Archive for January, 2008


Sunday, January 27th, 2008

/etc/sudoers file opens. The file contains four commented lines, acting as placeholders for alias definitions.

4. Enter the aliases under the appropriate headings. For example, if you're creating a Cmnd_Alias, place it under the comment that says # Cmnd_Alias specifications. See the next section, Defining the Alias, for more information about the format of an alias.

5. When you're finished adding aliases, save the file and exit the editor.

When you save the file edits, you may get an error message in the terminal window:

    Warning: undeclared Host_Alias NAME referenced near line 12
    >>> sudoers file: syntax error, line 11 <<<
    What now?

The sudoers error messages aren't very helpful. Odds are, you made a typing error, so enter an e to reopen and edit the file and then check your entry.

sudo is particularly fussy about capitalization; the first letter of the alias type and the word alias need to be capitalized.

Defining the Alias

Before you can add an alias, you need to decide what the alias will contain. This takes a bit of thought, but as you think about your users and their roles in the workplace, some logical divisions of privileges will probably emerge.

Model the sudo aliases against the real-world roles that your users take on and the real-world privileges that the company structure might impose. A management hierarchy might translate into a hierarchy of user aliases and privileges.

Here's the basic format of an alias definition:

    Alias_Type ALIASNAME = member one, member two

Note that capitalization is important in the sudoers file. Alias names may contain only uppercase letters, numbers, and underscores (and must begin with a letter). The words User_Alias, Runas_Alias, Host_Alias, and Cmnd_Alias must all be capitalized as shown in this sentence.

Creating a User_Alias

To create a User_Alias named ACCTG consisting of Freddie, Franklin, and Georgette, add the following code to the /etc/sudoers file:

    User_Alias ACCTG = freddie, franklin, georgette

To create an alias consisting of the members of another group but excluding a certain member, you can define a group as follows:

    User_Alias MGMT = ACCTG, ! georgette

The ! excludes Georgette from the MGMT group.

You can use the ! to exclude the rights to certain privileges from certain users, but don't consider that to be absolute security. Wily users can find their way around a lack of privileges if they really want to.

Creating a Runas_Alias

The command to create a Runas_Alias is similar to the command to create a User_Alias, but you can also specify members by their user numbers:

    Runas_Alias OPERATORS = #1, murphy, rachel, bernie

A single user can belong to many aliases; the user gains the privileges of each group. In a small company, the timesaving benefits might not be immediately obvious, but if you're managing the
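
The alias rules above (capitalized alias types, uppercase alias names, and the "undeclared ... referenced" warning) can be checked before a file is ever saved. The following Python sketch is an added example, not code from the original text. The sample sudoers content, the WEBSERVERS and DANGER aliases and the command paths are constructed, and the parser assumes only plain alias definitions and simple "users hosts = commands" entries.

```python
import re

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
CANONICAL = {t.lower(): t for t in ALIAS_TYPES}
# Alias names: uppercase letters, digits and underscores, starting with a letter.
ALIAS_NAME = re.compile(r"[A-Z][A-Z0-9_]*\Z")
BUILTIN = {"ALL"}  # sudo's predefined alias, never declared by the admin

# Constructed sample; lines 4 and 7 contain deliberate mistakes.
SAMPLE = """\
# User alias specifications
User_Alias ACCTG = freddie, franklin, georgette
User_Alias MGMT = ACCTG, ! georgette
user_alias Temps = tex
Runas_Alias OPERATORS = #1, murphy, rachel, bernie
Cmnd_Alias DANGER = /bin/rm, /sbin/mkfs, /sbin/parted
MGMT WEBSERVERS = DANGER
"""


def _members(list_text):
    """Split a comma-separated sudoers list, dropping any leading '!'."""
    items = []
    for item in list_text.split(","):
        item = item.strip().lstrip("!").strip()
        if item:
            items.append(item)
    return items


def lint_aliases(text):
    """Return sorted (line_number, message) findings for alias mistakes."""
    findings = []
    declared = {}  # alias name -> alias type
    refs = []      # (line_number, expected alias type, alias name)

    def note_refs(lineno, kind, list_text):
        # An all-uppercase list member is read as a reference to an alias.
        for member in _members(list_text):
            if ALIAS_NAME.match(member) and member not in BUILTIN:
                refs.append((lineno, kind, member))

    for lineno, raw in enumerate(text.splitlines(), 1):
        # Strip comments, but keep '#<digits>' (a numeric user ID).
        line = re.sub(r"#(?!\d).*", "", raw).strip()
        if not line or "=" not in line:
            continue
        lhs, rhs = (part.strip() for part in line.split("=", 1))
        words = lhs.split()
        if len(words) == 2 and words[0].lower() in CANONICAL:
            kind = CANONICAL[words[0].lower()]
            if words[0] != kind:
                findings.append(
                    (lineno, f"alias type must be written {kind}, not {words[0]}"))
            if ALIAS_NAME.match(words[1]):
                declared[words[1]] = kind
            else:
                findings.append(
                    (lineno, f"bad alias name {words[1]!r}: use A-Z, 0-9 and _"))
            note_refs(lineno, kind, rhs)
            continue
        # Simple privilege entry: user list, host list, '=', command list.
        parts = re.sub(r"\s*,\s*", ",", lhs).split()
        if len(parts) == 2:
            note_refs(lineno, "User_Alias", parts[0])
            note_refs(lineno, "Host_Alias", parts[1])
            note_refs(lineno, "Cmnd_Alias", rhs)

    # Resolve references once every definition in the file has been seen.
    for lineno, kind, name in refs:
        if declared.get(name) != kind:
            findings.append((lineno, f"undeclared {kind} {name} referenced"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in lint_aliases(SAMPLE):
        print(f"line {lineno}: {message}")
```
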

Saturday, January 26th, 2008

Runas_Alias: Using a Runas_Alias allows a user to borrow the privileges of another user (typically, root). A Runas_Alias definition can include user names, UIDs, user groups, and other Runas_Aliases.

Host_Alias: Use a Host_Alias to manage groups of computers if you manage a large network. Assigning a Host_Alias to a group of Web servers allows you to apply sudo rules to all the systems in the group. A Host_Alias can reference host names, IP addresses, netmasks, or other host aliases.

Cmnd_Alias: A command alias groups similar commands (similar in their danger levels). Grouping commands like rm, mkfs, and parted (potentially dangerous commands) and limiting access to them can help decrease the likelihood that you'll be restoring from backup anytime soon. A Cmnd_Alias can refer to command names, directories, and other command aliases.

Adding Aliases to the sudo Configuration File

sudo aliases are defined in the /etc/sudoers file. Adding an alias is quick and simple:

1. Open the terminal window and give yourself superuser privileges with the su - command.

2. Tell the visudo command (which you use in a moment) which editor you want to use (the default editor is vi, and we'd rather not go there). For example, if you want to use kedit, use the following command:

    # export EDITOR=kedit

You can use kate, emacs, or another editor if you prefer.

3. To edit the /etc/sudoers file, enter the following command:

    # visudo

Installing sudo

To find out if sudo is installed on your computer, look for a file called /etc/sudoers. If it's not there, install sudo from your Linux distribution disc. Open a terminal window and give yourself superuser privileges with the su command. Mount the distribution disk, move into the directory holding the RPM packages, and install sudo with the following command:

    # rpm -Uhv sudo-version.rpm

Adding Up the Aliases

The sudoers file holds sudo configuration information; program permissions and sudo aliases are defined in /etc/sudoers.

An alias (a sudo alias anyway) is a name that you give to a group of one or more users, hosts, commands, or run as names.

The idea behind an alias is that you can assign (or deny) privileges to the named group rather than to each individual group member, making setup and maintenance much easier. For example, you may have a small group of users who perform system maintenance tasks (such as backup and restore operations). Rather than assigning privileges to each individual operator, create an operator alias (a group that includes all your operators) and assign backup and restore privileges to the alias. That way, if you hire new operators, you simply add them to the operator alias, and they have all the privileges they need. Or, if you switch to a different backup program, you can change the privileges assigned to the operator group rather than to each individual.

By modifying the sudoers file, you can create four kinds of aliases:

User_Alias: A User_Alias creates a group of users. A User_Alias definition can contain a combination of groups, individual users, and other user aliases.

Saturday, January 26th, 2008

32 sudo Pseudonyms

Every system administrator walks a thin tightrope. On one hand, you must secure your system against both accidental and intentional damage. On the other hand, you can't tighten security to the point where average users can't get their jobs done.

In a traditional Linux (or UNIX) system, privileges are granted to the superuser. If you need a privilege, you impersonate the superuser (with the su command). The problem with this approach is that you gain all privileges as soon as you know the superuser password. Give yourself enough privileges to mount a CD, and you've also gained enough privileges to delete every file on your computer.

sudo (see Technique 31) can help by handing out privileges to specific users and programs. But if you have a medium- to large-sized network, managing sudo privileges can become a time-consuming chore. Assigning privileges with sudo aliases can help make quick work of the task.

A sudo alias is an easy way to refer to a group of users, hosts, or commands when handing out privileges that are normally given to the superuser. The elements of the superuser privileges can be assigned individually, so the administrator doesn't have to give out the root password. Only the privileges that a user really needs are given out.

With sudo aliases, you can create User_Alias groups to assign privileges to groups of users. If the group (or department) gains new users, just add those new users to the User_Alias, and they automatically have all the privileges shared by that group. No one gets the superuser password, so you don't need to worry about runaway superuser privileges.

Host aliases allow you to control groups of computers with one set of privilege assignments. You can quickly combine user aliases and host aliases to grant access to machine resources to the users that really need the resources, but still restrict the superuser privileges that might pose a security threat to the system.

In this technique, we show you how to save time by using sudo's aliases to assign privileges to groups. When you become a sudo superuser, you really start to save time. In this technique, we show you how to use sudo aliases to save time assigning privileges. And your system will be a safer place for it.

Technique: Save Time By
    Creating a User_Alias to manage group privileges
    Using a Host_Alias to assign resource privileges to groups
    Creating a Cmnd_Alias to keep dangerous commands under control
    Sharing superuser commands without sharing the password

Friday, January 25th, 2008

see Technique 13) to maintain a complete history of all the privileges you've ever granted on your entire network.

Of course, you can also list multiple users in the same sudoers file:

    # file: /etc/sudoers
    freddie bastille = /bin/mount /dev/cdrom, /bin/umount /dev/cdrom
    franklin,tex versaille = /usr/bin/reboot, /sbin/dump, /sbin/restore

The third line grants two users (franklin and tex) the right to reboot and the rights to backup and restore, but only on a host named versaille.

You can see the pattern: Each entry starts with a user name (or a list of user names), a host name (or a list of host names), an equals sign, and then a command (or list of commands). Each entry grants a set of privileges to one or more users on one or more hosts.

The man pages for sudo (and sudoers) state that you must use the visudo command to edit the /etc/sudoers file. That's not really true; you can use any editor you like. visudo does some extra error checking whenever you save your file, but we find the error messages to be more confusing than helpful.

can simply slip a bogus program (with the same name) into their search path and gain privileges that you don't want them to have.

The first time you edit the /etc/sudoers file, you'll notice that it's already filled in with sample entries. Don't even look at them. They're too confusing. Just add the one or two lines that you need and ignore the samples.

Freddie can now mount CDs, but he can't unmount them. That's easy to fix; just add the umount command to the list of privileges:

    # file: /etc/sudoers
    freddie bastille = /bin/mount, /bin/umount

Now freddie can mount and unmount file systems. But what if you want freddie to mount and unmount only CDs, not other file systems? That's easy, too:

    # file: /etc/sudoers
    freddie bastille = /bin/mount /dev/cdrom, /bin/umount /dev/cdrom

Save time by including host names in the sudoers file, maintaining a single master copy of the file, and copying it to each machine on your network. That way, you don't have to create a separate sudoers file for each machine. In fact, you can store the sudoers file in CVS

Friday, January 25th, 2008

reason that you might want to impersonate another user is to gain privileges to a particular piece of software, but you may not need all the privileges of the superuser to accomplish what you need to do. If you give yourself only the privileges that you need instead of giving yourself the power to accidentally destroy your system, you'll save yourself a lot of grief and wasted time.

To see how impersonating a user without gaining all the powers of the superuser works, take MySQL as an example. When you install a MySQL database, you usually create a new user account for the MySQL administrator. The MySQL administrator is not a real person (in most cases), it's just a name for a set of privileges. To fire up your MySQL database, you must become the MySQL administrator for a while:

    [freddie@bastille /]$ su - mysql
    [mysql@bastille /]$ id
    uid=301(mysql) gid=301(mysql) groups=301(mysql)
    [mysql@bastille /]$ mysqld_safe &
    [mysql@bastille /]$ exit

Notice the hyphen in this command, which tells su to invoke the login scripts for user mysql. When you run su without a hyphen, you're impersonating another user. When you run su with a hyphen, you're impersonating another user and inheriting the environment variables (and shell aliases and functions) that belong to that user.

The most common problem you run into (if you forget the hyphen) is that your $PATH environment variable is wrong. For example, if you forget the hyphen when you su mysql, it's pretty unlikely that the mysqld_safe command will be in your $PATH search path: mysqld_safe is on mysql's search path. In other words, su - is a complete impersonation.

Limiting Privileges with sudo

What's wrong with the su command? Running a shell as the superuser is sort of like hunting squirrels with a bazooka; sure, you can hunt squirrels that way, but it's safer to use a smaller armament. If you're running a shell while you have superuser privileges, it's just too easy to make a typing mistake that deletes important information. (Trust us, we've done that a few too many times.)

One way to avoid shooting yourself in the foot is to use sudo instead of su. From a user's point of view, sudo is very similar to su: Each command starts a new program that holds elevated privileges. su gives you all privileges, but sudo gives you only the privileges granted by an administrator. In other words, sudo gives you a way to grant partial privileges to those who need them, without giving them the whole bazooka. Really, you need to su only when you configure sudo.

The whole point of using sudo (instead of su) is to save yourself time by avoiding disasters. If you decide to use su in your normal course of work, be sure to read Techniques 49 and 50 (backup and recovery).

sudo is controlled by a configuration file named /etc/sudoers. The layout of a sudoers file can be a bit confusing at first, but don't be intimidated. Here's a simple /etc/sudoers file:

    # file: /etc/sudoers
    freddie bastille = /bin/mount

The first line is a comment (anything that follows a # is treated as a comment). The second line grants user freddie the right to run the /bin/mount command as long as he's logged into a computer named bastille.

Now if freddie wants to mount a file system, he'll have to ask sudo to do the work for him:

    [freddie@bastille /]$ sudo mount /dev/cdrom /mnt/cdrom
    [freddie@bastille /]$

When you add entries to the sudoers file, be sure to include the complete pathname to each command. If you don't, dastardly users

Thursday, January 24th, 2008

Overwrite the /etc/motd file as follows:

    [root@bastille /]# echo Bastille will be down this evening for an upgrade > /etc/motd
    [root@bastille /]#

5. Now here's the most important part: Exit the privileged shell, forfeiting your new privileges:

    [root@bastille /]# exit
    [freddie@bastille /]$

Do-it-yourself identity checking

The bash shell is just trying to be helpful when it changes your prompt from $ to # (and back again), but if you modify your prompt, you can't rely on this cue. For a more definitive hint, the id command is your answer. id prints out your current identity:

    [freddie@bastille /]$ id
    uid=501(freddie) gid=501(freddie) groups=501(freddie)

Notice that id printed your user ID (and name) and a list of groups to which you belong (in this case, a single group named freddie). Now give yourself superuser privileges and try the id command again:

    [freddie@bastille /]$ su
    Password:
    [root@bastille /]# id
    uid=0(root) gid=0(root) groups=0(root),1(bin), …
    [root@bastille /]# exit
    [freddie@bastille /]$ id
    uid=501(freddie) gid=501(freddie) groups=501(freddie)

You see that the su command changes more than just your privileges: It changes your identity as well.

Pretending to Be Other Users

Because su gives you a way to become the superuser, you may be thinking that su stands for superuser. In fact, su stands for substitute user: You can impersonate any user with su (as long as you know the right password).

Sometimes, you need to do those things because users come and go, passwords are forgotten, and files need changing. Save yourself a lot of time by limiting your powers and minimizing the damage that you can do. Save the power for when you really need it.

Gaining Superuser Privileges

Given all the exciting and hazardous things that a superuser can do, how do you become one? Simple: Just type su at the command prompt. Okay, the process is not quite as simple as that; you also have to know the superuser's password.

Here's a short example. Say that you want to modify the /etc/motd file. (The content of /etc/motd is displayed whenever you log in to your system; motd stands for message of the day.) Customizing /etc/motd is a quick way to alert your users that something important is happening today. On most systems, /etc/motd can be modified only by the superuser, as described in the following steps:

1. Log in to your system as a normal (that is, non-superuser) user.

2. Type the su command at the prompt:

    [freddie@bastille /]$ su

su requests the superuser password:

    Password:

3. Enter the password.

If you've entered the correct password, the prompt changes from $ to # to remind you that you hold elevated privileges. See the Do-it-yourself identity checking sidebar for details on an even better way to see your privileges at the prompt.

    [root@bastille /]#

At this point, su starts a new, highly privileged shell for you.

Thursday, January 24th, 2008

31 Gaining Privileges

Every Linux system has a user who thinks he's better than everyone else; a user who wants more privileges than anybody else has; a user who can do things others can't do. We call him the superuser, but his real name is root.

This technique shows you how to gain and use superuser privileges safely from the comfort of your desk, no phone booths or funny tights required. Limiting the power of the superuser is important if you want to keep your system safe and secure. You'll save a lot of time if you don't have to recover from disasters caused by (accidentally) flexing too many superuser muscles. Sometimes you need superuser privileges to do system administrator work like configuration, user management, and privilege management. But we show how to limit your exposure by gaining only the privileges that you need and only when you need them.

Feeling the Power

In most systems, a single user, named root, holds superuser privileges. (You can think of user root as synonymous with superuser.) The superuser can do anything he wants on your system, such as the following operations:

    Modify (or delete) any file.
    Change any password.
    Use any device.
    Create new user accounts.
    Delete old user accounts.
    Lock you out of your system.

Sounds like someone you want to keep out of your system, doesn't it?

Technique: Save Time By
    Knowing the power of the superuser
    Gaining extra privileges with the su command
    Limiting privileges with sudo

Wednesday, January 23rd, 2008

kedit window opens, displaying the contents of /etc/group.

3. Find the line in the file that starts with wheel.

4. Add a comma, followed by your username, to the line.

    wheel:x:10:root,username

5. Save the file and exit.

6. Enter the following command:

    $ kedit /etc/pam.d/system-auth

7. If you're using Fedora, find the lines that look like this:

    # Uncomment the following line to \
    implicitly trust users in the \
    wheel group.
    #auth sufficient \
    /lib/security/$ISA/pam_wheel.so \
    trust use_uid

If you're using Mandrake, you won't have the last line included in your system-auth file. You'll need to add the following line as the second rule in your system-auth file:

    auth sufficient \
    /lib/security/$ISA/pam_wheel.so \
    trust use_uid

8. If you're using Fedora, remove the # from the beginning of the auth rule.

The result should look like this:

    # Uncomment the following line to \
    implicitly trust users in the \
    wheel group.
    auth sufficient \
    /lib/security/$ISA/pam_wheel.so \
    trust use_uid

Now, when you use the su command, PAM recognizes that you are a member of the wheel group and doesn't ask for the root password.

If you decide to allow PAM to skip password prompts and you leave your desktop logged in and unattended, you may be asking for trouble.

The pam_cracklib module works only with the password rule type. It checks the password against a dictionary to see if the new password entered is guessable. If you set pam_cracklib to required, only complex, difficult-to-crack passwords will be accepted.

Skipping a Password with PAM

You can tighten security fast with PAM, but you can also relax security standards to save time in certain cases. On a system that's not holding data that is life-and-death important, and that's not an integral link in a network, you can make PAM skip the request for a root password when you need superuser privileges at the command line.

The pam_wheel.so module returns a positive result whenever members of the wheel group try to authenticate themselves. That means that if you're a member of the group named wheel, PAM assumes that you've already authenticated yourself and lets you continue without a password. What's the significance of the name wheel? We can't figure it out either.

Think twice before disabling root passwords. Never having to slow down to enter a password is a definite timesaver, but it's about the loosest security you can have.

The following example works for Fedora or Mandrake. The same technique will work for SuSE, but because SuSE doesn't use a common configuration file (like system-auth), you need to decide for yourself which files you want to modify.

To change the PAM configuration files to allow superuser access without a password, follow these steps:

1. Open your terminal window and give yourself superuser privileges.

2. Enter the following command:

    # kedit /etc/group file
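
To check whether a system has the relaxed rule described above switched on, and who benefits from it, the following Python sketch reads a PAM file and /etc/group and lists the accounts that can su without a password. It is an added example, not code from the original text. The file contents are constructed samples modelled on the lines shown above; the pam_unix.so line, the freddie account and the function names are assumptions, and only the plain "sufficient" control is recognized.

```python
import re

# Constructed samples: the shipped file (rule commented out) and the edited one.
SYSTEM_AUTH_BEFORE = r"""#%PAM-1.0
# Uncomment the following line to implicitly trust users in the wheel group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
auth required /lib/security/$ISA/pam_unix.so
"""

SYSTEM_AUTH_AFTER = r"""#%PAM-1.0
# Uncomment the following line to implicitly trust users in the wheel group.
auth sufficient \
     /lib/security/$ISA/pam_wheel.so \
     trust use_uid
auth required /lib/security/$ISA/pam_unix.so
"""

GROUP_FILE = "root:x:0:root\nwheel:x:10:root,freddie\n"


def pam_rules(text):
    """Yield (first_line, type, control, module, args) for each active rule."""
    pending, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop comments first, then join lines that end in a backslash.
        line = re.sub(r"(?<!\\)#.*", "", raw).rstrip()
        if not pending:
            start = lineno
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        fields = (pending + line).split()
        pending = ""
        if len(fields) >= 3:
            yield start, fields[0], fields[1], fields[2], fields[3:]


def wheel_trust_rules(pam_text):
    """Return (line, group) for each active 'auth sufficient pam_wheel.so trust'."""
    hits = []
    for lineno, rtype, control, module, args in pam_rules(pam_text):
        if (rtype == "auth" and control == "sufficient"
                and module.rsplit("/", 1)[-1] == "pam_wheel.so"
                and "trust" in args and "deny" not in args):
            # pam_wheel checks the wheel group unless group=NAME is given.
            group = next((a.split("=", 1)[1] for a in args
                          if a.startswith("group=")), "wheel")
            hits.append((lineno, group))
    return hits


def group_members(group_text, name):
    """Return the member list of one group from /etc/group-style text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == name:
            return [user for user in fields[3].split(",") if user]
    return []


def passwordless_su_users(pam_text, group_text):
    """Accounts listed in /etc/group that a trust rule exempts from the prompt.

    Accounts whose primary GID in /etc/passwd is the group's GID are not
    visible here, because only the /etc/group member list is read.
    """
    users = set()
    for _lineno, group in wheel_trust_rules(pam_text):
        users.update(group_members(group_text, group))
    return sorted(users)


if __name__ == "__main__":
    for label, text in (("before", SYSTEM_AUTH_BEFORE), ("after", SYSTEM_AUTH_AFTER)):
        print(label, wheel_trust_rules(text), passwordless_su_users(text, GROUP_FILE))
```
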

Wednesday, January 23rd, 2008

a few modules use the system-auth configuration file. The system-auth file holds common configuration information in one file. Each file that needs the common information just refers to the system-auth file instead of duplicating that information.

When the authentication rules found in the system-auth file are satisfied, PAM continues to the third authentication rule (also required).

Line 4: The third auth rule requires a positive result from the pam_nologin.so module. The pam_nologin.so module checks for the existence of the /etc/nologin file. If the /etc/nologin file exists, only root is allowed to log in.

Create the /etc/nologin file to block other users from logging in to the system while you're performing system maintenance. Just be sure to delete the file again when you're done because no other users (other than root) are allowed to log in while /etc/nologin exists.

When the authentication rules are met, and PAM is satisfied that the user is who he or she claims to be, PAM moves on to the account rules. Authentication rules lay out the procedure users must follow in order to prove that they are who they claim to be. Account rules kick in after the authentication process is completed.

Line 5: This is the only account rule in this file. The rule simply defers to the account rules in /etc/pam.d/system-auth. You can use account rules to enforce policies that aren't related to authentication but are still important: password aging, disabled accounts, and so on.

The system-auth file holds the most commonly used system configuration rules. You can look inside the file with the following command:

    $ kedit /etc/pam.d/system-auth

Looking in the system-auth file tells you that the pam_unix.so module is being invoked. The pam_unix.so module is responsible for password aging and other account-related concerns.

When the account-related issues have been satisfied, the login program requests that PAM satisfy any session rules that are required. By looking in the configuration file (lines 6 and 7), you can see two session rules: one required and one optional.

Line 6: The required rule is applied first. The required rule defers to the system-auth configuration file rules, where the pam_limits.so module and the pam_unix.so module are required to satisfy requirements before the login program can continue. pam_limits.so enforces limits imposed by the /etc/security/limits.conf file (limits on disk usage, CPU usage, memory usage, and so on). The requirements of the pam_limits.so module must be met before login is allowed to continue.

Line 7: Optional rules don't need to be satisfied to continue; they're optional. This rule specifies that the pam_console.so module may or may not be satisfied before the login program continues.

The pam_console module changes the file permissions when you log in at the console, and changes them back when you log out. The theory behind pam_console is that if you have physical access to the machine, you should have physical access to the peripherals. This is a fairly volatile module, and not one we recommend playing with.

Line 8: The password rule is invoked only when the login program requests that a password be changed. Then PAM looks in the configuration file, sees that the password rule requires that the system-auth password rules be satisfied before the user is allowed to change the password. In our system-auth file, the password rule requires that the pam_cracklib module be satisfied before the new password is accepted. Notice that password rules aren't actually part of the authentication sequence; they're only used to change the password (or retina scan, or fingerprint, or whatever you have configured).

Tuesday, January 22nd, 2008

configuration file by prefixing the comments with a #.

The next three rules are invoked, in order, during the authentication phase. (They all start with the word auth.)

Line 2: The first authentication rule invokes the pam_securetty.so module. If you track down the documentation for that module (see /usr/share/doc/pam-0.77/txts/README.pam_securetty), you see that this module allows privileged (that is, root) logins only from specific workstations. The idea behind securetty is that you can physically secure certain workstations (by placing them behind a locked door) and then allow root logins from only those workstations. Because the rule is required (see the second column), pam_securetty.so must return a positive response before PAM will continue with authentication.

pam_securetty.so makes sure that privileged users (like root) cannot log in from remote computers. They have to be sitting at one of the workstations listed in /etc/securetty.

Line 3: The second auth rule requires that the pam_stack.so module return a positive response when passed the argument service=system-auth. pam_stack.so doesn't really do any authentication checks by itself. Instead, it switches over to a common set of rules stored in another configuration file. Keeping commonly used rules in a single file makes it easier to manage PAM configuration. pam_stack.so returns a positive response if the rules in the other file (in this case, /etc/pam.d/system-auth) are satisfied.

Dissecting a Configuration File

Modifying a PAM configuration file isn't difficult, but the format appears pretty cryptic at first. In this section, we show you a typical configuration file and explain what each line does. After you can read a PAM configuration file, you can tailor your own files to more closely match your needs.

Each file in the /etc/pam.d directory controls PAM authentication for a single client. A client roughly equates to a program, and the filename is the same as the program name. The /etc/pam.d/login file contains all the authentication rules for the login program, the sshd file contains all the authentication rules for ssh, and so on.

The contents of your PAM configuration files may vary. The following is just an example of one possible configuration for a login file.

To peek into the login configuration file, open a terminal window and enter the following command:

    $ kedit /etc/pam.d/login

The PAM configuration file opens, displaying the authentication rules for the login command, as shown in Listing 30-1.

Here's a line-by-line breakdown of the rules in this file:

Line 1: The first line in /etc/pam.d/login is a comment. You can ignore that line for now, but notice that you can include comments in a

LISTING 30-1: THE PAM LOGIN CONFIGURATION FILE

    1 - #%PAM-1.0
    2 - auth required pam_securetty.so
    3 - auth required pam_stack.so service=system-auth
    4 - auth required pam_nologin.so
    5 - account required pam_stack.so service=system-auth
    6 - session required pam_stack.so service=system-auth
    7 - session optional pam_console.so
    8 - password required pam_stack.so service=system-auth