Monday, May 11, 2015

Notes about Administrator Users in CentOS/RHEL 7

1. To prevent anyone, including yourself, from logging in directly as root, set root's shell in the /etc/passwd file to /sbin/nologin.

2. To limit which users can run the su command, add the administrators to the admin group called "wheel":
# usermod -aG wheel behnam
(The -a flag appends wheel to the user's existing supplementary groups; a plain -G would replace them.) Then allow only these admin users to run su by editing the PAM config file for su, /etc/pam.d/su, and uncommenting the following line by removing the hash mark:

  auth           required        pam_wheel.so use_uid

3. Only the users listed in the /etc/sudoers file can use the sudo command.

Note: Each successful authentication by sudo will be logged to /var/log/messages, and the command issued by the user will be logged to the /var/log/secure logfile.

The main advantage of sudo is that different users can be given access to only specific commands, based on their permissions. You can edit /etc/sudoers with the visudo command to do this.

For example, to give a user full privileges, run visudo and add the following line in the user privilege section:

  behnam ALL=(ALL) ALL

This means behnam can now use the sudo command from any host and execute any command.

Or, by adding the following line to the sudoers file in /etc:

  %users localhost=/sbin/shutdown -r now

any member of the users group can run /sbin/shutdown -r now, as long as the command is entered through the console.

In CentOS, sudo caches a successful authentication for just 5 minutes; if you run sudo again during this period, it will not prompt for a password. This setting can be changed by adding the following line to the sudoers file in /etc:

  Defaults    timestamp_timeout=value

Setting the value to 0 makes sudo require a password every time.

Very important: if a user account with sudo privileges is compromised, the attacker/cracker can use sudo to open a new shell with full rights by typing the following command:
# sudo /bin/bash

Opening such a root shell gives the attacker/cracker administrative access forever!
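To check the three controls above (root's shell, the pam_wheel line for su, and the sudoers timeout plus full-privilege entries) on a box, here is a small audit script written for these notes; it is an added example, not from the original post, and the passwd, pam.d/su and sudoers files it reads are constructed samples in a temp directory, so point the functions at the real /etc paths to audit a live system.

```shell
#!/bin/sh
# Added audit example: checks root's shell, whether su is restricted to wheel,
# the sudo timestamp_timeout, and who holds "ALL=(ALL) ALL" (i.e. can run sudo /bin/bash).
set -u
TMP=$(mktemp -d)

# Constructed /etc/passwd sample: root still has a login shell (the notes advise /sbin/nologin).
cat >"$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
behnam:x:1000:1000::/home/behnam:/bin/bash
EOF

# Constructed /etc/pam.d/su sample with the pam_wheel line still commented out.
cat >"$TMP/su" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
#auth        required    pam_wheel.so use_uid
auth        substack    system-auth
EOF
# The same file after the fix from step 2 (hash mark removed).
sed 's/^#auth/auth/' "$TMP/su" >"$TMP/su.fixed"

# Constructed sudoers sample using the entries discussed in the notes.
cat >"$TMP/sudoers" <<'EOF'
Defaults    timestamp_timeout=0
behnam ALL=(ALL) ALL
%users localhost=/sbin/shutdown -r now
EOF

# Print root's login shell from a passwd file.
root_shell() { awk -F: '$1=="root"{print $7}' "$1"; }

# Succeed only if an uncommented "auth required pam_wheel.so" line is present.
pam_wheel_enabled() { grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"; }

# Print the effective timestamp_timeout in minutes (sudo's default is 5 when unset).
sudo_timeout() {
  v=$(sed -n 's/^[[:space:]]*Defaults[[:space:]]*timestamp_timeout=\([0-9-]*\).*/\1/p' "$1" | tail -n1)
  echo "${v:-5}"
}

# Print each user or %group granted ALL=(ALL) ALL or ALL=(ALL:ALL) ALL.
full_sudo_entries() { awk '$2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $3=="ALL" {print $1}' "$1"; }

printf 'root shell: %s\n' "$(root_shell "$TMP/passwd")"
if pam_wheel_enabled "$TMP/su"; then echo "su: restricted to wheel"; else echo "su: NOT restricted to wheel"; fi
printf 'sudo timestamp_timeout: %s min\n' "$(sudo_timeout "$TMP/sudoers")"
printf 'full sudo rights: %s\n' "$(full_sudo_entries "$TMP/sudoers" | tr '\n' ' ')"
```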
