October 2017 ~ AmarTufo-BLOG

Resetovanje administratorskih privilegija uređivanjem /etc/sudoers datoteke

Način na koji Linux upravlja korisnicima koji ga koriste je jako interesantan ali i zanimljiv. Naime, svi korisnici se nalaze u posebnoj datoteci po imenu /etc/passwd koja, osim što sadrži korisnike koji koriste Linux distribuciju, ona sadrži i njihov zadani shell, zatim nobody nalog koji nema ni home direktorij a ni svoj shell, i niz drugih bitnih informacija. O /etc/passwd datoteci vidi na ovom linku više. Administratorske privilegije se mogu izgubit na razne načine, ja sam ih izgubio kreiranjem novog korisnika po imenu 'ubuntugeek' te izbacanjem svog korisničkog naloga 'amar' iz grupe admin. U ovom članku ćete saznati kako resetovati vaše administratorske privilegije uređivanjem /etc/sudoers datoteke u Linux-u. Napomena: Ovaj članak je dio moje intenzivne pripreme za LPIC-1 certifikat.

Piše: Amar Tufo

8. Oktobar, 2017

Svaki put kada instalirate vašu omiljenu Linux distribuciju bilo to Ubuntu ili Mint, od vas se traži da kreirate vaš korisnički nalog i jedinstvenu lozinku kojom pristupate vašoj distribuciji. Vaše korisničko ime se stora u jedinstvenu datoteku po imenu /etc/passwd koja sadrži niz bitni informacija o korisniku distribucije, dok se lozinka stora u datoteku /etc/shadow. Poželjno je da s vremena na vrijeme mjenjate vaše korisničko ime, grupu kojoj korisnik pripada te lozinku radi sopstvene sigurnosti.

Međutim, treba imati na umu da ovakve korake rade isključivo iskusni Linux korisnici koji znaju da koriste i upravljaju sistemskim datotekama unutar Linux-a. Pogrešno uređivanje /etc/passwd datoteke može dovesti do toga da izgubite administratorske privilegije nad vašim korisničkim nalogom nakon čega ne možete instalirate omiljene programe, ažuriranja niti izvršiti nadogradnju vaše postojeće Linux distribucije. U tome slučaju postoji rješenje a to je uređivanje i resetovanje administratorskih privilegija u /etc/suders datoteci.

Slika 1: sudoers incident

Izvor slike: /home/amar/Desktop/slika1

Na ovoj slici vidite upravo scenario s kojim sam se susreo nakon čega mi je korisnički nalog jednostavno izgubio administratorske privilegije. Pojednostavljeno, korisnik amar više nije administrator nego obični korisnik. Kako rješiti ovaj problem? Rješenje ovog problema je izvodivo u sljedeća tri koraka:

Resetovanje Ubuntu-a te prebacivanje u root shell prompt

Slika 2: Ubuntu root shell

Izvor slike: /home/amar/Desktop/slika2

Vračanje ili resetovanje administratorskih privilegija za moje korisničko ime (amar) zahtjeva uređivanje /etc/sudoers datoteke u omiljenom tekst editoru kao root. Ja sam odabrao nano tekst editor. No, prije nego otvorim datoteku /etc/sudoers, potrebno je u root shell unjeti sljedeću komandu koja izgleda ovako:

mount -o remount, rw /

Za napomenu: Vaša distribucija je trenutno u modu read only, što znači da je moguće samo pregledati datoteke vaše distribucije ali nije moguće uređivati. Navedena komanda će root file sistem prebaciti iz read only u read and write mode. Nakon ovoga možemo otvoriti datoteku /etc/sudoers za uređivanje.

Uređivanje /etc/sudoers datoteke

Ja sam do sada iznjeo neke glavne stavke ovog članka te sam scenario koji se može desiti i dogodi veom često. Ono što nisam objasnio jeste pitanje: 'Šta je sudoers uopće?'. Kada unesete u terminal komandu man sudoers ovo je odgovor koji vam man daje.

Slika 3: Sudoers admin polica

Izvor slike: /home/amar/Desktop/slika3

Prostim jezikom, /etc/sudoers datoteka sadrži listu korisnika sa administratorski privilegijama a ona izgleda ovako.

Slika 4: Izgled /etc/sudoers datoteke

Izvor slike: /home/amar/Desktop/slika4

Jedina izmjena u ovoj datoteci je ona koja se tiće grupe %admin. Upravo u ovu grupu moramo dodati korisnika amar kako bismo mu povratili administratorske privilegije. Kod vas je naravno drugi korisnički nalog u pitanju ali su postupci isti i imati će isti efekat.

Promjena lozinke korisnika amar i dodjela u grupu admin

Obzirom kako je moj nalog amar izgubio privremeno svoje administratorkse privilegije, potrebno je dodjeliti novu lozinku kako bismo uspješno obnovili admin privilegije nad distribucijom. Lozinku mjenjamo komandom passwd. Sintaksa joj je passwd user nakon čega dobijete poruku tipa: 'Current unix password', što izgleda ovako.

Slika 5: Promjena lozinke za nalog amar

Izvor slike: /home/amar/Desktop/slika5

Nakon što promijenite lozniku vašeg korisničkog naloga, lozinka će biti sačuvana u posebnu datoteku /etc/shadow koja čuva enkriptovanu lozniku bilo kojeg Linux korisnika. Posljednji korak je dodavanje korisnika amar u grupu admin kako bismo mu povratili admin privilegije. Takav zadatak možemo izvesti sljedećom komandom:

sudo usermod -G admin amar

Naredna slika pokazuje uspješno obavljenu radnju. U osnovi, komanda usermod se koristi i za izmjenu korisničkih podataka te na kraju dodavanje korisnika u određenu grupu.

Slika 6: Dodavanje korisnika amar u grupu admin te provjera statusa

Izvor slike: /home/amar/Desktop/slika6

Kao što vidite na slici 6, amar je uspješno dodat u grupu admin čime su mu ponovo omogućene administratorske privilegije nad Ubuntu distribucijom.

Slika 7: amar je ponovo administrator

Izvor slike: /home/amar/Desktop/slika7

Zaključak:

Gubitak administratorskih privilegija nad vašom Linux distribucijom može biti uzrokovan nizom popratnih radnji na koje kao korisnik te na kraju kao administrator ne obraćate previše pažnje. U mom slučaju, ja sam izgubio admin privilegije kreiranjem novog korisnika te zamjena postojećih informacija unutar datoteke /etc/passwd što je kompromitovalo moje admin privilegije nad nalogom amar. Srećom, tri iznesena koraka su sve što je potrebno da se admin privilegije povrate korisniku kojemu su oduzete i to je rješenje ovog problema.

Na kraju, savjetujem da budete jako oprezni prilikom uređivanja konfiguracijskih datoteka (/etc/) jer ukoliko ne znate šta radite možete ugroziti stabilnost vašeg sistema te dovesti do neželjenog gubitka vaših podataka ili do goreg incidenta. Ja se nadam u svakom slučaju da vam je ovaj članak mnogo pomogao i da ste iz njega nešto i naučili. Pa ukoliko iskusite sličan incident, pošaljite mi tekstualni članak o vašem načinu na koji ste ga riješili. Toliko od mene za sada i do narednog čitanja.

LinuxLab - User management - part I -

Welcome to my second LinuxLab which is a special part of my preparation for LPIC-1. This lab was created according to Linux LPIC-1 Certification Bible where I have recently cover a several chapter including user management in Linux, file permissions, and so on. So, in this article I will focus on four assignments in order to complete this article and to demonstrate how to add a new user, creating a unique user group, setting file permissions and I will show you how to use ssh/sftp protocol in order to extract a report.txt file on your private server and etc.

Written by: Amar Tufo

4. October, 2017

On the image above you can see the tasks for LinuxLab which we have to solve in this article. I have even planed to make a YouTube tutorial for this LinuxLab but I have decided to write an article and then I shall see about YoutTube part. Let's begin!

Creating a new user!

The first part of this LinuxLab is to create a new Linux user named ubuntugeek with it's home directory and new user group named ubuntustation. There are dozens tutorials available online on how to make a new Linux user as well as new user group. But in this article you need to understand several major things when creating a new user. One in particular is the way you are gonna access the newly created user in Linux; Second is /etc/passwd file which holds all information on user including it's name, group, user id, group id, user home directory, and login shell. Now, here's my sample of /etc/passwd file.

Image 1: /etc/passwd file for user amar

Image source: /home/amar/Desktop/image1

It's very important to understand the /etc/passwd file since information stored in this file are crucial when it comes to user management in Linux as you can use this file to add user manually to your Linux distribution. For more on /etc/passwd file check this link. Here are three key notes on /etc/passwd file.

root account - this account is known as superuser and it is the most privileged account on a Linux system. It gives you the ability to administer the system by adding new accounts, changhing user passwd, examining log files, installing software and changing file permissions.

nobody account - this account is used for system services and has no shell or home directory.

the /bin account - contains the home directory of /bin with no shell assignment.

You can get the same information on the current user by typing the following command like in this sample down bellow.

grep amar /etc/passwd

Once you type your user name, the output should be as follow:

Image 2: Output of the command grep amar /etc/passwd

Image source: /home/amar/Desktop/image2

In the following table, here's an explanation of the command above to understand what these information are.

Image 3: Explanation of the grep amar /etc/passwd command

Image source: /home/amar/Desktop/image3

The last thing I wanna note here is the user password. Now, Linux store user password in a unique file named /etc/shadow. The x: character you see in the table above represents my encrypted password which is stored in /etc/shadow file. Password is basically showed in a bunch of random letters and numbers which are difficult to read but safe and encrypted. In other hands, you don't want others to know your password. Here's my sample of /etc/shadow file.

Image 4: Output of the command sudo grep amar /etc/shadow

Image source: /home/amar/Desktop/image4

Creating ubuntugeek user.

The output for your user name will be different than my which is ok. Now, we can start to make our ubuntugeek user with it's user group and home directory. The command you will see here are well tested for the purpose of this article. There are several ways to create a new Linux user and one way that I prefer is via useradd command using the following command syntax:

sudo useradd -m ubuntugeek

Once you type the following command, you should be able to see the newly created ubuntugeek user as on this image down bellow.

Image 5: Accessing newly created user ubuntugeek using su ubuntugeek command

Image source: /home/amar/Desktop/image5

One note: In order to access our ubuntugeek user, in command above I have use -m to tell the Terminal to force create ubuntugeek home directory. Without home directory, we won't be able to access ubuntugeek user neither it's data. Before we make our user group and add ubuntugeek inside it, we need to assign ubuntugeek password. We can do that using the following command:

sudo passwd ubuntugeek

The output of the following command is as follow:

Image 6: Assigning ubuntugeek password

Image source: /home/amar/Desktop/image6

The name of your user is different than my in the sample above, but it's the same syntax you should follow in order to assign your user password or change an existing password and etc.

Creating group ubuntustation.

User groups are essential part in Linux. Basically it can be described as a collection of multiple users which have default permissions on the system files and etc. Note, that groups need to be manage some how and that's where permissions comes in to play. Permissions are important part of Linux security since they allow Linux System administrator to set the permission for user as root account, groups and others. This way, I can set the permission to read, write and execute certain file or limit other users to write or modify the file, but grant them to read and execute certain file and so on. More on groups, please click the following link. Before I show you how to create ubuntustation group for our ubuntugeek user, I will show you how to view file permissions over the files or directory. The following command is used to see the file permissions.

cd Desktop
cd application
ls -l

In the command above, I have chosen application directory on Desktop which I have listed using the ls -l command. Here's the output.

Image 7: Listing file permissions on the application directory content

Image source: /home/amar/Desktop/image7

Each file has a default permission set assigned to user (root account), groups and others. This default permissions are known by characters such as rwx as shown on image7 above. What they does or mean is important to know because you will work with them a loot. In short, here is a explanation of rwx characters:

read (r) - it allows the file to be viewed or directory content to be listed.

write (w) - it allows you to modify the file or to write to the file.

execute (x) - it allows you to run the file, program or execute a script.

In the image 7 you can clearly see -rwx characters in front of main.cpp file in my application directory. In this case, main.cpp is C++ source code file on which I have set the default permission for user (amar) which is rwx, group can rw but can't execute the file, and others can execute and read the main.cpp file. Here's a command which I have used to set the main.cpp permissions:

chmod u+rwx,g+rw,o-wx main.cpp

The command used in this sample is chmod (change mod). It's this command that allow Linux System administrator to grant access on certain files and directories for user, groups and others or to take them away at will in order to protect the system or user it self. Since this is a LinuxLab, I don't have time to explain chmod and file permissions in detail but if you are interested to know more about this command which I highly recommend, then visit this link.

Finally, let's make our ubuntustation group and to complete this article. The command used to create group is groupadd. Here's the full command.

groupadd ubuntustation

Now, there's nothing special to note or add here to this command. Only thing is that our newest group has been created and we can now add our ubuntugeek user to ubuntustation group using the following command.

sudo usermod -G ubuntustation ubuntugeek

In the command above I have used the usermod command to add ubuntugeek user to ubuntustation. The Terminal command to make sure that we have added ubuntugeek to ubuntustation is the following:

Image 8: Checking that ubuntugeek user is part of ubuntustation group

Image source: /home/amar/Desktop/image8

This is it. We have successfully added our ubuntugeek to ubuntustation group and therefore completed this first part of my LinuxLab. Make sure to read entire article, comment it, share it via social media and please if you note errors while reading this article weather in text or Linux commands used in this article, please comment it down bellow so that I can fix it and update it as soon as possible. Until the next time, I see you soon in part two of my LinuxLab.