Running sudo: Examples

The sudo command in action under CentOS. sudo -l shows the commands user chris is allowed to run as root.

In the previous article, we configured sudo to allow user chris root privileges for the ifconfig, kill and ls commands. If chris wants to run these commands, he must first enter the sudo command, and then his password. To see if it works, do the following:

  1. Log in as user chris.
  2. To find out what commands chris has root access to, enter this:
    sudo -l
  3. If this is your first time running sudo as user chris, a warning will display:
    We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things.
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
  4. A password prompt appears. Do not enter the root password. Enter chris’s password.
  5. The commands that chris is allowed to run on this host are listed.
  6. To test your sudo configuration, you can run an ifconfig option that requires root permission without using sudo. Enter:
    /sbin/ifconfig eth0 down
    Permission is denied because chris is not allowed to deactivate the system’s eth0 interface.
  7. To deactivate the interface, chris must use sudo. Enter:
    sudo /sbin/ifconfig eth0 down
    You will be successful. Please note that sudo will ask for chris’s password if chris’s ticket has expired (the default is five minutes). If you run this command within five minutes from the last time, you will not be prompted for a password.
  8. Reactivate the interface by typing:
    sudo /sbin/ifconfig eth0 up
  9. Next, restart one of the httpd processes using the kill command by entering:
    ps aux | grep httpd
  10. Choose an Apache PID from the list that appears (if Apache is not installed, select a different service process to restart). Enter:
    kill -HUP (PID NUMBER)
  11. You are not allowed to restart the httpd process because you are not root.
  12. Instead, use sudo to run the command as root by entering:
    sudo kill -HUP (PID NUMBER)
    You should be successful.

  13. Next, list the root directory as chris using the ls command. Enter:
    ls /root
    Permission is denied because you are not root.
  14. Again, use sudo to run the command as root:
    sudo ls /root
    Permission is granted and the root user’s directory is displayed.
  15. To expire chris’s timestamp, enter the command sudo -k. Chris will have to enter a password the next time he uses sudo.
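The walkthrough above relies on reading the `sudo -l` listing by eye. As an added example (not part of the original article), the script below parses that listing so the grant can be checked in a script; the sample output and the absolute command paths are constructed assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `sudo -l` output for the rule the article describes.
# The absolute paths are assumptions (typical CentOS locations).
SAMPLE_SUDO_L='Matching Defaults entries for chris on this host:
    requiretty, env_reset

User chris may run the following commands on this host:
    (root) /sbin/ifconfig, /bin/kill, /bin/ls'

# Read `sudo -l` output on stdin; print one granted command spec per line.
list_sudo_commands() {
    awk '
        /may run the following commands/ { in_list = 1; next }
        in_list && /^[ \t]+\(/ {
            sub(/^[ \t]+\([^)]*\)[ \t]*/, "")            # drop the "(root)" run-as part
            n = split($0, specs, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                sub(/^([A-Z_]+:[ \t]*)+/, "", specs[i])  # drop tags such as NOPASSWD:
                if (specs[i] != "") print specs[i]
            }
        }'
}

# Exit 0 if the absolute path $1 is among the granted commands on stdin.
is_granted() {
    list_sudo_commands |
        awk -v want="$1" '{ split($0, w, " "); if (w[1] == want) ok = 1 } END { exit !ok }'
}

# Print granted commands that carry no argument restriction. sudoers accepts
# any arguments for these, which is why `sudo ls /root` succeeds above.
unrestricted_args() {
    list_sudo_commands | awk 'NF == 1 { print $1 }'
}

# Demo on the constructed sample; on a real host use: sudo -l | unrestricted_args
printf '%s\n' "$SAMPLE_SUDO_L" | unrestricted_args
```

All three commands in the sample are reported, because a sudoers entry that names only the program lets the user supply any arguments to it.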





Admin Access Options in pfSense

In this follow-up to a previous article on webConfigurator options, I will look at the other Admin Access options you can configure by navigating to System -> Advanced and clicking on the Admin Access tab.

Admin Access Options: Secure Shell

SSH and serial port options in advanced settings in pfSense 2.0.

Under the “Secure Shell” heading, the first check box, “Enable Secure Shell”, enables you to log in to the admin console via SSH. A terminal emulator such as xterm or Konsole (or PuTTY under Windows) can be used to log in. The next check box, “Disable password login for Secure Shell (RSA/DSA key only)”, allows you to log in with a public/private key pair instead of a password. Describing in depth how to do this is beyond the scope of this article (I have provided more detailed instructions in my article on SSH server configuration), but there are three basic steps. First, you need to generate a public/private key pair using a utility such as ssh-keygen or PuTTYGen. Second, you need to check the “Disable password login for Secure Shell” check box and save the settings. Third, you need to navigate to System -> User Manager, edit the settings for the admin account, paste the newly generated public key into the text box that appears when the “Click to paste an authorized key” check box is checked, and save the settings. Finally, “SSH Port” enables you to change the SSH port (leave it blank for the default of 22). Changing the SSH port is often a good idea, as it makes it less likely that the admin account will be hacked via SSH.
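To confirm that the three steps above took effect, the added example below (not from the original article) checks which authentication methods the SSH server still offers, using the `debug1: Authentications that can continue:` line that `ssh -v` prints. The sample lines are constructed, and the key file name, the address 192.0.2.1 and the function names are assumptions or placeholders.

```shell
#!/bin/sh
# Constructed `ssh -v` debug lines: the first is what a server that still
# accepts passwords reports, the second what a key-only server reports.
SAMPLE_BEFORE='debug1: Authentications that can continue: publickey,password,keyboard-interactive'
SAMPLE_AFTER='debug1: Authentications that can continue: publickey'

# Read `ssh -v` output on stdin; print the offered methods, one per line.
offered_auth_methods() {
    tr -d '\r' |
        sed -n 's/^debug1: Authentications that can continue: //p' |
        head -n 1 | tr ',' '\n'
}

# Exit 0 if key-only, 1 if a password-style method is still offered,
# 2 if the output held no method list (connection failed, -v missing).
password_login_disabled() {
    methods=$(offered_auth_methods)
    [ -n "$methods" ] || return 2
    if printf '%s\n' "$methods" | grep -qxE 'password|keyboard-interactive'; then
        return 1
    fi
    return 0
}

# Step one, generating the key pair (the file name is an assumption); the
# printed public key is what gets pasted in System -> User Manager:
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/pfsense_admin
#   cat ~/.ssh/pfsense_admin.pub
# After saving the settings, probe the firewall (192.0.2.1 is a placeholder):
#   ssh -v -o BatchMode=yes -o PubkeyAuthentication=no admin@192.0.2.1 true 2>&1 |
#       password_login_disabled && echo "key-only login is enforced"

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | password_login_disabled || echo "before: passwords still accepted"
printf '%s\n' "$SAMPLE_AFTER" | password_login_disabled && echo "after: key-only"
```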


Admin Access Options: Serial Port Access

Under the Serial Terminal heading, check the “Serial Terminal” check box to enable console access via the first serial port with settings of 9600 baud/8 bits/no parity/1 stop bit. This will redirect the console output and messages to the serial port, but you can still access the console menu from the internal video card and keyboard. A null modem serial cable or adapter is required to connect to the serial port. Finally, under the Console Options heading, checking the “Password protect the console menu” check box will cause the console to prompt the user for a password before performing admin functions (changes to this option take effect after a reboot).



© 2013 David Zientara. All rights reserved.