Embracing sudo
Sudo is a wonderful utility with a lot of flexibility. However, that flexibility comes at a price, mainly in the form of rough edges. Here are a few things that I've done to remove those rough edges and embrace sudo to benefit from it's flexibility.
- Gaining an understanding of what sudo is and is not.
- Using the PAM module for authentication with ssh-agent.
- Environment customizations to simplify / mask interactions with sudo.
To gain an understanding of what sudo is and is not, I highly recommend you read Michael W Lucas's Sudo Mastery. (See my Sudo Mastery post for more details.) You can always pick up a lot of very detailed information on sudo from the official Sudo Main Page. Last but not least there is the sudo man (8) page. I'd also recommend that you spend some time playing with sudo and the sudoers file on a non-critical system. Nothing teaches quite like experience.
One of the biggest game changers for me, as far as security is concerned, is using a the PAM module for authentication with the ssh-agent. With the PAM module installed and configured, sudo can authenticate using your ssh key(s). This means that you can take full advantage of sudo without being prompted for a password while still having the same level of security as if you were prompted for a password. (Because in effect you were. Or said another way, your ssh-agent was on your behalf.)
To install the PAM module for authentication with ssh-agent on RHEL / CentOS, run the following command:
yum install pam_ssh_agent_auth
To configure the PAM module for authentication with ssh-agent, edit your /etc/pam.d/sudo and /etc/pam.d/sudo-i files so that they look like the following.
#%PAM-1.0 auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke session required pam_limits.so
#%PAM-1.0 auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys auth include sudo account include sudo password include sudo session optional pam_keyinit.so force revoke session required pam_limits.so
Now that you are able to use the PAM module for authentication with ssh-agent, let's remove some of the other rough(er) edges from using sudo. I find it very annoying to have to type "sudo" in front of commands that I routinely use that require root privileges.
sudo yum check-update
So, being the unix user that I am and believing in customizing my environment the way that I do, I created an alias so that I don't have to type "sudo".
alias yum='/usr/bin/sudo /usr/bin/yum'
With this alias and (many) others like it, I can now happily and easily issue commands that I routinely use that require root privileges from my normal user account with out any problems.
One final thing that I've wondered about doing for other users, specifically DBAs that need to run commands as the Oracle user. This means that the Oracle DBA(s) could log in with their individual IDs and be able to run Oracle commands as if they were the oracleUser.
alias crsctl="/usr/bin/sudo -u oracleUser /u01/app/11.2.0.3/grid/bin/crsctl"
Customizing the environment removes some of the rough(er) edges from using sudo, if not making it faster and easier (lack of password prompts, having to change users, etc) and retains the benefit of running commands through sudo. Specifically, sudo's granular control over commands and it's logging (to a file that can't be edited like shell history files can).