Parcourant les notes techniques de sécurisation d'un serveur Linux proposées par l'ANSII (Voir ce PDF),
je me suis penché sur les problématiques de configurations de sudoers.
Pour que des normes de sécurité correctes soient misent en place,
il est nécessaire que les utilisateurs ne puissent pas usurper l'identité d'autre utilisateurs.
Pour les administrateurs, cette restriction peut être mise en place au niveau des sudoers en bloquant l'accès à "su",
visudo et aux shells, les utilisateurs n'ayant besoins d'accéder qu'à une liste de commandes spécifiques.
On peut ensuite n'autoriser qu'un groupe d'administrateur bien spécifique à modifier les sudoers et placer des règles via SELinux pour réguler l'édition.
L'exemple de cas ci-dessous présente un panel complet des différentes fonctionnalités proposées par le fichier sudoers et permet de générer sa propre configuration.
# Sample /etc/sudoers file. # # This file MUST be edited with the 'visudo' command as root. # # See the sudoers man page for the details on how to write a sudoers file. # ## # User alias specification ## User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl User_Alias WEBMASTERS = will, wendy, wim ## # Runas alias specification ## Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase ## # Host alias specification ## Host_Alias SPARC = bigtime, eclipse, moet, anchor:\ SGI = grolsch, dandelion, black:\ ALPHA = widget, thalamus, foobar:\ HPPA = boa, nag, python Host_Alias CUNETS = 128.138.0.0/255.255.0.0 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules ## # Cmnd alias specification ## Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ /usr/sbin/rrestore, /usr/bin/mt Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt Cmnd_Alias REBOOT = /usr/sbin/reboot Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ /usr/local/bin/tcsh, /usr/bin/rsh, \ /usr/local/bin/zsh Cmnd_Alias RESTRICTED = /bin/vi /etc/sudoers, /bin/nano /etc/sudoers, /bin/su - root, \ /bin/su - , /usr/sbin/visudo Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ /usr/bin/chfn ## # Override built-in defaults ## Defaults syslog=auth Defaults>root !set_logname Defaults:FULLTIMERS !lecture Defaults:millert !authenticate Defaults@SERVERS log_year, logfile=/var/log/sudo.log ## # User specification ## # root can run anything on any machine as any user root ALL = (ALL) ALL # admin group can run anything except RESTRICTED and SHELLS commands %admin ALL = (ALL) ALL, !RESTRICTED, !SHELLS # sudoers group can only edit sudoers file %sudoers ALL = (ALL) /usr/sbin/visudo # full time sysadmins can run anything on any machine without a password FULLTIMERS ALL = NOPASSWD: ALL # part time sysadmins may run anything but need a password PARTTIMERS ALL = ALL # jack may run anything on machines in CSNETS jack CSNETS = ALL # lisa may run any command on any host in CUNETS (a class B network) lisa CUNETS = ALL # operator may run maintenance commands and anything in /usr/oper/bin/ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ sudoedit /etc/printcap, /usr/oper/bin/ # joe may su only to operator joe ALL = /usr/bin/su operator # pete may change passwords for anyone but root on the hp snakes pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root # bob may run anything on the sparc and sgi machines as any user # listed in the Runas_Alias "OP" (ie: root and operator) bob SPARC = (OP) ALL : SGI = (OP) ALL # jim may run anything on machines in the biglab netgroup jim +biglab = ALL # users in the secretaries netgroup need to help manage the printers # as well as add and remove users +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser # fred can run commands as oracle or sybase without a password fred ALL = (DB) NOPASSWD: ALL # on the alphas, john may su to anyone but root and flags are not allowed john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* # jen can run anything on all machines except the ones # in the "SERVERS" Host_Alias jen ALL, !SERVERS = ALL # jill can run any commands in the directory /usr/bin/, except for # those in the RESTRICTED and SHELLS aliases. jill SERVERS = /usr/bin/, !RESTRICTED, !SHELLS # steve can run any command in the directory /usr/local/op_commands/ # as user operator. steve CSNETS = (operator) /usr/local/op_commands/ # matt needs to be able to kill things on his workstation when # they get hung. matt valkyrie = KILL # users in the WEBMASTERS User_Alias (will, wendy, and wim) # may run any command as user www (which owns the web pages) # or simply su to www. WEBMASTERS www = (www) ALL, (root) /usr/bin/su www # anyone can mount/unmount a cd-rom on the machines in the CDROM alias ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM