Posts Tagged ‘LOCAL’

How to add local user to admin access via /etc/sudoers with sudo su - root / Create a sudo admin group to enable users belonging to group become superuser

Friday, January 15th, 2021


Have you had local users on a server and needed an admins group for all system administrators, so that any local user belonging to the group can become root with a command such as sudo su - root / su -l root / su - root?
If so, below is an example /etc/sudoers file that allows this for users belonging to a local group sysadmins with an assigned group number.

Here is how to create the sysadmins group as a start:

linux:~# groupadd -g 800 sysadmins

Let's create a new local user georgi and make it a member of the sysadmins group, which will be our local system administrator (superuser) access group.

To create the user with a specific user ID, first check /etc/passwd for that ID and create the user only if it is not taken:

linux:~# grep :811: /etc/passwd || useradd -u 811 -g 800 -c 'Georgi hip0' -d /home/georgi -m georgi

Next, let's create /etc/sudoers (if you need to copy and paste the content of the file, check here) and paste the configuration below:

linux:~# mcedit /etc/sudoers

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

 

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

Cmnd_Alias PASSWD = /usr/bin/passwd [a-zA-Z][a-zA-Z0-9_-]*, \
                    !/usr/bin/passwd root

Cmnd_Alias SU_ROOT = /bin/su root, \
                     /bin/su - root, \
                     /bin/su -l root, \
                     /bin/su -p root


# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

%sysadmins            ALL            = SU_ROOT, \
                                   NOPASSWD: PASSWD

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

zabbix  ALL=(ALL) NOPASSWD:/usr/bin/grep


Save the config and now try to become root with the sudo su - root command:

linux:~$ id
uid=811(georgi) gid=800(sysadmins) groups=800(sysadmins)
linux:~$ sudo su - root
linux:~#

w00t Voila your user is with super rights ! Enjoy 🙂
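
To review which entries in the file above let a command run with no password prompt, this added example (not part of the original post) joins continuation lines and prints each principal with its NOPASSWD commands. The names nopasswd_rules and sample_sudoers are made up for the example, the sample is an excerpt constructed from the file above, and aliases are printed by name, not expanded.

```shell
#!/bin/sh
# Added example, not part of the original post.
# nopasswd_rules [FILE]: print "principal<TAB>command" for each command a user
# specification allows without a password. Simplified: aliases are not
# expanded, includes are not followed, escaped commas are not handled.
nopasswd_rules() {
    awk '
    { line = buf $0 }
    /\\$/ { sub(/\\$/, " ", line); buf = line; next }  # join continuations
    { buf = ""; sub(/^[ \t]+/, "", line) }
    line == "" || line ~ /^#/ { next }                 # blanks and comments
    line ~ /^(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
    {
        eq = index(line, "=")
        if (eq == 0) next
        split(substr(line, 1, eq - 1), left)
        rhs = substr(line, eq + 1)
        gsub(/\([^)]*\)/, "", rhs)        # drop (runas) specifications
        n = split(rhs, item, ",")
        nopass = 0                        # a tag applies until overridden
        for (i = 1; i <= n; i++) {
            cmd = item[i]
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            while (match(cmd, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(cmd, 1, RLENGTH)
                if (tag ~ /^NOPASSWD:/) nopass = 1
                if (tag ~ /^PASSWD:/) nopass = 0
                cmd = substr(cmd, RLENGTH + 1)
            }
            if (nopass) print left[1] "\t" cmd
        }
    }' "$@"
}

# Constructed sample: user specifications taken from the file above.
sample_sudoers() {
    cat <<'EOF'
Cmnd_Alias SU_ROOT = /bin/su root, \
                     /bin/su - root
root    ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
%sysadmins            ALL            = SU_ROOT, \
                                   NOPASSWD: PASSWD
#includedir /etc/sudoers.d
zabbix  ALL=(ALL) NOPASSWD:/usr/bin/grep
EOF
}

sample_sudoers | nopasswd_rules
```

On a live system, run it as root against /etc/sudoers and each file in /etc/sudoers.d; after any edit, visudo -c checks the syntax before the file is relied on.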

 

How to do Diff (compare files) over SSH between local and remote servers on Linux

Monday, December 16th, 2019


In system administration we often need to compare files located on different servers. Copying the files from Server A to Server B is easy to do but time consuming, as you have to use some console ftp or sftp client, scp or sftp, to copy the files from server A to server B and then use the diff command on one of the two systems.

Thankfully there are other ways to do so, by using a simple one-liner of diff + ssh or rsync + ssh, and for the vim lovers there is even vimdiff.
In this short article I'll give a few examples of quick ways to compare files between 2 servers via the SSH protocol.

 

1.  Compare files for differences on 2 Linux servers via SSH protocol

 

Assuming you're logged in on the first server, where a certain config is located, and you want to compare it with a remote server via ssh:

 

 diff local-file <(ssh myServer 'cat remote-file')

 

If you're on a server and you want to compare file configurations between 2 remote servers both running ssh, generally you need something like:

 

diff <(ssh myServer1 'cat /etc/ssh/sshd_config') <(ssh myServer2 'cat /etc/ssh/sshd_config')

 

To compare multiple files in directories with diff:
 

diff <(/usr/bin/ssh user1@192.168.122.1 'ls /opt/lib/') <(/usr/bin/ssh user2@192.168.122.1 'ls /tmp/') | grep -i ">" | sed 's/> //g'

 

2. Interactively check 2 or more config files and show differences in a vim text editor style

 

The vimdiff package is not installed on all Linux distributions, particularly not in paranoid, security-tightened Linux environments, but on most servers it should either be there or be installable with apt / yum or whatever package manager is in use. You will need vimdiff installed on only one of the servers whose config you want to check.

Here is how to compare existing files on 3 Linux servers running OpenSSH (sshd) services in vimdiff:

vimdiff /path/to/file scp://remotehost//path/to/file scp://remotehost2//path/to/file



Note that the double slash (//) syntax is mandatory; without it vimdiff will return files. Also be aware that the files you want to check should be present at the given directory locations on each of the servers, otherwise you will end up with weird errors.

vimdiff is the Mercedes of comparison, especially for VIM UNIX addicts, and its nice coloring makes reading the differences between server files very easy.

3. File comparison with diff or vimdiff via SSHFS mount

mkdir remote_path
sshfs user@hostname:/dir/ remote_path
diff -r local_path/file remote_path/file

4. Comparing files with diff by printing local and remote server files with diff

Most servers don't have sshfs by default, and for servers following PCI High Security standards there are other means to compare files on two or more hosts in a minimalistic way. Here is an idea how:
 

diff <(ssh remote-host-server find /var/www -printf '"%8s %P\n"') \
     <(find /var/www -printf '%8s %P\n')
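
The listing above compares only file sizes and names, so a file edited without changing its size shows no difference. The following added example (not from the original post) builds a checksum manifest per tree instead; the function names manifest and changed_files are made up for the example, and sha256sum is assumed to be installed on both hosts.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes sha256sum is installed.

# manifest DIR: print "sha256  relative/path" for every regular file under DIR,
# sorted by path so that two manifests line up when diffed.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + |
        sed 's|  \./|  |' | LC_ALL=C sort -k 2 )
}

# changed_files MANIFEST_A MANIFEST_B: print the paths that exist on one side
# only or whose checksum differs. A line present in just one manifest is a
# change; identical lines appear twice after sorting and are dropped by uniq -u.
changed_files() {
    LC_ALL=C sort "$1" "$2" | uniq -u | sed 's/^[^ ]*  //' | LC_ALL=C sort -u
}

# Typical use (remote-host-server is the host name used in the command above):
#   manifest /var/www > local.sha256
#   ssh remote-host-server 'cd /var/www && find . -type f -exec sha256sum {} + |
#       sed "s|  \./|  |" | sort -k 2' > remote.sha256
#   changed_files local.sha256 remote.sha256
```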

5. Comparing files content on local and remote server directory with rsync

The best UNIX tool to compare multiple files and directories across local and remote servers, or a mixture of both, is our lovely rsync together with SSH; rsync comes with the --dry-run (-n) option, which tests what rsync would do.

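To compare files over the SSH protocol with rsync between a local and a remote server (note the trailing slash on the source, so that the contents of the two phpcode directories are compared with each other):

rsync -rvnc root@10.10.10.50:/var/www/html/phpcode/ /var/www/html/phpcode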


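To compare 2 remote hosts, run rsync on one of them through ssh, because rsync does not accept a remote source together with a remote destination (the first host must be able to log in to the second over SSH):

ssh root@187.50.200.73 rsync -rvnc /var/www/html/phpcode/ root@192.168.5.50:/var/www/html/phpcode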


To compare more hosts against the local copy, run one dry run per remote host, because rsync accepts remote sources from only one host per invocation:

for host in 187.50.200.73 192.168.5.50 192.168.5.70; do
    rsync -rvnc root@$host:/var/www/html/phpcode/ /var/www/html/phpcode
done

The rsync options given are as so:

r=recursive,
v=verbose,
n= dry-run,
c=checksum

How to fix clamd “ERROR: LOCAL: Socket file /tmp/clamd.socket is in use by another process.”

Monday, May 23rd, 2011

On one of the Qmail server installations I’m taking care of, the clamd antivirus process started loading the system heavily.
After a bit of log reading and investigation I found the following error in my /var/log/clamd/current

@400000004dda1e1815cf03f4 ERROR: LOCAL: Socket file /tmp/clamd.socket is in use by another process.

I’ve noticed in my process list that I actually do have two clamd processes:

11608 ? Sl 0:05 /usr/local/sbin/clamd
11632 ? S 0:00 /usr/bin/multilog t /var/log/clamd
16013 ? Sl 0:06 /usr/local/sbin/clamd

It appeared that for some weird reason one of the clamd processes was constantly failing to connect to the clam server socket /tmp/clamd.socket, and each time it tried and failed to connect to the socket the system got about 5% of extra load …

Resolving the issue was a piece of cake: all I had to do was stop the clamd server, delete the /tmp/clamd.socket and relaunch the clamd server.

Here are exactly the commands I issued:

debian:~# cd /service/
debian:/service# svc -a clamd
debian:/service# svc -h clamd
debian:/service# svc -d clamd
debian:/service# rm -f /tmp/clamd.socket
debian:/service# svc -u clamd

Afterwards the extra clamd load went away, and in /var/log/clamd/current I can see clamd loads fine without errors, e.g.:

Listening daemon: PID: 16013
MaxQueue set to: 150
No stats for Database check - forcing reload
Reading databases from /usr/local/share/clamav
Database correctly reloaded (966822 signatures)
SelfCheck: Database status OK.
...

Howto install and configure Local DHCP Server for small LAN local network on FreeBSD

Monday, September 21st, 2009

Since some time ago, I’ve been planning to install a DHCP server to automatically assign the IP addresses of the hosts in my tiny local network.
Here is how I did it:
First I had to install:
the port isc-dhcpd31-server
Execute the commands:
# cd /usr/ports/net/isc-dhcp31-server;
# make install clean
For some reason the dhcpd user didn’t get created, so I had to issue:
pw add user dhcpd;
After which use vipw to change the default shell for the dhcpd user to /usr/sbin/nologin as well as the default user home directory to /var/empty
Next I used the following dhcpd.conf file:
--- SNAP ---
option domain-name "www.pc-freak.net";
option domain-name-servers 83.228.92.2, 83.228.92.2;
default-lease-time 600;
max-lease-time 7200;
# Use this to enable / disable dynamic dns updates globally.
ddns-update-style ad-hoc;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 10.152.187.0 netmask 255.255.255.0 {
}
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.2 192.168.0.255;
  option domain-name-servers 192.168.0.1;
  option domain-name "www.pc-freak.net";
  option routers 192.168.0.1;
  option broadcast-address 192.255.255.255;
  default-lease-time 3600;
  max-lease-time 7200;
}
# the lines below enable you to assign specific IP addresses depending on
# machine's MAC address
host jericho {
  hardware ethernet 00:13:2a:33:7d:1e;
  fixed-address 192.168.0.2;
}
host noah {
  hardware ethernet 00:0b:e4:c9:7b:59;
  fixed-address 192.168.0.4;
}
--- END ---
You might need to change some of the IP addresses; the conf above is configured for my local network, which is in the IP range 192.168.0.2 to 192.168.0.255.
The above conf file’s name servers are my ISP’s nameservers ns.bergon.net and ns1.bergon.net
The variable broadcast-address is the range in which the DHCPD servers will broadcast and eventually assign IP addresses.
routers variable sets your network default router in my case it’s my local gateway.
range variable is self explanatory.
subnet is the subnet in which your network is.
max-lease-time is the time interval in which a DHCP IP reassign occurs
default-lease-time the default time on which IP reassign occurs
The rest can be read in the comments above the variables.
To make dhcpd log to a separate file it’s also necessary to edit your /etc/syslog.conf and change the line
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err; /var/log/messages
with
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local7.!*; /var/log/messages
as well as add:
local7.* /var/log/dhcpd to /etc/syslog.conf.
The above changes in syslog.conf should force syslogd to log to /var/log/dhcpd instead of stuffing your /var/log/messages with dhcpd log output
It’s also necessary to create /var/log/dhcpd’s file:
Execute: touch /var/log/dhcpd as well as restart the syslogd
/etc/rc.d/syslogd restart .
Furthermore execute:
echo 'dhcpd_enable="YES"' >> /etc/rc.conf
echo 'dhcpd_iface="rl0"' >> /etc/rc.conf
The above as you probably know will schedule isc-dhcpd to start up every time your system boots.
Well you should be now having a shiny spreading dhcpd service in your local network.
Enjoy and Praise God 🙂 !

A serious kernel vulnerability allows local attackers to attain root privileges

Tuesday, February 12th, 2008

A new exploit is out: the vmsplice local root exploit. All Linux users are advised to update. Debian has released a new package fixing the issue. http://www.securityfocus.com/archive/1/487876
A friend of mine, static, informed me that the exploit doesn’t rewt an updated CentOS. My Debian system has proved vulnerable. I was pretty much surprised when a friend of mine called and said hey man try logging in with your user “hipo” :). I suspected something was wrong, maybe he has changed my username pass. Luckily he hasn’t, although later I was not able to login :). He just tested the new exploit below on pc-freak. Luckily I have such friends to remind me of problems very early. I guess this exploit is going to put a lot of havoc in the Linux world. But yeah, that’s life. Today Plamenko the guitarist came home and was my guest. We downloaded some of his (mountain clips) and put them on DVDs. Later I drank a coffee with arkadietz and static. They were in a euphoria because of this exploit. I advise everybody out there to patch as fast as possible or expect surprises :)