Wednesday, June 07, 2006

Quick Guide To Sudo

The very quick guide to sudo. This guide is for end users.

Sudo is configured by root to allow a user to run a command as root. If a user is granted all sudo privileges, then the user can do anything. Sudo eliminates password hassles, because the user only needs to know their own password.
To become root, a user would type:
$ sudo su - root
The user would be prompted for their own password.
A user can list their sudo privileges with:
$ sudo -l

Users will often be granted sudo for specific commands - such as starting and stopping a service or becoming another user. In this case, the user could (for example) start or stop a web server without needing the root password.

Application software may be installed as user appowner with group appgroup. The application files will typically be group/world readable, so there is limited ability to accidentally delete them. There will typically be other users in group appgroup, so those users can do most tasks with their own accounts. There will be times, for example application patching, when a user will need to become the application owner. The application owner password could be shared. Alternatively, users could be granted sudo permission to become the application owner.

Sudo is typically configured to log each use. Sometimes this is relied on as a security/auditing feature. When configured to write to syslog, an entry looks like:
Jun 7 10:05:22 host001 sudo: usera : TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/usr/bin/su - oracle
Be careful when relying on these logs, as the audit trail depends on the correct functioning of the commands that are run under sudo. For example, allowing "sudo vi /etc/hosts" will let the user spawn a shell as root from within vi, and the commands run in that shell will not be logged.
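The log line above is the only record sudo itself leaves, so a reviewer of those logs has to recognise entries after which the trail goes dark. The script below is an added example (not from the original post): it parses syslog lines in the format shown, splits out the invoking user, the target user and the command, and flags commands whose program can start a shell (su, interactive shells, editors and pagers with shell escapes). The sample log lines are constructed for this example, and the set of shell-spawning programs is an assumption to be tuned for the site.

```python
import re

# Constructed sample lines in the syslog format shown in the post.
# Host names, users and paths are made up for this example.
SAMPLE_LOG = """\
Jun 7 10:05:22 host001 sudo: usera : TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/usr/bin/su - oracle
Jun 7 10:06:01 host001 sudo: userb : TTY=pts/2 ; PWD=/home/userb ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Jun 7 10:07:40 host001 sudo: userc : TTY=pts/3 ; PWD=/home/userc ; USER=root ; COMMAND=/sbin/init.d/httpd stop
Jun 7 10:08:15 host001 sudo: userd : TTY=pts/4 ; PWD=/home/userd ; USER=root ; COMMAND=/usr/bin/su - appowner
"""

# One sudo syslog entry: timestamp, host, invoking user, TTY, working
# directory, target user and the full command line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Programs after which sudo's own log tells you nothing more: they start an
# interactive shell, or can be told to start one (an editor's shell escape),
# so whatever is run inside them is invisible to sudo. Assumed list; extend
# it for the commands granted at your site.
SHELL_SPAWNERS = {"su", "sh", "bash", "ksh", "csh", "vi", "vim", "ed", "more", "less"}


def parse_line(line):
    """Return a dict of the fields in one sudo log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    argv = rec["cmd"].split()
    rec["program"] = argv[0].rsplit("/", 1)[-1]  # basename of the executable
    rec["args"] = argv[1:]
    return rec


def audit_gap(rec):
    """True when the logged command can open a shell, i.e. later actions are unlogged."""
    return rec["program"] in SHELL_SPAWNERS


def audit(text):
    """Return (user, target, command) for every entry after which sudo logging stops."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and audit_gap(rec):
            findings.append((rec["user"], rec["target"], rec["cmd"]))
    return findings


if __name__ == "__main__":
    for user, target, cmd in audit(SAMPLE_LOG):
        print(f"{user} -> {target}: '{cmd}' can spawn a shell; later commands are not logged")
```

Of the four constructed entries, the two "su -" lines and the "vi /etc/hosts" line are flagged, while the service stop is not: it runs a fixed script and returns, so the sudo entry is the complete record of what was done.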

Alternatives to sudo are setuid and setgid programs (which have significant gotchas). Solaris has Role Based Access Control, which provides more granular privileges.

Saturday, May 27, 2006

Search Engine Optimization

SE-Tools has some tools for search engine optimization, including checking if your site is listed in the search engines.

Wednesday, May 24, 2006

Commands To Monitor NFS

Commands for monitoring NFS performance.

$ netstat -s -p tcp

$ nfsstat -c

$ nfsstat -m
/u001 from nas002:/client9_u001 (Addr 10.1.22.201)
Flags: vers=3,proto=tcp,auth=unix,hard,intr,link,symlink,devs,rsize=32768,wsize=32768,retrans=5
All: srtt= 0 ( 0ms), dev= 0 ( 0ms), cur= 0 ( 0ms)

/apps from nas002:/client9_apps (Addr 10.1.22.201)
Flags: vers=3,proto=tcp,auth=unix,hard,intr,link,symlink,devs,rsize=32768,wsize=32768,retrans=5
All: srtt= 0 ( 0ms), dev= 0 ( 0ms), cur= 0 ( 0ms)

$ rpcinfo
program version netid address service owner
100000 4 ticots client9.rpc rpcbind superuser
100000 3 ticots client9.rpc rpcbind superuser
100000 4 ticotsord client9.rpc rpcbind superuser
100000 3 ticotsord client9.rpc rpcbind superuser
100000 4 ticlts client9.rpc rpcbind superuser
100000 3 ticlts client9.rpc rpcbind superuser
100000 4 tcp 0.0.0.0.0.111 rpcbind superuser
100000 3 tcp 0.0.0.0.0.111 rpcbind superuser
100000 2 tcp 0.0.0.0.0.111 rpcbind superuser
100000 4 udp 0.0.0.0.0.111 rpcbind superuser
100000 3 udp 0.0.0.0.0.111 rpcbind superuser
100000 2 udp 0.0.0.0.0.111 rpcbind superuser
100024 1 tcp 0.0.0.0.192.0 status superuser
100024 1 udp 0.0.0.0.192.1 status superuser
100021 1 tcp 0.0.0.0.192.1 nlockmgr superuser
100021 1 udp 0.0.0.0.192.2 nlockmgr superuser
100021 3 tcp 0.0.0.0.192.2 nlockmgr superuser
100021 3 udp 0.0.0.0.192.3 nlockmgr superuser
100021 4 tcp 0.0.0.0.192.3 nlockmgr superuser
100021 4 udp 0.0.0.0.192.4 nlockmgr superuser
100020 1 udp 0.0.0.0.15.205 llockmgr superuser
100020 1 tcp 0.0.0.0.15.205 llockmgr superuser
100021 2 tcp 0.0.0.0.192.4 nlockmgr superuser
805306352 1 tcp 0.0.0.0.2.151 - superuser

Not NFS specific:
$ netstat -i
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
lo0 4136 loopback localhost 74916346 0 74916352 0 0
lan902 1500 10.1.22.0 client9nas 625727357 0 628752686 0 0
lan901 1500 10.1.18.0 client9afe 835324548 0 538488630 0 0
lan900 1500 10.1.20.0 client9adm 12442786 0 17658172 0 0
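The nfsstat -m and netstat -i output above is what you read by eye on the box; when the same checks have to be repeated across many clients it helps to parse it. The script below is an added example (not from the original post): it parses nfsstat -m output into one record per mount (server, export, mount flags, smoothed RTT in ms), parses the netstat -i table into per-interface counters, and applies a few simple checks. The sample output is constructed in the formats shown above, with a second mount altered to exercise the checks; the thresholds (32 KB rsize/wsize, 10 ms RTT) are assumptions for this example, not values from the post.

```python
import re

# Constructed sample output in the nfsstat -m format shown in the post. The
# second mount is deliberately altered (udp, soft, small buffers, non-zero
# RTT) so that the checks below have something to report.
NFSSTAT_M = """\
/u001 from nas002:/client9_u001 (Addr 10.1.22.201)
Flags: vers=3,proto=tcp,auth=unix,hard,intr,link,symlink,devs,rsize=32768,wsize=32768,retrans=5
All: srtt= 0 ( 0ms), dev= 0 ( 0ms), cur= 0 ( 0ms)

/apps from nas002:/client9_apps (Addr 10.1.22.201)
Flags: vers=3,proto=udp,auth=unix,soft,intr,link,symlink,devs,rsize=8192,wsize=8192,retrans=5
All: srtt= 7 ( 17ms), dev= 3 ( 15ms), cur= 2 ( 40ms)
"""

# Constructed sample in the netstat -i format shown in the post; the error
# and collision counts on lan901 are made up.
NETSTAT_I = """\
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
lo0 4136 loopback localhost 74916346 0 74916352 0 0
lan902 1500 10.1.22.0 client9nas 625727357 0 628752686 0 0
lan901 1500 10.1.18.0 client9afe 835324548 1250 538488630 0 300
"""

MOUNT_RE = re.compile(
    r"^(?P<mount>\S+) from (?P<server>[^:]+):(?P<export>\S+) \(Addr (?P<addr>[\d.]+)\)$"
)
SRTT_RE = re.compile(r"srtt=\s*\d+ \(\s*(?P<ms>\d+)ms\)")


def parse_flags(s):
    """Turn 'vers=3,proto=tcp,hard,...' into a dict; bare words become True."""
    flags = {}
    for item in s.split(","):
        if "=" in item:
            k, v = item.split("=", 1)
            flags[k] = int(v) if v.isdigit() else v
        else:
            flags[item] = True
    return flags


def parse_nfsstat_m(text):
    """Return a list of mount records: mount, server, export, addr, flags, srtt_ms."""
    mounts, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = MOUNT_RE.match(line)
        if m:
            cur = m.groupdict()
            mounts.append(cur)
        elif line.startswith("Flags:") and cur is not None:
            cur["flags"] = parse_flags(line[len("Flags:"):].strip())
        elif line.startswith("All:") and cur is not None:
            s = SRTT_RE.search(line)
            cur["srtt_ms"] = int(s.group("ms")) if s else None
    return mounts


def check_mount(m, min_bufsize=32768, max_srtt_ms=10):
    """Return a list of warnings for one mount (thresholds are assumed defaults)."""
    w, f = [], m.get("flags", {})
    if f.get("auth") == "unix":
        # AUTH_SYS: the server trusts the UID/GID the client asserts.
        w.append("auth=unix: access control rests on client-asserted UIDs")
    if "soft" in f:
        w.append("soft mount: I/O errors are returned to applications on timeout")
    if f.get("proto") != "tcp":
        w.append("not using TCP: UDP transport is less robust to packet loss")
    if f.get("rsize", 0) < min_bufsize or f.get("wsize", 0) < min_bufsize:
        w.append("rsize/wsize below %d" % min_bufsize)
    if (m.get("srtt_ms") or 0) > max_srtt_ms:
        w.append("smoothed RTT above %d ms" % max_srtt_ms)
    return w


def parse_netstat_i(text):
    """Return one dict per interface row, with the packet counters as ints."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        for k in ("Ipkts", "Ierrs", "Opkts", "Oerrs", "Coll"):
            row[k] = int(row[k])
        rows.append(row)
    return rows


def error_rate(row):
    """Errors plus collisions as a fraction of all packets on the interface."""
    total = row["Ipkts"] + row["Opkts"]
    return (row["Ierrs"] + row["Oerrs"] + row["Coll"]) / total if total else 0.0


if __name__ == "__main__":
    for m in parse_nfsstat_m(NFSSTAT_M):
        print(m["mount"], "from", m["server"], m["export"], "srtt=%sms" % m["srtt_ms"])
        for warning in check_mount(m):
            print("   ", warning)
    for row in parse_netstat_i(NETSTAT_I):
        print("%-7s error rate %.2e" % (row["Name"], error_rate(row)))
```

On a real client, feed it the output of nfsstat -m and netstat -i directly; the interesting cases are a mount whose srtt climbs between two runs, or an interface whose Ierrs or Coll counters grow while the others stay flat, which points at the network rather than the NFS server.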