[ Acquiring privileges with sudo ]

[01] What is sudo?
[02] Practical use of sudo

[01] What is sudo?

The sudo (superuser do) command lets an ordinary user run a specific command with the privileges of another user. sudo allows only those users permitted in the /etc/sudoers file to run commands as the system's top administrator (superuser), the root user, or as another user. For example, an ordinary user can be allowed to mount a CD-ROM so that they can use it, and a group (the users of a particular administrative group on the system) can be allowed to use commands needed to manage the system, such as the shutdown command.

# su - doom
$ /sbin/shutdown -r now
shutdown: you must be root to do that!

The sudo command must be learned together with the /etc/sudoers file.

[ Note ] To edit the /etc/sudoers file, use one of the two commands below.
# visudo                /* opens /etc/sudoers with the vi command */
# vi /etc/sudoers       /* the two commands above edit the same file */
(visudo additionally locks the file and checks its syntax before saving, which is why the syntax-error prompt appears in the wheel-group exercise later in this handout.)

< Command location > : /usr/bin/sudo
< Usage > :
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-behps] [-p prompt] [-u username|#uid] [VAR=value] {-i | -s | <command>}
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...
[02] Practical use of sudo

Allowing a specific user to run every command on the system

(01) Granting access to the /etc/shadow file

Only the root account can read the /etc/shadow file!
# ls -al /etc/shadow
-r--------  1 root root 1151  8월 31 16:13 /etc/shadow
#                        /* confirm that you are logged in as root */
# su - doom              /* switch to the doom account */
$ id                     /* check your own id */
uid=500(doom) gid=500(doom) groups=500(doom)
$ sudo vi /etc/shadow

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

암호 : itclass           /* enter the doom account's password! */
doom is not in the sudoers file.  This incident will be reported.

The doom user is not configured in /etc/sudoers, so the command is not run.

Checking the log (check the log as root)
# grep sudoers /var/log/secure
Sep 21 14:38:21 localhost sudo: doom : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/doom ; USER=root ; COMMAND=/bin/vi /etc/shadow

< Exercise > Change the configuration so that the doom user can modify the /etc/shadow file
# cp /etc/sudoers /etc/sudoers_old     /* back up the original sudoers */
# vi /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL           /* line 76 */
doom    ALL=(ALL)       ALL           /* added on line 77 in the same form */

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
/* work as shown in the figure */
Log in as doom and check whether the /etc/shadow file can now be edited.
# su - doom
$ sudo vi /etc/shadow
암호 : itclass           /* the doom account's password */
root:$1$76y5lylb$.omw86gnsqliy3lsgjaq70:14484:0:99999:7:::
bin:*:14484:0:99999:7:::
daemon:*:14484:0:99999:7:::
( remainder omitted )

[ Note ] When the "암호 :" (Password:) prompt above appears, it is asking for the doom user's password, not the root user's!

Allowing users registered in a specific group (the wheel group) to mount the CD-ROM

Linux systems have a wheel group by default; its members are mostly users who belong to the "system administration group".
# su - root
암호 : itclass
# grep wheel /etc/group
wheel:x:10:root

Let's first look at what happens when the doom user tries to mount!
# su - doom
$ id
uid=500(doom) gid=500(doom) groups=500(doom)
$ mkdir /mnt/cdrom
mkdir: `/mnt/cdrom' 디렉토리를 만들 수 없습니다: 허가 거부됨     /* cannot create directory: permission denied */

[ Note ] Ordinary users cannot create directories under / (the root directory)!

[ Preparation ] Two remote putty terminal windows are needed: log in to one as root and to the other as user01, and the exercise is easy to follow!

Work after logging in as root
# su - root
# mkdir /mnt/cdrom

Work after logging in as user01
$ su - user01
암호 : itclass
$ sudo mount -t iso9660 /dev/cdrom /mnt/cdrom
mount: 매개물이 없음     /* "no medium found": in VMware, insert the CentOS-5.3-i386-bin-DVD.iso image file or a CD! */
$ sudo mount -t iso9660 /dev/cdrom /mnt/cdrom

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

암호 : itclass           /* the user01 account's password */
user01 is not in the sudoers file.  This incident will be reported.

Work after logging in as root
# visudo                 /* in vi, go to line 84 */
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
%wheel  ALL=/bin/mount -t iso9660 /dev/cdrom /mnt/cdrom,/bin/umount /mnt/cdrom     /* line added */

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

When you finish and save and quit with ":wq!", a syntax error (문법오류) may be reported and you are asked what to do!
>>> sudoers file: syntax error, line 83 <<<
What now?
Options are:
  (e)dit sudoers file again
  e(x)it without saving changes to sudoers file
  (Q)uit and save changes to sudoers file (DANGER!)

What now? e              /* press e and fix the wrong part again! (watch the spacing!) */

[ Additional work ] To use the /bin/mount and /bin/umount commands this way, the user must be registered in the wheel group in the /etc/group file.
# grep wheel /etc/group
wheel:x:10:root
# vi /etc/group           /* in vi, go to line 11 and add the user01 account (separated by a comma in front!) */
kmem:x:9:
wheel:x:10:root,user01
mail:x:12:mail
# grep wheel /etc/group
wheel:x:10:root,user01

Work after logging in as user01
$ sudo mount -t iso9660 /dev/cdrom /mnt/cdrom
암호 : itclass           /* enter the user01 password */
mount: block device /dev/cdrom is write-protected, mounting read-only
$ mount
/dev/sda3 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda8 on /data1 type ext3 (rw)
/dev/sda7 on /data2 type ext3 (rw)
/dev/sda6 on /data3 type ext3 (rw)
/dev/sda5 on /home type ext3 (rw)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
/dev/hdc on /mnt/cdrom type iso9660 (ro)
$ cd /mnt/cdrom
$ ls                     /* check that it was mounted correctly */
CentOS                 RELEASE-NOTES-en_US       RELEASE-NOTES-pt_BR
EULA                   RELEASE-NOTES-en_US.html  RELEASE-NOTES-pt_BR.html
GPL                    RELEASE-NOTES-es          RELEASE-NOTES-ro
NOTES                  RELEASE-NOTES-es.html     RELEASE-NOTES-ro.html
RELEASE-NOTES-cs       RELEASE-NOTES-fr          RPM-GPG-KEY-CentOS-5
RELEASE-NOTES-cs.html  RELEASE-NOTES-fr.html     RPM-GPG-KEY-beta
RELEASE-NOTES-de       RELEASE-NOTES-ja          TRANS.TBL
RELEASE-NOTES-de.html  RELEASE-NOTES-ja.html     images
RELEASE-NOTES-en       RELEASE-NOTES-nl          isolinux
RELEASE-NOTES-en.html  RELEASE-NOTES-nl.html     repodata
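The /var/log/secure line shown in the first exercise is one of two shapes sudo writes: a denied attempt and an allowed one. The script below is an added example, not part of the handout, that pulls the user, target user and command out of such lines and counts the denials; the log lines inside it are constructed samples (the first copied from the page, the rest invented for the demonstration).

```shell
#!/bin/sh
# Added example: summarise sudo events from a /var/log/secure-style file.
# Two line shapes are handled (the first is the one the handout's grep shows):
#   ... sudo: doom : user NOT in sudoers ; TTY=pts/0 ; PWD=... ; USER=root ; COMMAND=/bin/vi /etc/shadow
#   ... sudo: doom : TTY=pts/0 ; PWD=... ; USER=root ; COMMAND=/bin/vi /etc/shadow
# "command not allowed" (user listed, but not for that command) is treated as a denial too.

# Constructed sample log: first line from the handout, the others invented.
sample_sudo_log() {
    cat <<'EOF'
Sep 21 14:38:21 localhost sudo: doom : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/doom ; USER=root ; COMMAND=/bin/vi /etc/shadow
Sep 21 15:02:10 localhost sudo: doom : TTY=pts/0 ; PWD=/home/doom ; USER=root ; COMMAND=/bin/vi /etc/shadow
Sep 21 16:49:06 localhost sudo: user01 : TTY=pts/0 ; PWD=/home/user01 ; USER=root ; COMMAND=/sbin/shutdown -r now
Sep 21 16:55:30 localhost sudo: user01 : command not allowed ; TTY=pts/1 ; PWD=/home/user01 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 21 16:56:01 localhost sshd[2231]: Accepted password for user01 from 192.0.2.10 port 40122 ssh2
EOF
}

# sudo_log_report [file]: prints "<DENIED|ALLOWED> <user> <target-user> <command>"
# for every sudo line; reads stdin when no file is given. Other lines are ignored.
sudo_log_report() {
    awk '
        / sudo(\[[0-9]+\])?: / {
            sub(/^.* sudo(\[[0-9]+\])?: +/, "")      # keep "user : ... ; COMMAND=..."
            n = split($0, f, / ; /)                  # fields are separated by " ; "
            split(f[1], head, / : /)                 # "user : <verdict or TTY=...>"
            user = head[1]
            verdict = (f[1] ~ /NOT in sudoers|command not allowed/) ? "DENIED" : "ALLOWED"
            runas = "?"; cmd = "?"
            for (i = 2; i <= n; i++) {
                if (f[i] ~ /^USER=/)    runas = substr(f[i], 6)
                if (f[i] ~ /^COMMAND=/) cmd   = substr(f[i], 9)
            }
            printf "%s %s %s %s\n", verdict, user, runas, cmd
        }' "${1:--}"
}

# denied_count [file]: number of denied attempts, the figure worth alerting on.
denied_count() {
    sudo_log_report "${1:--}" | grep -c '^DENIED' || :
}

# Demo on the constructed sample.
sample_sudo_log | sudo_log_report
printf 'denied attempts: %s\n' "$(sample_sudo_log | denied_count)"
```

On a real host run it as root against the actual log, e.g. sudo_log_report /var/log/secure.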
Allowing all commands to the members of a specific group

[ Caution ] This can be a dangerous setting, but because it also has its uses, configure it only as a system administrator who understands it well!
# grep wheel /etc/group          /* what is currently configured for the wheel group */
wheel:x:10:root,user01

Switch to the root account and work
$ su - root
암호 : itclass

Let's allow every command to all users who belong to the wheel group above!
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
With the default setting above, sudo still asks for a password when a command is run. With the setting below, the command runs immediately without asking for a password.
# visudo                 /* in vi, go to line 86 */
## Same thing without a password
%wheel  ALL=(ALL)       NOPASSWD: ALL          /* remove the # (comment marker) at the very front of this line! */

# su - user01
$ cat /etc/shadow
cat: /etc/shadow: 허가 거부됨          /* permission denied */
$ sudo cat /etc/shadow
root:$1$76y5lylb$.omw86gnsqliy3lsgjaq70:14484:0:99999:7:::
bin:*:14484:0:99999:7:::
daemon:*:14484:0:99999:7:::
/* confirm that the file is shown immediately without a password prompt */
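The "%wheel ALL=(ALL) NOPASSWD: ALL" line is exactly the kind of grant the [ Caution ] above refers to, so it helps to have a script that lists every active grant of this kind before a sudoers file goes live. The script below is an added example and not the handout's own code; the sudoers fragment inside it is a constructed sample made from the lines used in these exercises, and "visudo -c -f" is assumed to be available on the host for the syntax check.

```shell
#!/bin/sh
# Added example: list the active (non-comment) grants in a sudoers file that
# give ALL commands or carry the NOPASSWD tag, and syntax-check a candidate
# file before it replaces /etc/sudoers.

# Constructed sample built from the lines used in this handout.
sample_sudoers() {
    cat <<'EOF'
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
doom    ALL=(ALL)       ALL
Defaults    env_keep = "COLORS DISPLAY HOSTNAME \
                        LS_COLORS MAIL PS1 LC_ALL"
# %wheel        ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
%wheel  ALL=/bin/mount -t iso9660 /dev/cdrom /mnt/cdrom,/bin/umount /mnt/cdrom
%wheel  localhost=/sbin/shutdown -r now
EOF
}

# audit_sudoers [file]: prints "<reasons>: <line>" for each risky grant (stdin if no file).
# Skips comments, blank lines, Defaults/alias definitions and backslash continuations.
audit_sudoers() {
    awk '
        cont { cont = ($0 ~ /\\$/); next }          # continuation of the previous line
        { cont = ($0 ~ /\\$/) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*(Defaults|Host_Alias|User_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        {
            reason = ""
            if ($0 ~ /NOPASSWD:/) reason = "NOPASSWD"
            if ($0 ~ /(^|[^A-Za-z_])ALL[ \t]*$/)        # command list ends in ALL
                reason = reason (reason == "" ? "" : ",") "ALL-COMMANDS"
            if (reason != "") printf "%s: %s\n", reason, $0
        }' "${1:--}"
}

# check_sudoers_syntax file: non-interactive form of the check visudo runs on
# save (assumes visudo with -c and -f is installed here). Exit status 0 = OK.
check_sudoers_syntax() {
    visudo -c -f "$1"
}

# Demo on the constructed sample: expect root, doom and the NOPASSWD wheel line.
sample_sudoers | audit_sudoers
```

Run check_sudoers_syntax on a copy such as /etc/sudoers_old before copying it back over /etc/sudoers, as the restore step at the end of this handout does.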
Granting the system shutdown command to the users of a specific group

Let's configure the shutdown command, which only the root account could run, so that every user in the wheel group can run it!
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# vi /etc/sudoers
#2009-10-28 edited by leesangchul
%wheel  localhost=/sbin/shutdown -r now       /* add the two lines above at the end of the file */
# grep wheel /etc/group
wheel:x:10:root,user01
# su - user01
$ reboot
reboot: must be superuser.
$ sudo /sbin/shutdown -r now

Broadcast message from root (pts/0) (Mon Sep 21 16:49:06 2009):

The system is going down for reboot NOW!

Restoring the original
# ls -al /etc/sudoers*
-r--r-----  1 root root 3183  9월 30 12:50 /etc/sudoers
-r--r-----  1 root root 3183  9월 30 12:52 /etc/sudoers_old
# cp /etc/sudoers_old /etc/sudoers
cp: overwrite `/etc/sudoers'? y
Security of the sudo command

As we have studied so far, if the permission settings of the sudo command grant the use of root's commands to users who should not have them, or to insiders with malicious intent, the result can be fatal. Because the sudo command itself is set SetUID with root ownership, it must be managed with care.
# ls -al /usr/bin/sudo
---s--x--x 2 root root 140712  1월 21  2009 /usr/bin/sudo

From the point of view of system security, I think it is right, where possible, to remove the SetUID setting from the sudo command or to delete the sudo command file altogether so that it cannot be used.
(01) Run "rm -f /usr/bin/sudo" to delete the command. The sudo command offers great convenience and efficiency, but its risk is greater still, so unless it is absolutely necessary it is better to delete it permanently.
(02) Run "chmod 100 /usr/bin/sudo" to remove the SetUID bit set on sudo and make it executable only by root.
(03) Run "chattr +i /usr/bin/sudo" so that the sudo file cannot be modified. This way even the root account cannot modify the sudo file, so it is protected from the risk of hacking.

http://cafe.naver.com/linuxlog
krintiz@naver.com