LFCS Admin Exam preparation guide series, main page can be found here.
This post is part of Essential Commands from the domain competency list for the exam. The full list can be found in the link above paragraph or the Linux Foundation page here.
The is one account in every Linux distribution which has access to manage and modify the entire system, this account name is root. Let us explore how we can manage and secure this account.
The first thing of all, we are not supposed to log in as root to the system using ssh, we should have no privileged account for the administrator account. We this account you can still run command which required elevated access by using sudo, using sudo at the beginning of the command will temporarily grant elevated privileges. Another option is to use su which stands for substitute user which will change over to root account until we log out or exit the session.
The good thing is that not every account have access to run commands with elevated privileges, we can control that with /etc/sudoers. We can display the content of this file by using cat /etc/sudoers, here we can see that even we are using an account which is part of sudo group we cannot read the file content, we will need to use the sudo cat /etc/sudoers to be able to access this file.
A close look at the sudoers file, and we can see who can perform all command. First, we can see root account with ALL=(ALL:ALL) ALL privileges. The first ALL means that root account can execute from any terminal session, (ALL:ALL) means that it can run as all users and all groups, the final ALL means that root user can execute any command. Feather down we can see that the admin and sudo group have assigned the same set of privileges, which mean instant of adding a particular user to this file, we can add that user to one of the group.
At the top of the sudoers file, we can see that there is a special command to modify this file – visudo, running this command together with sudo, will allow us to make changes to this file. We could add under the User privilege specification add user account we like to have access to sudo command. But as mention in the previous paragraph, it will be better to add the user to the groups listed inside the file. The command we are going to use will be sudo gpasswd -a user sudo, this command will add a user to the sudo group. We can use same command with -d to remove user from the group.
When we try to access file or command, which requires sudo, we will be present with an error message. For example, trying to display the content of the sudoers file by a regular user, the error will be – Permission denied. If the same user tries to use sudo, the error message – user is not in the sudoers file. This incident will be reported – will be displayed and write to the log files.
The steps we talk about here today are only a few of the approaches we should make to secure the root access to our Linux systems. Other things we should take care of: remove root ssh access, generate ssh-key for accessing remote session, and disable password authentication, just to mention few.
That’s all for today. Thank you for reading.