Processes
There are a number of commands available for process management. Use the man pages to read up on these.
ps (process status)
Try
ps -A
ps -l
ps -x
Try changing the shell a few times, e.g. sh; ksh; csh; bash, and then ps -l
Note the pid and ppid of different processes.
kill
The command kill -9 process_pid kills a process and all its descendants.
Try killing some processes from the previous example.
top
Display top CPU processes. This provides an ongoing look at processor activity in real time. It provides information on running processes; see class notes.
Granting users access to privileged commands
There is a substantial difference between what the root user can do and what an ordinary user can do. However, it is often useful for an administrator to grant limited access to particular users to do specified tasks (that they would not normally be able to do).
Using the sudo command
The sudo utility allows users defined in the /etc/sudoers file to run commands that they would not normally have access to because of restrictions, e.g. anything to do with creating users, groups etc.
To configure /etc/sudoers, just type visudo, which mimics the vi editor and is used exclusively to modify sudo parameters. The visudo command must be run as root and requires no arguments.
Create a new user bob and place the following entry in the /etc/sudoers file:
bob ALL=(ALL) NOPASSWD: ALL
This entry allows the user bob to do anything. It works as follows:
Normally users do not have read permission to the shadow files. If bob tries the command:
cat /etc/shadow
he gets:
cat: /etc/shadow: Permission denied
But if he tries:
sudo cat /etc/shadow
bob can read the contents of the shadow files.
This is essentially giving bob root access; usually it’s more appropriate to give users more selective privileges.
Remove or comment out the line: bob ALL=(ALL) NOPASSWD: ALL
Grant bob the privilege of using the useradd command as follows:
Add the entry to the /etc/sudoers file:
bob ALL = NOPASSWD: /usr/sbin/useradd
Now bob logs in and tries to create a user:
/usr/sbin/useradd vin
useradd: unable to lock password file
Now try:
sudo /usr/sbin/useradd vin
Check the new user has been created by:
cat /etc/passwd
Exercise 1
Configure the /etc/sudoers file to enable a user, e.g. jane, to change other users’ passwords.
Note: Commands (such as useradd) may be located in different directories depending on the Linux distribution. Before configuring the /etc/sudoers file it’s a good idea to find the correct path for all the relevant commands.
Groups of Users
It is possible to grant privileges to groups of users. Groups are differentiated from normal users by placing a % at the beginning of the name. For example, if there exists a group called myGroup, its members could all be granted permission to create users by adding the following entry to /etc/sudoers:
%myGroup ALL = NOPASSWD: /usr/sbin/useradd
It is also possible to have combinations of groups and individual users specified in the file. For example, the following entry allows the com3 group and user bob permission to create new users.
%com3, bob ALL = NOPASSWD: /usr/sbin/useradd
Exercise 2
Create a new group students and two users jane and mary (make jane and mary members of the students group). Grant members of the students group permission to change passwords of other users and to be able to create new users.
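It is not necessarily a good idea to grant a user permission to change passwords: it’s possible this user could change root’s password and subsequently be able to log on as root. The following entry enables bob to change all passwords except root’s.
bob ALL = NOPASSWD: /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
The [A-Za-z]* pattern requires a user name on the command line; a bare /usr/bin/passwd entry would also match passwd run with no user name, which under sudo acts on root’s own password.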
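An added example (not part of the original handout): a small Python check that reads sudoers-style user entries and reports the ones that grant more than they appear to, such as the ALL entry shown earlier or a passwd rule that does not require a user name or exclude root. It assumes simple one-line entries with no aliases, Defaults lines or line continuations; SAMPLE, parse_rule and audit are names made up here, and the [A-Za-z]* passwd form follows the example in the sudoers manual.

```python
import re

# Constructed sample: the entries this page walks through, plus one unrestricted
# passwd rule and a tightened variant. Not taken from a real system.
SAMPLE = """\
bob ALL=(ALL) NOPASSWD: ALL
bob ALL = NOPASSWD: /usr/sbin/useradd
%com3, bob ALL = NOPASSWD: /usr/sbin/useradd
jane ALL = NOPASSWD: /usr/bin/passwd
bob ALL = NOPASSWD: /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
"""

def parse_rule(line):
    """Split 'who host = (runas) TAG: cmd, cmd' into (who list, command list)."""
    left, right = line.split("=", 1)
    who = [w.strip() for w in left.rsplit(None, 1)[0].split(",")]
    right = re.sub(r"^\s*\([^)]*\)", "", right)   # drop the (runas) part
    right = re.sub(r"\b[A-Z]+:", "", right)        # drop tags such as NOPASSWD:
    return who, [c.strip() for c in right.split(",") if c.strip()]

def audit(text):
    """Return (line number, who, finding) for rules broader than they look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        who, cmds = parse_rule(line)
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in allowed:
            findings.append((n, who, "every command allowed: equivalent to root"))
        for c in allowed:
            parts = c.split()
            if not parts[0].endswith("/passwd"):
                continue
            if len(parts) == 1:
                # No argument pattern: sudo accepts any arguments, or none.
                findings.append((n, who, "passwd accepts any or no arguments"))
            if not any(d.startswith(parts[0]) and "root" in d for d in denied):
                findings.append((n, who, "passwd rule does not exclude root"))
    return findings

if __name__ == "__main__":
    for n, who, msg in audit(SAMPLE):
        print(f"line {n}: {', '.join(who)}: {msg}")
```

Run it against a copy of the file rather than /etc/sudoers itself; visudo -c remains the tool for checking syntax.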
Exercise 3
Grant members of the students group and bob permission to change passwords of all other users except root.