Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Mastering Ubuntu Server

You're reading from   Mastering Ubuntu Server Gain expertise in the art of deploying, configuring, managing, and troubleshooting Ubuntu Server

Arrow left icon
Product type Paperback
Published in Dec 2020
Publisher Packt
ISBN-13 9781800564640
Length 702 pages
Edition 3rd Edition
Arrow right icon
Author (1):
Arrow left icon
Jay LaCroix Jay LaCroix
Author Profile Icon Jay LaCroix
Jay LaCroix
Arrow right icon
View More author details
Toc

Table of Contents (26) Chapters Close

Preface 1. Deploying Ubuntu Server 2. Managing Users and Permissions FREE CHAPTER 3. Managing Software Packages 4. Navigating and Essential Commands 5. Managing Files and Directories 6. Boosting Your Command-line Efficiency 7. Controlling and Managing Processes 8. Monitoring System Resources 9. Managing Storage Volumes 10. Connecting to Networks 11. Setting Up Network Services 12. Sharing and Transferring Files 13. Managing Databases 14. Serving Web Content 15. Automating Server Configuration with Ansible 16. Virtualization 17. Running Containers 18. Container Orchestration 19. Deploying Ubuntu in the Cloud 20. Automating Cloud Deployments with Terraform 21. Securing Your Server 22. Troubleshooting Ubuntu Servers 23. Preventing Disasters 24. Another Book You May Enjoy
25. Index

Configuring administrator access with sudo

By now, we've already used sudo quite a few times in this book. At this point, you should already be aware of the fact that sudo allows you to execute commands as if you were logged in as another user, with root being the default. However, we haven't had any formal discussion about it yet, nor have we discussed how to actually modify which of your user accounts are able to utilize sudo.

On all Linux systems, you should protect your root account with a strong password and limit it to be used by as few people as possible. On Ubuntu, the root account is locked anyway, so unless you unlocked it by setting a password, it cannot be used to log in to the system. Using sudo is an alternative to logging in as root to execute commands directly, so you can give your administrators access to perform tasks that require root privileges with sudo without actually giving them your root password or unlocking the root account. In fact, sudo allows you to be a bit more granular. Using root directly is basically all or nothing—if someone knows the root password and the root account is enabled, that person is not limited and can do whatever they want. With sudo, that can also be true, but you can actually restrict some users to use only particular commands and therefore limit the scope of what they are able to do on the system. For example, you could give an admin access to install software updates but not allow them to reboot the server.

By default, members of the sudo group are able to use sudo without any restrictions. Basically, members of this group can do anything root can do (which is everything). During installation, the user account you created was made a member of sudo. To give additional users access to sudo, all you would need to do is add them to the sudo group:

sudo usermod -aG sudo <username>

Not all distributions utilize the sudo group by default, or even automatically install sudo. Other distributions require you to install sudo manually and may use another group (such as wheel) to govern access to sudo.

But again, that gives those users access to everything, and that may or may not be what you want. To actually configure sudo, we use the visudo command. This command assists you with editing /etc/sudoers, which is the configuration file that governs sudo access. Although you can edit /etc/sudoers yourself with a text editor, configuring sudo in that way is strongly discouraged. The visudo command checks to make sure your changes follow the correct syntax and helps prevent you from accidentally destroying the file. This is a very good approach, because if you did make any errors in the /etc/sudoers file, you may wind up in a situation where no one is able to gain administrative control over the server. And while there are ways to recover from such a mistake, it's certainly not a very pleasant situation to find yourself in! So, the takeaway here is never to edit the /etc/sudoers file directly; always use visudo to do so.

Here's an example of the type of warning the visudo command shows when you make a mistake:

Figure 2.13: The visudo command showing an error

If you do see this error, press e to return to edit the file, and then correct the mistake.

The way this works is when you run visudo from your shell, you are brought into a text editor with the /etc/sudoers file opened up. You can then make changes to the file and save it like you would any other text file. By default, Ubuntu opens up the nano text editor when you use visudo. With nano, you can save changes using Ctrl + w, and you can exit the text editor with Ctrl + x.

So visudo allows you to make changes to who is able to access sudo. But how do you actually make these changes? Go ahead and scroll through the /etc/sudoers file that visudo opens and you should see a line similar to the following:

%sudo   ALL=(ALL:ALL) ALL 

This is the line of configuration that enables sudo access to anyone who is a member of the sudo group. You can change the group name to any that you'd like, for example, perhaps you'd like to create a group called admins instead. If you do change this, make sure that you actually create that group and add yourself and your staff to be members of it before you edit the /etc/sudoers file or log off; it would be rather embarrassing if you found yourself locked out of administrator access to the server.

Of course, you don't have to enable access by group. You can actually call out a username instead. With the /etc/sudoers file, groups are preceded by %, while users are not. As an example of this, we also have the following line in the file:

root    ALL=(ALL:ALL) ALL 

Here, we're calling out a username (in this case, root), but the rest of the line is the same as the one I pointed out before. While you can certainly copy this line and paste it one or more times (substituting root for a different username) to grant access to others, using the group approach is really the best way. It's easier to add and remove users from a group (such as the sudo group) than it is to use visudo each time.

So, at this point, you're probably wondering what the options on /etc/sudoers configuration lines actually mean. So far, both examples used ALL=(ALL:ALL) All. In order to fully understand sudo, understanding the other fields is extremely important, so let's go through them (using the root line again as an example).

The first ALL means that root is able to use sudo from any terminal. The second ALL means that root can use sudo to impersonate any other user. The third ALL means that root can impersonate any other group. Finally, the last ALL refers to what commands this user is able to do; in this case, any command he or she wishes.

To help drive this home, I'll give some additional examples. Here's a hypothetical example:

charlie    ALL=(ALL:ALL) /sbin/reboot,/sbin/shutdown 

Here, we're allowing user charlie to execute the reboot and shutdown commands. If user charlie tries to do something else (such as install a package), they will receive an error message:

Sorry, user charlie is not allowed to execute '/usr/bin/apt install tmux' as root on ubuntu. 

However, if charlie wants to use the reboot or shutdown commands on the server, they will be able to do so because we explicitly called out those commands while setting up this user's sudo access. We can limit this further by changing the first ALL to a machine name, in this case, ubuntu, to reference the host name of the server I'm using for my examples. I've also changed the command that charlie is allowed to run:

charlie    ubuntu=(ALL:ALL) /usr/bin/apt 

It's always a good idea to use full paths to commands when editing sudo permissions, rather than the shortened versions. For example, we used /usr/bin/apt here, instead of just apt. This is important, as the user could create a script named apt to do mischievous things that we normally wouldn't allow them to do. By using the full path, we're limiting the user to the binary stored at that path.

Now, charlie is only able to use apt. They can use apt update, apt dist-upgrade, and any other sub-command of apt. But if they try to reboot the server, remove protected files, add users, or anything else we haven't explicitly set, they will be prevented from doing so.

We have another problem, though. We're allowing charlie to impersonate other users. This may not be completely terrible given the context of installing packages (impersonating another user would be useless unless that user also has access to install packages), but it's bad form to allow this unless we really need to. In this case, we could just remove the (ALL:ALL) from the line altogether to prevent charlie from using the -u option of sudo to run commands as other users:

charlie    ubuntu= /usr/bin/apt

On the other hand, if we actually do want charlie to be able to impersonate other users (but only specific users), we can call out the username and group that charlie is allowed to act on behalf of by setting those values:

charlie    ubuntu=(dscully:admins) ALL

In that example, charlie is able to run commands on behalf of the user dscully and the group admins.

Of course, there is much more to sudo than what I've mentioned in this section. Entire books could be written about sudo (and have been), but 99% of what you will need for your daily management of this tool involves how to add access to users while being specific about what each user is able to do. As a best practice, use groups when you can (for example, you could have an apt group, a reboot group, and so on) and be as specific as you can regarding who is able to do what. This way, you're not only able to keep the root account private (or even better, disabled), but you also have more accountability on your servers.

Now that we've explored granting access to sudo, we will next take a look at permissions, which give us even more control over what our users are able to access.

You have been reading a chapter from
Mastering Ubuntu Server - Third Edition
Published in: Dec 2020
Publisher: Packt
ISBN-13: 9781800564640
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime