http://solaris-unlimited.blogspot.co.id/2013/12/configuring-su...
Solaris Unlimited
Substitute User Do (sudo): a normal user is granted the privilege to execute chosen root-owned commands (based on the user's day-to-day role) that reside under the /usr/sbin directory.
Why SUDO?
1. Delegating chosen root-owned commands to a privileged user reduces root's load and adds a security feature: the privileged user can execute only the commands granted.
2. If a virus, worm or malicious script tries to run on a Unix system, it cannot gain the necessary privileges without the user typing sudo. This prevents a lot of malware from running without notifying the user.
3. Another nice thing about sudo is that I type in MY password, not root's, to gain root privileges. So if my account gets compromised, we still have not compromised the root account.
4. It logs both successful and failed command executions, leaving a track for the event record.
And now, why SUDO on Solaris 10? Does Solaris 10 come with such a feature?
Yes. Solaris 10 has such a feature: RBAC (Role Based Access Control).
The SUDO packages have to be downloaded and installed manually on Solaris 10, as they are NOT available on the Solaris 10 OS installation media. (SUDO is available by default in Solaris 11.)
From my perspective, even though RBAC has more features and a more secure password scheme (in RBAC, roles do have a password, so the user needs the login password and the role password to execute the granted commands), administering RBAC is more complex than SUDO.
With SUDO, /usr/local/etc/sudoers is the only configuration file that has to be configured or modified.
Whereas RBAC involves the /etc/user_attr, /etc/security/auth_attr, /etc/security/prof_attr and /etc/security/exec_attr files.
libgcc-3.4.6-sol10-x86-local.gz
gcc-3.4.6-sol10-x86-local.gz
libintl-3.4.0-sol10-x86-local.gz
db-4.2.52.NC-sol10-intel-local.gz
make-3.82-sol10-x86-local.gz
wget-1.12-sol10-x86-local.gz
sudo-1.7.4p4-sol10-x86-local.gz
TCMsudo-1.7.4p4-i386.pkg.gz
sudo-1.6.9p23.tar
SUDO packages to be installed on SPARC:
libiconv-1.13.1-sol10-sparc-local.gz
libgcc-3.4.6-sol10-sparc-local.gz
gcc-3.4.6-sol10-sparc-local.gz
libintl-3.4.0-sol10-sparc-local.gz
db-4.2.52.NC-sol10-sparc-local.gz
make-3.82-sol10-sparc-local.gz
sudo-1.7.4p4-sol10-sparc-local.gz
TCMsudo-1.7.4p4-sparc.pkg
sudo-1.6.9p23.tar
zlib-1.2.5-sol10-sparc-local.gz
How?
I recommend installing the downloaded packages in the following order:
bash-3.00# pkgadd -d libiconv-1.13.1-sol10-x86-local
bash-3.00# pkgadd -d libgcc-3.4.6-sol10-x86-local
bash-3.00# pkgadd -d gcc-3.4.6-sol10-x86-local
The /usr/local/etc/sudoers file is generated only after the above 2 packages have been installed successfully.
bash-3.00# cd sudo-1.6.9p23
bash-3.00# ls configure
configure
10/6/15, 11:08 AM
## or netgroups.
# User_Alias
Guys, kindly note that the User_Alias, Cmnd_Alias and Host_Alias variable names should NOT be the same.
## Cmnd alias specification
##
## Groups of commands.
# Cmnd_Alias
#
Where
Cmnd_Alias is the keyword stating that we are defining command alias names.
USERAMIN and SYSADMIN_CMDS are the command alias variables.
A command alias variable is mapped to several commands (here, for instance: /usr/sbin/useradd, /usr/bin/passwd, /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/init, /usr/sbin/shutdown, /usr/sbin/reboot, /usr/sbin/halt).
Where
New_User = Existing user login name
ALL = Terminals the user can execute from
followed by the commands the user is granted to execute, or a command alias (all the commands mapped to the command alias can be executed by the user).
Note:
1. By default, the sudo command caches the password for 5 min for each command, so it's not necessary to enter the password again for the same command until the cached password expires.
2. The /etc/sudoers file is read each time a command is executed. Modifications (restricting/adding commands for an existing user) made to the /etc/sudoers file come into effect immediately.
3. If you do not want the user to be asked for their password when running sudo:
USER ALL=(ALL) NOPASSWD: ALL
Possible, but not a good idea! :)
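As an added example (not part of the original post), the script below lists every active rule in a sudoers file that carries the NOPASSWD tag, so entries like the one in note 3 can be found and reviewed. The sample content, the user names and the USER_CMDS alias are constructed for illustration; SYSADMIN_CMDS reuses the alias name mentioned above.

```shell
#!/bin/sh
# Added example: report sudoers rules that skip the password prompt.

# Constructed sample sudoers content (users and USER_CMDS are illustrative).
sample_sudoers() {
    cat <<'EOF'
# Constructed sample for the audit below.
Cmnd_Alias USER_CMDS = /usr/sbin/useradd, /usr/sbin/usermod, \
                       /usr/sbin/userdel
Cmnd_Alias SYSADMIN_CMDS = /usr/sbin/shutdown, /usr/sbin/reboot
# bob ALL=(ALL) NOPASSWD: ALL
alice ALL = USER_CMDS
bob   ALL = (ALL) NOPASSWD: ALL
carol ALL = SYSADMIN_CMDS, \
            NOPASSWD: /usr/sbin/halt
dave  ALL = USER_CMDS   # NOPASSWD: dropped after review
EOF
}

# Print "<first line number>: <rule>" for each active rule tagged NOPASSWD.
# Reads the named file, or stdin when no file is given.
audit_nopasswd() {
    awk '
    {
        if (!joining) start = NR          # remember where the rule begins
        line = buf $0
        if (line ~ /\\$/) {               # trailing backslash: rule continues
            buf = substr(line, 1, length(line) - 1)
            joining = 1
            next
        }
        buf = ""; joining = 0
        # Drop comments; "#" followed by a digit is a uid/gid, not a comment.
        sub(/#([^0-9].*)?$/, "", line)
        if (line ~ /NOPASSWD[ \t]*:/) {
            gsub(/[ \t]+/, " ", line)     # collapse whitespace for display
            sub(/ $/, "", line)
            print start ": " line
        }
    }' "$@"
}

# Demo on the constructed sample; on the system from the post you would run:
#   audit_nopasswd /usr/local/etc/sudoers
sample_sudoers | audit_nopasswd
```

The commented-out rule and the trailing comment on the last line are ignored, while the rule split across two lines with a backslash is still reported.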
By default, all activity performed through sudo is logged to the /var/adm/messages file.
However, this can be customized: sudo can log to a specific file. Make sure that the file is created and granted valid file permissions.
Here, I'm customizing sudo to log to the file /var/log/sudo_log:
# Defaults log_output
Defaults logfile=/var/log/sudo_log
(Output Truncated)
From the above logs, it's very clear that both successful and failed events are logged.
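Since the log output itself is truncated above, here is an added example (not from the original post) that turns a sudo logfile into one record per event, so refused attempts can be filtered out for review. The sample entries and user names are constructed, and the parser assumes the log_host option is off.

```shell
#!/bin/sh
# Added example: turn a sudo logfile into one tab-separated record per event.

# Constructed sample in the layout sudo writes to its logfile; long entries
# wrap onto indented continuation lines.
sample_sudo_log() {
    cat <<'EOF'
Dec 10 11:02:14 : alice : TTY=pts/1 ; PWD=/export/home/alice ; USER=root ;
    COMMAND=/usr/sbin/useradd -m -d /export/home/testuser testuser
Dec 10 11:05:40 : alice : command not allowed ; TTY=pts/1 ;
    PWD=/export/home/alice ; USER=root ; COMMAND=/usr/sbin/format
Dec 10 11:09:03 : bob : 3 incorrect password attempts ; TTY=pts/2 ;
    PWD=/export/home/bob ; USER=root ; COMMAND=/usr/sbin/reboot
Dec 10 11:12:51 : carol : user NOT in sudoers ; TTY=pts/3 ; PWD=/tmp ;
    USER=root ; COMMAND=/usr/bin/passwd
EOF
}

# Emit "STATUS<TAB>user<TAB>reason<TAB>command" for every logged event.
# STATUS is OK for a command that ran and FAIL for anything sudo refused.
# Assumes log_host is off, so accepted entries start with TTY=.
sudo_log_events() {
    awk '
    function emit(   i, rest, user, reason, cmd) {
        if (rec == "") return
        i = index(rec, " : ");  rest = i ? substr(rec, i + 3) : ""  # drop date
        i = index(rest, " : "); user = substr(rest, 1, i - 1)
        rest = substr(rest, i + 3)
        rec = ""
        if (i == 0) return                       # not a sudo entry
        cmd = rest
        if (!sub(/^.*COMMAND=/, "", cmd)) cmd = "-"
        if (rest ~ /^TTY=/) {                    # no refusal text in front
            printf "OK\t%s\t-\t%s\n", user, cmd
        } else {
            reason = rest; sub(/ ;.*$/, "", reason)
            printf "FAIL\t%s\t%s\t%s\n", user, reason, cmd
        }
    }
    /^[ \t]/ { sub(/^[ \t]+/, ""); rec = rec " " $0; next }  # continuation
    { emit(); rec = $0 }
    END { emit() }' "$@"
}

# Demo: show only refused attempts from the constructed sample. For the file
# configured in the post: sudo_log_events /var/log/sudo_log | grep "^FAIL"
sample_sudo_log | sudo_log_events | grep "^FAIL"
```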
Now I guess that we are a bit familiar with the configuration of sudo and its features.
Even though RBAC has some hurdles, let me come up with the RBAC configuration in my next post :)!!!
2 comments:
Anonymous, September 25, 2014 at 10:00 AM
Freeware is not working to download, can you suggest a different source to download the sudo packages
Manickam Kamalakkannan
Hi Anonymous, I am still able to find and download the packages from the link. Please try again. Try these links too:
http://sunfreeware.saix.net/
http://www.sudo.ws/
Good Luck.
Copyright
The contents of this page are not affiliated with Sun Microsystems / Oracle Corporation affiliates. Any tips/information offered up here can be followed at your own risk. I will not be responsible for any loss of data, time, or any other damage occurred by following any information on this page. They seemed to work for me, but your mileage may vary.
2009 Manickam Kamalakkannan