LINUX-8
USER LOGIN / SU
TERMINAL: Special-purpose physical devices which usually had a screen and a keyboard, and attached to a computer via a serial line, either directly or via a dial-up modem. Terminals were quite dumb devices, with little computation capability of their own: their job was mainly to display fixed-sized text coming via the serial line from the computer, and to send data entered via the keyboard back to the computer through the serial line, much like a teletype but with a screen in place of paper.
A terminal is a device containing only a few parts and a monitor with an integrated keyboard; it is used to access the mainframe computer. The terminal connects to the mainframe computer on a serial console port. Once connected it uses all resources such as CPU, RAM and hard disk from the mainframe computer. The earliest terminals were also known as teletypes (abbreviated TTY).
Ex: VT-102, VT-103
CONSOLE: A terminal which is incorporated in the computer, and generally assumed to be always there since system startup. You usually needed physical access to the computer to access its console, so it could be granted special privileges and/or dedicated to special tasks (e.g. displaying system log messages that needed the attention of a system operator).
Today terminals, as in the definition given above, aren't used that much anymore, but their behavior is emulated by software programs: xterm, for example, is a popular terminal emulator, graphically emulating a VT-102 on the X Window System. PuTTY is another VT-102 terminal emulator that also includes an OpenSSH and Telnet client.
Sometimes terminal emulators are called "virtual terminals", and terminal emulators which have the role of a console are thus called "virtual consoles".
Specifically, on Linux-based systems, "virtual console" refers to the terminal emulators that are built into the kernel and that can be accessed at any time by pressing Ctrl+Alt+F1 .. F12 at the console's keyboard.
Courtesy:
A tty is a particular kind of device file which implements a number of additional commands (ioctls) beyond read and write. In its most common meaning, terminal is synonymous with tty. Some ttys are provided by the kernel on behalf of a hardware device, for example with the input coming from the keyboard and the output going to a text mode screen, or with the input and output transmitted over a serial line. Other ttys, sometimes called pseudo-ttys, are provided (through a thin kernel layer) by programs called terminal emulators, such as Xterm (running in the X Window System), Screen (which provides a layer of isolation between a program and another terminal), Ssh (which connects a terminal on one machine with programs on another machine), Expect (for scripting terminal interactions), etc.
A console is generally a terminal in the physical sense that is by some definition the primary terminal directly connected to a machine. The console appears to the operating system as a (kernel-implemented) tty. On some systems, such as Linux and FreeBSD, the console appears as several ttys (special key combinations switch between these ttys); just to confuse matters, the name given to each particular tty can be "console", "virtual console", "virtual terminal", and other variations.
Courtesy:
vc/1 - virtual console
tty1 - terminal
3270/tty1 - looks like Gnome
SCLP is the native serial interface for AIX
HVSI is host virtual serial interface
XVC is Xen virtual console
HVC is IBM iSeries/pSeries virtual console
Local access is regulated by /etc/securetty.
There are 11 virtual consoles; by default only 6 are enabled in /etc/systemd/logind.conf.
Comment out the directives of /etc/securetty and check what happens. Make sure you have another valid user on the system before doing that. SSH logins are not affected by this commenting.
WHO IS REGULATING ACCESS FOR USERS ?
/etc/security/access.conf
The whole file is commented out by default.
Check how it can control each and every user's login behavior on the system.
# Disallow non-root logins on tty1
#
#-:ALL EXCEPT root:tty1
#
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:LOCAL
#
# Same, but make sure that really the group wheel and not the user
# wheel is used (use nodefgroup argument, too):
#
#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
#
# Disallow non-local logins to privileged accounts (group wheel).
#
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
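As an added example (not part of these notes), the following Python evaluator applies access.conf rules of the form shown above the way pam_access does: the first matching rule decides, a bare name matches a user or a group, (group) matches group membership only, and LOCAL matches any origin without a dot. The group database and rule set are constructed sample data.

```python
"""Evaluate access.conf-style rules (added example, not the page's code).
Each rule is  permission:users:origins ; as in pam_access the first
matching rule decides, and no match means the login is allowed."""
import re

# Constructed sample group database: group name -> members
GROUPS = {"wheel": {"raman", "araman"}, "root": {"root"}}

def _user_matches(item, user):
    m = re.fullmatch(r"\((\w+)\)", item)
    if m:                       # (group): match on group membership only
        return user in GROUPS.get(m.group(1), set())
    # bare name: a user name, or a group name the user belongs to
    return item == user or user in GROUPS.get(item, set())

def _origin_matches(item, origin):
    if item == "LOCAL":         # LOCAL: any origin without a dot (tty, short host)
        return "." not in origin
    if item.startswith("."):    # .domain: hosts inside that domain
        return origin.endswith(item)
    return item == origin       # exact tty name, host name or address

def _list_matches(field, value, matcher):
    """Handle 'ALL', 'a b c' and 'x y EXCEPT z' lists."""
    parts = field.split()
    idx = parts.index("EXCEPT") if "EXCEPT" in parts else len(parts)
    base, excl = parts[:idx], parts[idx + 1:]
    hit = lambda items: any(i == "ALL" or matcher(i, value) for i in items)
    return hit(base) and not hit(excl)

def is_allowed(rules, user, origin):
    """True if user may log in from origin under the given rules text."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _list_matches(users, user, _user_matches) and \
                _list_matches(origins, origin, _origin_matches):
            return perm == "+"
    return True

# Constructed rule set, taken from the commented examples in access.conf
RULES = """
-:ALL EXCEPT root:tty1
-:ALL EXCEPT (wheel) shutdown sync:LOCAL
-:wheel:ALL EXCEPT LOCAL .win.tue.nl
"""
```

Note that with all three rules active together, a user who is not in wheel is refused on every local tty by the second rule, so test each rule against the accounts you actually need before enabling it.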
EXTENDED PERMISSIONS:
su: "switch user" opens a subshell as a different user; root commands are executed only in that subshell.
sudo: "superuser do", an environment where root-access commands can be executed by regular users (**they must know the root passwd). Specific commands or sets of commands can be assigned to a user or group of users to perform specific administrative tasks.
PolicyKit: allows graphical utilities to be set up to run with admin access.
SU…………………………….
[root@rhel7-server ~]# su - user1
[user1@rhel7-server ~]$
[user1@rhel7-server ~]$ id
uid=1002(user1) gid=1002(user1) groups=1002(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user1@rhel7-server ~]$ su - raman
Password:
su: Authentication failure
Root can su to any account; other users are required to enter the password for the same.
Can any user use "su"? Yes...
But it can be controlled... HOW??
[root@rhel7-server ~]# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
We already have users "raman", "user1" and "araman" in the system with separate groups; I added them to a common secondary group "admins1".
[root@rhel7-server ~]# groupadd -g 5000 admins1
[root@rhel7-server ~]# usermod -a -G admins1 raman
[root@rhel7-server ~]# usermod -a -G admins1 user1
[root@rhel7-server ~]# usermod -a -G admins1 araman
Now, I want only the members of group "admins1" to be able to do "su".
Let's check how we can do this...
[user3@rhel7-server ~]$ vi /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
auth            sufficient      pam_admins1.so trust use_uid      <-- added
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_admins1.so use_uid            <-- added
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
I added the marked lines to the file.
And added a new user:
[root@rhel7-server ~]# useradd user3
[root@rhel7-server ~]# passwd user3
Changing password for user user3.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@rhel7-server ~]# su - user3
(root can "su" to any user)
[user3@rhel7-server ~]$ id
uid=1003(user3) gid=1003(user3) groups=1003(user3) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user3@rhel7-server ~]$ su - raman
Password: (correct passwd provided)
su: Module is unknown      <--
[user3@rhel7-server ~]$ su - araman
Password: (correct passwd provided)
su: Module is unknown      <--
SUDO…………………………………………….
Controlled access to administrative commands.
/etc/sudoers
Any regular user who needs access to one or more admin commands is defined in the file /etc/sudoers.
The file is edited with the command "visudo".
Now I want a user "araman" to perform the following tasks:
fdisk, fdisk -l, vipw, visudo
As a regular user he cannot run the above-mentioned commands.
So what we have to do is:
[root@rhel7-server ~]# visudo
And add the following line at the end:
araman ALL=(ALL) /usr/sbin/fdisk, /usr/sbin/vipw, /usr/sbin/fdisk -l, /usr/sbin/visudo
Let's see the impact...
[araman@rhel7-server ~]$ vipw
vipw: Permission denied.
vipw: Couldn't lock file: Permission denied
vipw: /etc/passwd is unchanged
[araman@rhel7-server ~]$ /usr/sbin/vipw
vipw: Permission denied.
vipw: Couldn't lock file: Permission denied
vipw: /etc/passwd is unchanged
[araman@rhel7-server ~]$ fdisk -l
[araman@rhel7-server ~]$ fdisk -l
[araman@rhel7-server ~]$ sudo fdisk -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for araman:
Disk /dev/sda: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00042ab0

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     1435647      716800   83  Linux
/dev/sda2         1435648     5629951     2097152   82  Linux swap / Solaris
/dev/sda3         5629952     7727103     1048576   83  Linux
/dev/sda4         7727104    41943039    17107968    5  Extended
/dev/sda5         7729152    38449151    15360000   83  Linux

Disk /dev/sdb: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x59d60db6

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048     2099199     1048576   83  Linux
================o/p removed=============================
[araman@rhel7-server ~]$ sudo visudo
[sudo] password for araman:
visudo: /etc/sudoers.tmp unchanged
[araman@rhel7-server ~]$ su - user1
Password:
Last login: Wed Dec 28 18:01:32 IST 2016 on pts/0
Last failed login: Wed Dec 28 18:01:47 IST 2016 on pts/1
There was 1 failed login attempt since the last successful login.
[user1@rhel7-server ~]$ sudo vipw
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for user1:
user1 is not in the sudoers file. This incident will be reported.
[user1@rhel7-server ~]$ sudo vipw
[sudo] password for user1:
user1 is not in the sudoers file. This incident will be reported.
User "araman" is allowed because it has authorization in the "sudoers" file.
Now I want all the members of group "admins1" to have the same rights to run
fdisk, fdisk -l, vipw, visudo
Let's see what we can do...
[root@rhel7-server ~]# visudo
Added the following entry at the end:
%admins1 ALL=(ALL) /usr/sbin/fdisk, /usr/sbin/vipw, /usr/sbin/fdisk -l, /usr/sbin/visudo
[user1@rhel7-server ~]$ sudo vipw
[sudo] password for user1:
vipw: /etc/passwd is unchanged
[raman@rhel7-server ~]$ sudo vipw
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for raman:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
It asks for the password every time, which is irritating, na...?
To disable the password prompt:
[root@rhel7-server ~]# visudo
Added the following entry at the end:
%admins1 ALL=(ALL) NOPASSWD: ALL      <--
This gives root access to the members of group "admins1" and also disables the password prompt.
Now I am trying to edit the following file as user "raman":
[raman@rhel7-server ~]$ vi /etc/sysconfig/network-scripts/ifcfg-ens33
Getting error...
"/etc/sysconfig/network-scripts/ifcfg-ens33"
"/etc/sysconfig/network-scripts/ifcfg-ens33" E212: Can't open file for writing
Press ENTER or type command to continue
Now what we can do to give access...
[root@rhel7-server ~]# visudo
Added the following entries...
user3 ALL=(ALL) ALL         <-- "user3" is not in group "admins1"
%admins1 ALL=(ALL) ALL      <-- all users from group "admins1"
[raman@rhel7-server ~]$ sudo vi /etc/sysconfig/network-scripts/ifcfg-ens33
[sudo] password for raman:
#IPV6_PEERDNS=yes           <-- commented by user "raman"
#IPV6_PEERROUTES=yes        <-- commented by user "raman"
ALL=(ALL) ALL
What does it mean?
The user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.
1. root : This is the user(s) to whom the following "items" apply
2. ALL : This is the place(s) where the "sudo command" can be launched
3. (ALL) : This is the part that specifies which user(s) you may act as.
4. ALL : This is the command(s) that may be run using the sudo command
The user root (1) can execute ALL commands (4) as ALL users (3) from ALL places (2).
Next, what if I have to give 20 users access to a set of 20 commands?
20 entries, each with 20 commands...?? Right?
Isn't it scary...??
What is the solution?
COMMAND ALIAS………………………………………………….
User_Alias
Cmnd_Alias
Host_Alias
Runas_Alias
[root@rhel7-server ~]# visudo
#%admins1 ALL=(ALL) /usr/sbin/fdisk, /usr/sbin/vipw, /usr/sbin/fdisk -l, /usr/sbin/visudo
#user3 ALL=(ALL) ALL
#%admins1 ALL=(ALL) NOPASSWD: ALL
Cmnd_Alias TRAIN = /usr/bin/nice, /usr/bin/kill
User_Alias TRAINUSER = araman, user3, raman
TRAINUSER ALL=TRAIN
[raman@rhel7-server ~]$ ps -ef |grep -i cron
root       685     1  0 Dec27 ?        00:00:03 /usr/sbin/crond -n
raman    18161 17493  0 19:05 pts/1    00:00:00 grep --color=auto -i cron
[raman@rhel7-server ~]$ kill -9 685
-bash: kill: (685) - Operation not permitted
[raman@rhel7-server ~]$ sudo kill -9 685
[sudo] password for raman:
[raman@rhel7-server ~]$ kill -9 685
-bash: kill: (685) - No such process
[raman@rhel7-server ~]$ ps -ef |grep -i cron
raman    18179 17493  0 19:06 pts/1    00:00:00 grep --color=auto -i cron
[raman@rhel7-server ~]$
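As an added example (not sudo's own code), here is a Python evaluator for sudoers entries like the ones in these notes; it expands User_Alias/Cmnd_Alias, honours %group and NOPASSWD, and applies two sudo rules worth knowing: a command listed without arguments matches any arguments (so the separate "/usr/sbin/fdisk -l" entry above is redundant), and when several entries match, the last one decides. Host and Runas fields are assumed to be ALL; the group membership and sudoers text are constructed from the steps above.

```python
"""Evaluate sudoers entries like those in these notes (added example, not sudo's
own code): aliases, %group specs, NOPASSWD, sudo's argument rule (a bare path
matches any arguments, a path with arguments matches exactly) and last-match-wins."""
import shlex

GROUPS = {"admins1": {"raman", "user1", "araman"}}   # constructed membership

def parse_sudoers(text):
    user_aliases, cmd_aliases, specs = {}, {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        kind, rest = line.split(None, 1)
        if kind in ("User_Alias", "Cmnd_Alias"):
            name, members = (s.strip() for s in rest.split("=", 1))
            table = user_aliases if kind == "User_Alias" else cmd_aliases
            table[name] = [m.strip() for m in members.split(",")]
            continue
        cmds = rest.split("=", 1)[1].strip()        # drop host list (assumed ALL)
        if cmds.startswith("("):                    # drop (runas), assumed ALL
            cmds = cmds.split(")", 1)[1].strip()
        nopasswd = cmds.startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds[len("NOPASSWD:"):]
        cmd_list = [x for c in cmds.split(",") for x in cmd_aliases.get(c.strip(), [c.strip()])]
        specs.append((user_aliases.get(kind, [kind]), cmd_list, nopasswd))
    return specs

def _user_in(who_list, user):
    return any(w in ("ALL", user) or
               (w.startswith("%") and user in GROUPS.get(w[1:], set()))
               for w in who_list)

def _cmd_matches(pattern, argv):
    pat = shlex.split(pattern)      # bare path: any args; "fdisk -l": exact args
    return pattern == "ALL" or (pat[0] == argv[0] and (len(pat) == 1 or pat[1:] == argv[1:]))

def can_run(specs, user, command):
    """Return (allowed, password_required) for user running command."""
    argv, verdict = shlex.split(command), (False, True)
    for who_list, cmd_list, nopasswd in specs:
        if _user_in(who_list, user) and any(_cmd_matches(c, argv) for c in cmd_list):
            verdict = (True, not nopasswd)            # later matches override
    return verdict

SUDOERS = """# constructed from the entries in the notes above
araman ALL=(ALL) /usr/sbin/fdisk, /usr/sbin/vipw, /usr/sbin/fdisk -l, /usr/sbin/visudo
Cmnd_Alias TRAIN = /usr/bin/nice, /usr/bin/kill
User_Alias TRAINUSER = araman, user3, raman
TRAINUSER ALL=TRAIN
"""
```

Appending the notes' "%admins1 ALL=(ALL) NOPASSWD: ALL" line lets can_run show that every admins1 member then runs any command without a password, which is why that entry is equivalent to handing out root.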
Where can I check the logs...??
/var/log/secure
[root@rhel7-server ~]# cat /var/log/secure
Dec 26 17:29:29 rhel7-server sshd[13310]: Accepted password for root from 192.168.234.1 port 1294 ssh2
Dec 26 17:29:30 rhel7-server sshd[13310]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 26 17:49:03 rhel7-server sshd[13574]: Accepted password for root from 192.168.234.1 port 1618 ssh2
Dec 26 17:49:04 rhel7-server sshd[13574]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 26 17:50:04 rhel7-server sshd[13627]: Accepted password for araman from 192.168.234.1 port 1622 ssh2
Dec 26 17:50:04 rhel7-server sshd[13627]: pam_unix(sshd:session): session opened for user araman by (uid=0)
Dec 26 17:50:10 rhel7-server sshd[13627]: pam_unix(sshd:session): session closed for user araman
Dec 26 17:50:13 rhel7-server sshd[13574]: pam_unix(sshd:session): session closed for user root
Dec 26 17:56:58 rhel7-server sshd[11355]: pam_unix(sshd:session): session closed for user root
Dec 26 18:10:33 rhel7-server useradd[14000]: new group: name=raman, GID=1001
Dec 26 18:10:33 rhel7-server useradd[14000]: new user: name=raman, UID=1001, GID=1001, home=/home/raman, shell=/bin/bash
Dec 26 18:10:44 rhel7-server passwd: pam_unix(passwd:chauthtok): password changed for raman
Dec 26 18:10:44 rhel7-server passwd: gkr-pam: couldn't update the login keyring password: no old password was entered
Dec 26 18:15:36 rhel7-server unix_chkpwd[14064]: password check failed for user (raman)
Dec 26 18:15:36 rhel7-server sshd[14062]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.234.1 user=raman
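As an added example (not part of these notes), the Python below summarises records like those above from /var/log/secure: accepted SSH logins per user and source host, pam_unix authentication failures, accounts created by useradd, and root logins by password, which a defender would want to flag. The sample lines are constructed from the excerpt above.

```python
"""Summarise login activity in /var/log/secure (added example, not from the
notes).  It recognises sshd 'Accepted', pam_unix 'authentication failure'
and useradd 'new user' records; the sample lines are constructed from the
excerpt above."""
import re
from collections import defaultdict

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
FAILURE = re.compile(r"pam_unix\(\w+:auth\): authentication failure;.*rhost=(\S*) user=(\S+)")
NEWUSER = re.compile(r"useradd\[\d+\]: new user: name=(\S+), UID=(\d+)")

def summarise(lines):
    """Return counters per user plus the accounts created in this window."""
    report = {"accepted": defaultdict(int), "failed": defaultdict(int),
              "hosts": defaultdict(set), "created": [], "root_pw_logins": 0}
    for line in lines:
        if m := ACCEPTED.search(line):
            method, user, host = m.groups()
            report["accepted"][user] += 1
            report["hosts"][user].add(host)
            if user == "root" and method == "password":   # worth flagging
                report["root_pw_logins"] += 1
        elif m := FAILURE.search(line):
            host, user = m.groups()
            report["failed"][user] += 1
            report["hosts"][user].add(host)
        elif m := NEWUSER.search(line):
            report["created"].append((m.group(1), int(m.group(2))))
    return report

def suspicious(report):
    """Users seen failing authentication without any accepted login."""
    return sorted(u for u in report["failed"] if u not in report["accepted"])

# Constructed sample, copied from the /var/log/secure excerpt above
SAMPLE = """\
Dec 26 17:29:29 rhel7-server sshd[13310]: Accepted password for root from 192.168.234.1 port 1294 ssh2
Dec 26 17:49:03 rhel7-server sshd[13574]: Accepted password for root from 192.168.234.1 port 1618 ssh2
Dec 26 17:50:04 rhel7-server sshd[13627]: Accepted password for araman from 192.168.234.1 port 1622 ssh2
Dec 26 18:10:33 rhel7-server useradd[14000]: new user: name=raman, UID=1001, GID=1001, home=/home/raman, shell=/bin/bash
Dec 26 18:15:36 rhel7-server unix_chkpwd[14064]: password check failed for user (raman)
Dec 26 18:15:36 rhel7-server sshd[14062]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.234.1 user=raman
""".splitlines()
```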