Thursday, February 6, 2014

Installing with yum from a text file.




To install a list of specific  packages that are installed on one server to another server .

rpm -qa > installed.txt

will create a text file with a list of all installed packages

copy installed.txt from server1 using rsync to server2, like this:

rsync installed.txt  server2:

then on server2  type

 yum -y install $(cat installed.txt)

This will now install all the packages listed in installed.txt on server2.

Tuesday, February 4, 2014

Disallowing programs through Sudo

You want to grant user cgerada root privelages to all programs except one, lets use tcpdump in this example.
ie we want to prevent cgerada from running  tcpdump,  but he must still be able to run all other commands as root using sudo. Further ,you do not want cgerada to have the ability to sudo -i
which effectively changes cgerada to the root user.

Normally with sudo you list the programs that the user is allowed to run with root privelages.
in this example you want to list and implement a program that is not allowed..

To edit the sudoers config file
type visudo  [enter]
which will bring up the sudoers file in vi ready to edit..

add the following line

under the section were the Cmnd_Alias is commented out
add the following alias

Cmnd_Alias DISALLOWED = /user/tcpdump, /bin/bash

You can separate with commas all the commands that you want to disallow.

Im also disallowing /bin/bash simply because when a user types sudo -i a new bash session is started as root. by disallowing this my user will not be able to sudo -i.

Further down in the sudoers file were you see
root   ALL=(ALL)    ALL

add the following underneath

cgerada ALL=ALL, !DISALLOWED

The !(Bang) means the opposite  ie without the !(bang) the user will have access to those programs.
by putting in a !(bang) in front the opposite is true.

save the file and exit by typing :x [enter]

Now look what happens if the user cgerada tries to run tcpdump


sudo tcpdump -n port 25
[sudo] password for cgerada: 
Sorry, user cgerada is not allowed to execute '/usr/sbin/tcpdump -n port 25' as root on server.



now look what happens if the user tries to sudo -i

sudo -i
[sudo] password for cgerada: 
Sorry, user cgerada is not allowed to execute '/bin/bash' as root on server