47,000 --> 00:04:52,000
!/usr/bin/passwd root.

106
00:04:52,760 --> 00:04:54,079
Now we want to test that, right?

107
00:04:54,079 --> 00:04:57,799
So let me do a useradd linda.

108
00:04:57,799 --> 00:05:00,640
This is a CentOS system, so if I use useradd linda,

109
00:05:00,640 --> 00:05:02,720
I get a bash shell by default,

110
00:05:02,720 --> 00:05:04,720
and I get a home directory by default,

111
00:05:04,720 --> 00:05:06,519
and that is the way I want it.

112
00:05:06,519 --> 00:05:10,359
And useradd lisa to create user lisa as well.

113
00:05:10,359 --> 00:05:11,200
Good.

114
00:05:11,200 --> 00:05:13,839
Now I'm going to use su linda

115
00:05:13,880 --> 00:05:16,279
to open a shell as user linda.

116
00:05:16,279 --> 00:05:17,600
I'm a little bit lazy.

117
00:05:17,600 --> 00:05:19,600
I never set a password for user linda,

118
00:05:19,600 --> 00:05:21,640
but as I'm doing this as user root,

119
00:05:21,640 --> 00:05:23,559
I don't have to enter a password.

120
00:05:23,559 --> 00:05:25,480
So now I'm user linda,

121
00:05:25,480 --> 00:05:30,239
and I should be able to use sudo passwd lisa.

122
00:05:30,239 --> 00:05:31,839
Is that going to work?

123
00:05:31,839 --> 00:05:32,679
Uh-uh.

124
00:05:32,679 --> 00:05:34,040
Password for linda.

125
00:05:34,040 --> 00:05:37,640
So my laziness is not rewarded here.

126
00:05:37,640 --> 00:05:40,480
I do need a password for user linda anyway.

127
00:05:40,480 --> 00:05:43,160
That's because of the default password check

128
00:05:43,160 --> 00:05:45,799
when users are using sudo.

129
00:05:45,799 --> 00:05:48,239
Remember, the user who's using sudo

130
00:05:48,239 --> 00:05:51,160
needs to enter their own password.

131
00:05:51,160 --> 00:05:54,040
So now that I'm in my sudoers.d,

132
00:05:54,040 --> 00:05:56,239
I can create a file for the user,

133
00:05:56,239 --> 00:05:58,880
and let's create the file linda,

134
00:05:58,880 --> 00:06:00,959
in which I'm putting linda

135
00:06:00,959 --> 00:06:04,839
ALL=/usr/bin/passwd,

136
00:06:04,839 --> 00:06:09,839
!/usr/bin/passwd root.

137
00:06:10,519 --> 00:06:11,720
That should be doing it.

138
00:06:14,000 --> 00:06:16,720
So next, it's time to test, right?

139
00:06:16,720 --> 00:06:20,480
So let's use getent passwd linda

140
00:06:20,480 --> 00:06:22,239
to check if we have a user linda,

141
00:06:22,239 --> 00:06:25,000
and there we can see we have a user linda.

142
00:06:25,000 --> 00:06:26,480
getent is a nice command

143
00:06:26,480 --> 00:06:29,640
because it's printing all the properties of the user

144
00:06:29,640 --> 00:06:33,640
as it was found in the authentication database.

145
00:06:33,640 --> 00:06:36,839
In this case, it's simply /etc/passwd.

146
00:06:36,839 --> 00:06:39,519
Also make sure that this user has a password,

147
00:06:39,519 --> 00:06:41,920
and then you can open a shell as the user,

148
00:06:41,920 --> 00:06:45,559
and that's what I'm doing right now, su - linda.

149
00:06:45,559 --> 00:06:47,000
As I'm doing that as root,

150
00:06:47,000 --> 00:06:49,679
I don't have to enter a password at all,

151
00:06:49,679 --> 00:06:54,679
but now I should be able to use sudo passwd lisa.

152
00:06:55,160 --> 00:06:57,079
Entering the password for linda,

153
00:06:57,079 --> 00:07:00,079
and there we can see I'm prompted for the new password,

154
00:07:00,079 --> 00:07:02,440
going once and going twice.

155
00:07:02,440 --> 00:07:05,720
And what happens if we try to do that for user root?

156
00:07:05,720 --> 00:07:08,079
Well, then we get the error message,

157
00:07:08,079 --> 00:07:09,720
user linda is not allowed,

158
00:07:09,720 --> 00:07:14,040
and that's because we excluded this functionality.

159
00:07:14,040 --> 00:07:16,519
Right, let's get back to the slides

160
00:07:16,519 --> 00:07:20,279
because I need to tell you about sudoedit.

161
00:07:20,279 --> 00:07:23,519
sudoedit is a nice command, and why is that?

162
00:07:23,519 --> 00:07:25,640
Well, that is because from a regular editor,

163
00:07:25,640 --> 00:07:28,760
often there is an option to open a shell.

164
00:07:28,760 --> 00:07:32,519
So from vim, you can use :shell to open a shell.

165
00:07:32,519 --> 00:07:33,760
And what does that mean?

166
00:07:33,760 --> 00:07:36,600
That means that if you do that from a sudo vim session,

167
00:07:36,600 --> 00:07:39,239
the shell is a shell to the sudo vim session,

168
00:07:39,239 --> 00:07:42,040
and for that reason, you can open a root shell.

169
00:07:42,040 --> 00:07:45,279
That's not really something that you normally want.

170
00:07:45,279 --> 00:07:47,720
And that is why, if you want to prevent users

171
00:07:47,720 --> 00:07:50,440
from having unlimited shell access in this way,

172
00:07:50,440 --> 00:07:53,559
you better use sudoedit instead of giving a user

173
00:07:53,559 --> 00:07:56,959
sudo privileges to use vim.

174
00:07:56,959 --> 00:07:58,679
In order to activate sudoedit,

175
00:07:58,679 --> 00:08:01,679
you need to include it in the sudo configuration.

176
00:08:01,679 --> 00:08:03,320
And this is how it works.

177
00:08:03,320 --> 00:08:09,320
So linda ALL=sudoedit, !sudoedit /etc/sudoers.

178
00:08:09,320 --> 00:08:12,880
And as a result, the user can just run sudoedit

179
00:08:12,880 --> 00:08:14,799
without sudo in front of it.

180
00:08:14,799 --> 00:08:16,640
Let's check it out.

181
00:08:16,640 --> 00:08:20,000
So I'm getting back to the linda configuration file

182
00:08:20,000 --> 00:08:25,279
where I'm going to add the sudoedit command.

183
00:08:25,279 --> 00:08:34,760
So sudoedit, !sudoedit /etc/sudoers.

184
00:08:37,760 --> 00:08:41,520
And now I can open my shell as user linda again.

185
00:08:41,520 --> 00:08:46,559
And there I'm using sudoedit /etc/hosts.

186
00:08:46,559 --> 00:08:48,599
And here is /etc/hosts.

187
00:08:48,599 --> 00:08:50,799
And can linda put something in there?

188
00:08:50,799 --> 00:08:59,400
192.168.29.111 dummy.example.com, for instance.

189
00:08:59,400 --> 00:09:01,239
And as you can see, that works.

190
00:09:01,239 --> 00:09:05,080
And ls -l on /etc/hosts is showing

191
00:09:05,080 --> 00:09:09,400
that really you need escalated privileges in order to do so.

192
00:09:09,400 --> 00:09:13,440
Also notice that sudoedit is using the sudo authentication

193
00:09:13,440 --> 00:09:14,039
token.

194
00:09:14,039 --> 00:09:17,080
There was no need for user linda to enter the password again.

