In some of the previous demos on permissions, we've seen the use of sudo: when a user doesn't have permission to perform some command, if they precede that command with the special sudo command, then they can elevate their permissions to the root user and therefore execute the command. Of course, not any user can do this. We're going to look at how sudo works and how we can set it up so particular users on a Linux system can use sudo to execute selected commands.

As a reminder of how sudo works, I'm currently logged in as the instructor user. If I want to access a particular file which I know from past use is not accessible, that is, I cannot access the directory /home/Tanaruck because I do not have permission to read that directory. If I precede the command with sudo, with the idea of elevating my permissions to the root user, who does have access to that directory, I should be able to see the contents. My password, Gino, and in this case, because the instructor user has been set up to have these sudo permissions, they can view the contents of the /home/Tanaruck directory.

But which users can use sudo? By default, when you install the Ubuntu Linux operating system, the first user you create is in what's called the admin group, and the users in the admin group can use sudo to escalate their privileges from the normal user to the root user and perform any command and access any file on the system. If you have more than just the initial user on the system, then you need to configure the system to allow those other users to use sudo, and we'll show you how.

In this system, the instructor user was the first user created and can use sudo. If we switch to a different user, in this case Smith, and I know Smith's password, now I'm logged in as Smith. If we try to view the /home/Tanaruck directory, we get permission denied; we cannot see the contents.

If we try to use sudo to view the directory, sudo prompts for Smith's password and reports an error saying that the user Smith is not in the sudoers file, the special file that configures which users can use sudo and which cannot, and this is a security incident that should be reported. So we need to look at that sudoers file to see how to set up the system to allow different users to use sudo.

I'll exit back to the instructor user and let's open the sudoers file; it's in the /etc directory. To open it, you need to be the root user and therefore use sudo. It's a text file, but we shouldn't open it with a normal text editor. The problem is that if we make a mistake in this file, if we use the wrong syntax or provide the wrong command, then we can lock users out of the system and potentially lock all users out of the system, that is, we cannot execute sudo. So we use a special program, visudo, which opens a text editor, but once you edit the sudoers file, it checks whether it's correct or not. Use the -f option to specify the file to open; the file is in the /etc directory and is called sudoers. This opens the sudoers file, the configuration file for sudo, in the default text editor, in my case nano.

The syntax and the options that are available in this configuration file are quite complex and I'm not going to try to explain how they work. I'll just show some very basic configuration directives that are in the default file. Every line starting with a hash is just a comment. The first line that we'll explain is the one starting with root. The root user on the system should be able to execute any command, and this line says that the root user, if they use sudo, then on all machines they can execute all commands as any user or all users available, that is, the root user can use sudo to do anything. So if you're logged in as the root user you can precede any command with sudo and you'll have permission to execute that command.

The next line of interest is this %sudo line. The percent indicates it's referring to a group. In the previous case the privilege specification was set for a particular user, the root user. When we use a percent we refer to a group on the system. So anyone within the sudo group has the capability to execute all commands on the system, again with the same privileges as the root user. So if you are the root user you can execute any command using sudo, and if you're in the sudo group you can also execute any command using sudo.

This #includedir directive indicates that we can add extra configuration directives either in the file that we're editing now, the sudoers file, or in separate files under the sudoers.d directory. I'll show you an example of that shortly.

The last directive here is similar to the sudo group directive. Anyone within the admin group can execute all commands. So if you're in the admin group or the sudo group, or you are the root user, you can use sudo to execute any command on this Ubuntu Linux system, and by default when you install Ubuntu the first user you create is added to the admin group.

Let's check that. So exit, Control-X, and if we look in the admin group (groups and group members are in the /etc/group file), I'll search for admin, we see the admin group contains the instructor user. So that's why the instructor user on this system can execute any command using sudo.

Let's add a user to the admin group. To add a user to a group, again we need to use sudo (I'm currently logged in as the instructor user): adduser, the user name (let's add Mr. Smith to the admin group), and the group name. So user Smith was added to the admin group; let's just check that. So now Smith is in the admin group, and now let's switch to the user Smith and enter the password. Previously we saw that Smith could not view the contents of /home/Tanaruck using sudo. Let's try again: sudo ls /home/Tanaruck prompts for Smith's password.

And now user Smith can view the contents of Tanaruck's directory, that is, they can execute the command using sudo because they've been added to the admin group. So quite simply, if you want someone to be able to use sudo to gain root privileges on your system, add them to the admin group. I can remove a user from the admin group using the deluser command so that Smith is no longer in the admin group. Let's just check that: the admin group is back to the original setup where only the instructor user is in it.

So the basics of sudo so far are that if you're the root user, in the sudo group, or in the admin group, you can execute any command on the system by preceding it with sudo, and you effectively elevate yourself to the privileges of the root user. The configuration file that specifies which groups can configure which commands is in the /etc directory and it's called sudoers.

In some cases, we don't want to allow a user to be able to elevate their privileges to the root user and do anything on the system. We would like in some cases to allow some users just to run some privileged commands. For example, if we want to set up the system so that some users, the student users, can execute networking commands, but not view the directories of others, not add users, not do all the other management of the system, then we can configure sudo to do that. I've already created an example, an extra set of configuration directives for sudo, and I'll show you that in use first before I show you the example.

Let's switch to a user, user nappat, and enter the password. A number of networking commands on the system by default require root privileges. For example, to execute tcpdump, to capture traffic on the computer (sorry, tcpdump -i eth0), user nappat does not have permission to capture on eth0, the Ethernet interface.

You need to be the root user to run tcpdump. Can nappat execute tcpdump using sudo? Let's try. sudo prompts for his password and gives the error message saying he's not in the sudoers file and is not allowed to run this command as sudo. How can we configure the system so that individual users or a select group of users can run a selection of commands as sudo?

Let's open the file that I've already created to allow some users to run networking commands. I've created it in the sudoers.d directory and I've simply called the file student. So I'm going to open this file, which is a set of sudo directives, using the visudo command, and it's important not to use a normal text editor here. Again, if you make mistakes in the syntax then you may lock users out of the system, and in fact on two occasions I've locked out all users from a system and had to go through special steps to recover the root password. Very inconvenient.

I've made a mistake; I need to switch back to the instructor user. Of course nappat is not allowed to execute this command as sudo. I need to exit, and I'm now back as the instructor user, who can execute commands as sudo.

This student file gives some extra sudo configuration directives. I want to allow a set of users, in particular the users in the net admin group, to run a set of commands as sudo, and those commands are related to networking. So let's just look at the line that specifies what group can execute what commands. This highlighted line indicates that anyone in the net admin group can run the commands specified by net all. Net all is an alias, and you will see in the preceding lines I've created this alias. So any commands that match within the alias net all can be executed by users in the net admin group.

What is in net all? We see in the preceding line I've created a command alias where net all equals, or includes, all those commands in the network alias, in the capture alias, in the aircrack alias and a number of other aliases. And in fact those aliases are defined in the preceding lines. We see that the capture alias is defined here. The capture alias refers to a specific command, tcpdump, and we need to give the full path here. So capture will be replaced with /usr/sbin/tcpdump, which is the location of the tcpdump program. Another, network, includes the commands ifconfig, ifdown and a number of other interface configuration commands. WLAN includes commands for configuring a wireless interface in Linux, iwconfig for example.

So I've just created these aliases to separate out the set of commands. You don't need to use them; alternatively, instead of using net all I could have listed all the individual commands here on one line, separating each command with a comma. So again, any user in the net admin group can execute the commands specified in the set of aliases under net all (network, capture, aircrack, WLAN and so on), which is really just a list of the actual commands that I want to allow that user to execute. So you can add other commands, you can set up different aliases and different groups to specify what selection of users can execute which commands as the root user.

Let's see how it works. I'll Control-X; no, I don't need to change this. Let's look at the net admin group: there's currently no user in the net admin group. Let's add the user nappat to the net admin group. Previously the user nappat could not execute tcpdump even using sudo; they didn't have the permissions. Now we add nappat to the net admin group, let's just check, and now let's switch to user nappat. We're now logged in as nappat, and let's use sudo to execute tcpdump.

Sudo prompts for his password. I've made a mistake in the command, I used -eth0 instead of just eth0. Let's try again, and now user nappat can execute tcpdump; tcpdump is running and capturing packets. So we can set any user to execute the networking commands listed in that sudo configuration file if they're in the net admin group.

And let's just check finally whether nappat can execute other commands as sudo: ls the home directory of user Tanaruck, sudo ls /home/Tanaruck. Not allowed to execute this command. So because the command ls is not in the list that I set up in the configuration file, user nappat is not allowed to execute that as sudo; he can only execute the commands that I specified. So that's a way of allowing specific users to execute a selection of commands on the system depending on what you want them to do. Of course, it's up to the manager of the system to select the commands and consider whether the selection of commands meets the security requirements of the system.

In summary, the configuration of sudo is set up in the /etc/sudoers file, although other files can be added under the /etc/sudoers.d directory. They specify which users and which group members can execute which commands. And if a user has those privileges, then they can precede a command with sudo to escalate their privileges so that they can execute a command that they would normally not be able to.
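
The drop-in file described above, written out as an added example; it is not the lecturer's actual file. The alias spellings (NETWORK, CAPTURE, WLAN, NETALL), the group name netadmin and every path except /usr/sbin/tcpdump are assumptions, and the aircrack alias is left out because the lecture does not list its commands.

```sudoers
# /etc/sudoers.d/student   (constructed example)
# Edit only through visudo so a syntax error is caught before it is saved:
#   sudo visudo -f /etc/sudoers.d/student
# Files in /etc/sudoers.d are skipped if the name contains a '.' or ends in '~'.

# Command aliases must list full paths. /usr/sbin/tcpdump is the path given in
# the lecture; the /sbin paths are assumptions, confirm them on your system.
Cmnd_Alias NETWORK = /sbin/ifconfig, /sbin/ifdown
Cmnd_Alias CAPTURE = /usr/sbin/tcpdump
Cmnd_Alias WLAN    = /sbin/iwconfig

# An alias may be built from other aliases of the same type.
Cmnd_Alias NETALL  = NETWORK, CAPTURE, WLAN

# '%' marks a group. Members of netadmin (assumed group name) may run the
# NETALL commands as root on any host, and nothing else.
%netadmin ALL = (root) NETALL

# The same rule without aliases, commands separated by commas:
# %netadmin ALL = (root) /sbin/ifconfig, /sbin/ifdown, /usr/sbin/tcpdump, /sbin/iwconfig

# For comparison, the unrestricted rule from the default /etc/sudoers:
# %admin ALL=(ALL) ALL
```

To check the file without opening an editor, run sudo visudo -c -f /etc/sudoers.d/student; to see what a given user ends up allowed to run, use sudo -l -U nappat.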