1
00:00:06,540 --> 00:00:07,620
- Alright, in this video,

2
00:00:07,620 --> 00:00:11,280
we are going to explore some configuration options for sudo.

3
00:00:11,280 --> 00:00:14,340
To start with, there is visudo.

4
00:00:14,340 --> 00:00:19,050
Visudo is opening the /etc/sudoers configuration file

5
00:00:19,050 --> 00:00:21,180
using the default editor.

6
00:00:21,180 --> 00:00:24,630
And in this /etc/sudoers configuration file,

7
00:00:24,630 --> 00:00:28,890
you can create whatever configuration you want.

8
00:00:28,890 --> 00:00:31,890
Alternatively, you can use drop-in files

9
00:00:31,890 --> 00:00:34,920
in the /etc/sudoers.d directory.

10
00:00:34,920 --> 00:00:38,010
That's a generic approach that you will see a lot in Linux.

11
00:00:38,010 --> 00:00:40,290
There's a generic configuration file

12
00:00:40,290 --> 00:00:42,300
but this generic configuration file

13
00:00:42,300 --> 00:00:44,460
is often managed by packages,

14
00:00:44,460 --> 00:00:46,590
which means that if you update your system,

15
00:00:46,590 --> 00:00:50,070
your generic configuration file might also get updated.

16
00:00:50,070 --> 00:00:54,810
And that is why the drop-in directory can be a nice solution.

17
00:00:54,810 --> 00:00:57,930
So the configuration file is corresponding directly.

18
00:00:57,930 --> 00:01:01,260
Typically the name is /etc, name of the file, .d,

19
00:01:01,260 --> 00:01:05,640
you drop a file in there, and it will be considered as well.

20
00:01:05,640 --> 00:01:07,170
And this is the kind of content

21
00:01:07,170 --> 00:01:09,600
that you wanna have in your configuration file.

22
00:01:09,600 --> 00:01:12,090
Like %wheel ALL=(ALL) ALL.

23
00:01:12,090 --> 00:01:15,060
That is what on a RHEL-based system enables sudo access

24
00:01:15,060 --> 00:01:18,603
for all users that are a member of the group wheel.

25
00:01:19,710 --> 00:01:21,030
There's also these other options.
26
00:01:21,030 --> 00:01:22,950
So you will see it commented out

27
00:01:22,950 --> 00:01:26,520
in the sudoers configuration file, %wheel ALL=(ALL)

28
00:01:26,520 --> 00:01:31,350
NOPASSWD: ALL, I am calling it the stupid option

29
00:01:31,350 --> 00:01:36,150
because it grants members of the group wheel

30
00:01:36,150 --> 00:01:38,730
sudo superpowers without the need

31
00:01:38,730 --> 00:01:42,360
to enter a password, and that's very dangerous.

32
00:01:42,360 --> 00:01:44,730
So can you please never use that.

33
00:01:44,730 --> 00:01:49,200
I do get the point why users want to use something like this

34
00:01:49,200 --> 00:01:54,200
because if you use sudo, then there is a credentials cache.

35
00:01:56,400 --> 00:01:57,233
How does it work?

36
00:01:57,233 --> 00:01:58,800
Well, if you type sudo you are prompted

37
00:01:58,800 --> 00:02:00,780
for a password; at the moment that you enter

38
00:02:00,780 --> 00:02:05,780
your sudo-enabled user password, a token is generated

39
00:02:05,880 --> 00:02:09,570
and this token is valid for a few minutes only,

40
00:02:09,570 --> 00:02:11,130
which means that if immediately

41
00:02:11,130 --> 00:02:14,610
after you type a new sudo command, now you're okay.

42
00:02:14,610 --> 00:02:18,510
But if 10 minutes later, you type a new sudo command

43
00:02:18,510 --> 00:02:20,910
you need to enter your password again.

44
00:02:20,910 --> 00:02:23,580
I can get it that people think that is annoying.

45
00:02:23,580 --> 00:02:26,970
And maybe you want to increase the validity

46
00:02:26,970 --> 00:02:28,860
of your token a little bit.

47
00:02:28,860 --> 00:02:31,470
You can do that by including the following line

48
00:02:31,470 --> 00:02:33,930
in your sudoers configuration.

49
00:02:33,930 --> 00:02:37,170
That is Defaults timestamp_type=global,

50
00:02:37,170 --> 00:02:40,140
timestamp_timeout=240.
51
00:02:40,140 --> 00:02:43,320
That will make your token valid for four hours

52
00:02:43,320 --> 00:02:45,810
or the lifetime of your current session.

53
00:02:45,810 --> 00:02:46,770
So what does that mean?

54
00:02:46,770 --> 00:02:49,110
That means if you come to the office in the morning

55
00:02:49,110 --> 00:02:51,300
you need to do many tasks as root

56
00:02:51,300 --> 00:02:53,310
you enter your sudo password once,

57
00:02:53,310 --> 00:02:55,830
you start working, you go have lunch,

58
00:02:55,830 --> 00:02:57,060
you get back from lunch,

59
00:02:57,060 --> 00:02:59,460
you need to enter your sudo password again

60
00:02:59,460 --> 00:03:02,670
and it will be valid for the entire afternoon.

61
00:03:02,670 --> 00:03:05,280
Entering a sudo password every four hours

62
00:03:05,280 --> 00:03:08,820
to me sounds reasonable, entering the sudo password

63
00:03:08,820 --> 00:03:11,430
every five minutes is annoying

64
00:03:11,430 --> 00:03:14,430
and disabling the requirement of using passwords

65
00:03:14,430 --> 00:03:17,130
at all, is just dangerous.

66
00:03:17,130 --> 00:03:18,810
Let's go check out a couple of things

67
00:03:18,810 --> 00:03:20,343
in the sudo configuration.

68
00:03:22,170 --> 00:03:25,050
So to start, I'm using visudo

69
00:03:25,050 --> 00:03:27,330
and oh no, I'm getting permission denied.

70
00:03:27,330 --> 00:03:29,190
Of course, I'm getting permission denied.

71
00:03:29,190 --> 00:03:32,460
I'm running a command to change sudo configuration

72
00:03:32,460 --> 00:03:35,087
so I need sudo visudo.

73
00:03:36,780 --> 00:03:39,843
I'm being prompted for my password and here we can see

74
00:03:39,843 --> 00:03:42,270
that I'm getting in the default editor

75
00:03:42,270 --> 00:03:46,470
which is vi by the way, in CentOS.

76
00:03:46,470 --> 00:03:49,440
The CentOS default file has many comments

77
00:03:49,440 --> 00:03:51,450
to explain how to use it.
78
00:03:51,450 --> 00:03:54,450
The most useful part is all the way down at the bottom.

79
00:03:54,450 --> 00:03:56,520
What do we see all the way down at the bottom?

80
00:03:56,520 --> 00:03:57,990
We see this include there

81
00:03:57,990 --> 00:04:00,000
which is including the directory.

82
00:04:00,000 --> 00:04:02,760
Here we see the line that is making sure

83
00:04:02,760 --> 00:04:06,600
that members of the group wheel can do everything.

84
00:04:06,600 --> 00:04:08,820
And we also see another line.

85
00:04:08,820 --> 00:04:10,710
I like this line and you know what?

86
00:04:10,710 --> 00:04:14,550
I'm going to show you one small modification based

87
00:04:14,550 --> 00:04:16,740
on what we see right here.

88
00:04:16,740 --> 00:04:20,070
I am going to make sure that user Linda

89
00:04:20,070 --> 00:04:25,070
on localhost is allowed to use /usr/bin/passwd.

90
00:04:27,480 --> 00:04:31,080
Just to show you that you can also use sudo privileges

91
00:04:31,080 --> 00:04:33,420
to grant a user access

92
00:04:33,420 --> 00:04:37,080
to one single command or a couple of commands.

93
00:04:37,080 --> 00:04:40,707
Like /usr/sbin/useradd.

94
00:04:41,940 --> 00:04:45,780
So user Linda can do user management, okay,

95
00:04:45,780 --> 00:04:48,930
/usr/sbin/usermod for instance,

96
00:04:48,930 --> 00:04:51,330
three commands for user Linda.

97
00:04:51,330 --> 00:04:56,330
Oh, and also I wanna take care of this authentication token.

98
00:04:56,370 --> 00:05:00,543
So I'm adding Defaults followed by,

99
00:05:01,950 --> 00:05:02,823
timestamp,

100
00:05:04,800 --> 00:05:07,570
timestamp_type=global

101
00:05:08,678 --> 00:05:13,678
and timestamp_timeout

102
00:05:14,070 --> 00:05:16,560
=240.

103
00:05:16,560 --> 00:05:19,080
And in case you are thinking, hey Sandy, you made a typo.

104
00:05:19,080 --> 00:05:20,070
I do that on purpose

105
00:05:20,070 --> 00:05:22,293
because I want to show you what's happening.
106
00:05:23,190 --> 00:05:25,350
So what do we see?

107
00:05:25,350 --> 00:05:26,880
We see, oh no, oh no.

108
00:05:26,880 --> 00:05:31,293
Defaults entry, timestamp timeout, visudo makes sure

109
00:05:31,293 --> 00:05:36,293
that you cannot make any typos in your configuration file.

110
00:05:37,020 --> 00:05:39,120
You get a warning if that is happening.

111
00:05:39,120 --> 00:05:42,810
So it's asking what now, and I don't know what now.

112
00:05:42,810 --> 00:05:44,610
So I just enter the question mark

113
00:05:44,610 --> 00:05:47,550
and then it's telling me which options I've got.

114
00:05:47,550 --> 00:05:50,130
Well, my option is to use e for edit.

115
00:05:50,130 --> 00:05:52,200
There we go, e for edit.

116
00:05:52,200 --> 00:05:55,620
And now I get back to the line that I last edited

117
00:05:55,620 --> 00:05:57,213
and I'm adding the u.

118
00:05:58,290 --> 00:06:01,020
If you use uppercase D to go to the bottom of the line

119
00:06:01,020 --> 00:06:03,420
we still can see user Linda.

120
00:06:03,420 --> 00:06:04,976
So that is good.

121
00:06:04,976 --> 00:06:07,710
Now the sudo configuration has changed.

122
00:06:07,710 --> 00:06:12,510
Now let's test, let's test this user Linda's abilities.

123
00:06:12,510 --> 00:06:16,590
So I'm using sudo passwd on Linda, I never set a password

124
00:06:16,590 --> 00:06:20,400
for user Linda and user root can set passwords.

125
00:06:20,400 --> 00:06:22,380
So in order to do that I first need

126
00:06:22,380 --> 00:06:25,710
to enter my own password and then I can enter

127
00:06:25,710 --> 00:06:28,410
the password for user Linda.

128
00:06:28,410 --> 00:06:30,360
It's complaining that it's a bad password.

129
00:06:30,360 --> 00:06:31,800
I don't care about it.

130
00:06:31,800 --> 00:06:35,130
I like using this password, so here we go.

131
00:06:35,130 --> 00:06:37,440
Now I need to test, how am I going to test?
132
00:06:37,440 --> 00:06:40,920
By opening a shell as user Linda, look at that,

133
00:06:40,920 --> 00:06:42,840
su - Linda.

134
00:06:42,840 --> 00:06:45,870
We'll open a subshell as user Linda.

135
00:06:45,870 --> 00:06:47,760
So I don't need to log out or anything

136
00:06:47,760 --> 00:06:51,990
at this point, I have a shell in which I am user Linda

137
00:06:51,990 --> 00:06:54,853
and user Linda is going to use sudo passwd.

138
00:06:56,730 --> 00:07:00,760
Now let's do sudo useradd Bob

139
00:07:02,583 --> 00:07:05,940
and user Linda is entering the password

140
00:07:05,940 --> 00:07:08,160
and oh, boy, what do we get?

141
00:07:08,160 --> 00:07:11,790
We get, Linda is not allowed to run sudo on CentOS.

142
00:07:11,790 --> 00:07:13,890
This incident will be reported.

143
00:07:13,890 --> 00:07:16,800
What is going on?

144
00:07:16,800 --> 00:07:19,080
Well, we need to investigate

145
00:07:19,080 --> 00:07:24,080
and we need to investigate by doing our sudo visudo again.

146
00:07:25,091 --> 00:07:27,810
And what I don't like about this Linda line,

147
00:07:27,810 --> 00:07:31,500
I don't like the location where we've got it.

148
00:07:31,500 --> 00:07:35,460
So I'm going to move it from the current location

149
00:07:35,460 --> 00:07:37,980
just by deleting it in vi, you can do that.

150
00:07:37,980 --> 00:07:41,220
And I'm going to move it up a little bit.

151
00:07:41,220 --> 00:07:42,990
Here we go, I'm pasting it.

152
00:07:42,990 --> 00:07:45,810
And we are going to try it again.

153
00:07:45,810 --> 00:07:48,900
Also, I'm going to change localhost.

154
00:07:48,900 --> 00:07:51,810
Now that I'm here anyway, I want to change localhost

155
00:07:51,810 --> 00:07:54,600
to ALL, I don't care where user Linda is coming

156
00:07:54,600 --> 00:07:57,540
from, from all hosts she should be able

157
00:07:57,540 --> 00:07:59,520
to run these commands.
158
00:07:59,520 --> 00:08:01,470
And now just to make sure,

159
00:08:01,470 --> 00:08:05,760
we should verify which passwd, /usr/bin/passwd,

160
00:08:05,760 --> 00:08:10,560
that's alright, which useradd, /usr/sbin/useradd.

161
00:08:10,560 --> 00:08:12,000
That's alright as well.

162
00:08:12,000 --> 00:08:16,146
And which usermod, /usr/sbin/usermod.

163
00:08:16,146 --> 00:08:19,320
In sudo you need to be specific about the path.

164
00:08:19,320 --> 00:08:23,190
Now, let me open this user Linda shell again,

165
00:08:23,190 --> 00:08:24,693
su - Linda.

166
00:08:25,980 --> 00:08:27,000
There we go.

167
00:08:27,000 --> 00:08:28,950
I'm typing whoami

168
00:08:28,950 --> 00:08:31,260
and I can see I'm user Linda.

169
00:08:31,260 --> 00:08:35,970
So sudo useradd Bob, is it working now?

170
00:08:35,970 --> 00:08:39,420
Well, let me enter the password and now it is working.

171
00:08:39,420 --> 00:08:41,190
What did we just learn?

172
00:08:41,190 --> 00:08:44,250
We just learnt that in the sudo configuration

173
00:08:44,250 --> 00:08:49,250
you cannot have any additional configuration below the line

174
00:08:49,290 --> 00:08:52,653
that includes /etc/sudoers.d.

175
00:08:54,090 --> 00:08:58,170
Let's do sudo passwd, I'm still user Linda.

176
00:08:58,170 --> 00:09:03,170
So sudo passwd Bob and I am going to set this password

177
00:09:03,600 --> 00:09:04,980
for user Bob.

178
00:09:04,980 --> 00:09:06,360
That's successful.

179
00:09:06,360 --> 00:09:11,360
Now have a look at the following, sudo passwd root.

180
00:09:13,470 --> 00:09:18,470
Changing password for user root, fails the dictionary check

181
00:09:18,717 --> 00:09:23,610
and oh no, Linda just edited the password for user root.

182
00:09:23,610 --> 00:09:25,590
We need to do something about it.

183
00:09:25,590 --> 00:09:26,423
Can we?

184
00:09:26,423 --> 00:09:27,420
Yes, we can.

185
00:09:27,420 --> 00:09:29,010
How are we going to do that?
186
00:09:29,010 --> 00:09:30,330
Well, I am getting back

187
00:09:30,330 --> 00:09:34,200
to my visudo and what am I going to do?

188
00:09:34,200 --> 00:09:37,620
I am going to include one more option.

189
00:09:37,620 --> 00:09:42,620
And that is the option where I'm specifying not,

190
00:09:42,660 --> 00:09:47,660
exclamation mark is for not, !/usr/bin/passwd root.

191
00:09:50,820 --> 00:09:52,199
That's how I want to do it.

192
00:09:52,199 --> 00:09:54,540
So, Linda can run the passwd command

193
00:09:54,540 --> 00:09:57,240
but not /usr/bin/passwd root.

194
00:09:57,240 --> 00:10:00,330
And then we have this /usr/sbin/useradd and so on,

195
00:10:00,330 --> 00:10:01,620
and that is alright.

196
00:10:01,620 --> 00:10:02,910
Now, let me get back

197
00:10:02,910 --> 00:10:07,080
to the Linda shell, su Linda, there we go.

198
00:10:07,080 --> 00:10:12,080
And in the Linda shell I am going to use sudo passwd root

199
00:10:13,590 --> 00:10:18,590
and uh-oh, Linda is not allowed to execute /bin/passwd root

200
00:10:18,630 --> 00:10:20,160
as root on CentOS.

201
00:10:20,160 --> 00:10:23,310
How about sudo passwd Bob?

202
00:10:23,310 --> 00:10:25,650
Changing password for user Bob.

203
00:10:25,650 --> 00:10:28,500
So in sudo, if you are going to work with sudo,

204
00:10:28,500 --> 00:10:31,410
if you are going to create help desk kind of people,

205
00:10:31,410 --> 00:10:34,860
make sure you configure this exclusion

206
00:10:34,860 --> 00:10:37,140
so that the user is not capable

207
00:10:37,140 --> 00:10:41,010
of setting the password for the root user.

208
00:10:41,010 --> 00:10:42,760
And that is how you work with sudo.