Security Policy – Allow normal user to su without password

June 12, 2008

All Unix and Linux systems ship with different default policies. Usually these defaults don’t match the local policies, such as which users are allowed what kind of access to which resources and when. In addition, local security policies may require non-default authentication and/or logging.

A system administrator must examine the system’s configuration files and update them if necessary to enforce local policies. On modern systems PAM (Pluggable Authentication Modules) can be used to configure a wide range of security policies, including which databases to use to authenticate users, minimum password length, max login attempts, special permissions for console users (to various commands and devices), and many other policies.

wheel group policy

The wheel group enables you to define several system administrators and none of them need the root password. The group wheel was first used this way in Unix systems, but by using PAM any system can enable this handy feature. With proper PAM configuration any member of group wheel can become root by using the su command without supplying any password.

Exercise
1) Create a user who will act as a trusted user and assign a password to that user.
# useradd master
# passwd master
2) Add this user to the wheel group’s member list.
# usermod -a -G wheel master
or
# usermod -G wheel master
(Without -a, the -G option replaces the user’s existing supplementary groups with wheel alone.)
3) Edit the PAM configuration file for su, /etc/pam.d/su, and uncomment the line
auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
This treats members of the wheel group as trusted users.
4) Now log in as user master and run
# su -
The master user can now su to root without supplying a password.
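Because the trust option turns wheel membership into root access with no password prompt, an administrator wants a quick way to see who currently holds that power. The following POSIX shell snippet is an added example (not code from the original post): it checks whether an su PAM file has an active pam_wheel.so line with trust and lists the wheel members from /etc/group-style input. Both input files are constructed samples; on a real host substitute the contents of /etc/pam.d/su and /etc/group.

```shell
#!/bin/sh
# Added example, not from the original article. Audits the wheel/pam_wheel
# "trust" policy: who can run `su -` to root without a password?
# Both inputs below are constructed samples in the real file formats.
PAM_SU_SAMPLE='#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        /lib/security/$ISA/pam_wheel.so use_uid
auth            include         system-auth'
GROUP_SAMPLE='root:x:0:
wheel:x:10:master,backup
users:x:100:'

# Succeeds when an uncommented "auth sufficient ... pam_wheel.so" line carries
# the "trust" option, i.e. wheel members get root from su with no password.
pam_wheel_trust_enabled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_wheel\.so$/ {
            for (i = 4; i <= NF; i++) if ($i == "trust") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Prints the members of group $2 from /etc/group-style input, one per line.
# Caveat: accounts whose primary GID (in /etc/passwd) is the wheel GID are
# also members but do not appear in this field.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Combined report: wheel members, but only if the trust policy is active.
passwordless_root_users() {
    if pam_wheel_trust_enabled "$1"; then
        group_members "$2" wheel
    fi
}

passwordless_root_users "$PAM_SU_SAMPLE" "$GROUP_SAMPLE"
```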

Managing RHEL 5.1 VMs with the command line interface

June 12, 2008

By Ronald McCarty.

Deploying virtual machines (VMs) eases administrative tasks and decreases the amount of hardware required for an environment to operate; but ease of operating system administration becomes important for Linux administrators only after they have mastered the command line interface for virtualization. This tip covers the command line interface for managing RHEL 5.1 VMs.

Startup and shutdown
Virtual machines can be gracefully started and shut down using the xm command. For example, to stop the www virtual machine use xm shutdown www; to start it again, use xm create www. A reboot can be issued with xm reboot www. The shutdown parameter performs a clean shutdown. In the rare circumstance that a virtual machine hangs, a forced shutdown can be achieved with xm destroy, for example xm destroy www.

Poking around
Whenever inheriting an existing system, it is important to get a feel for it: learn its configuration and the location of all the machines in it. Here we cover the useful parameters that Red Hat provides through its Xen xm commands. The xm uptime command shows how long the hypervisor (host) has been up, as well as all virtual machines currently active on the system:

[root@axm1 ~]# xm uptime
Name                 ID Uptime
Domain-0              0 41 days, 21:19:52
ftp                   8 41 days, 20:35:16
www                   9 10 days, 0:57:31

The xm list command provides additional insight into the hypervisor and virtual machines:

[root@xm1 ~]# xm list
Name                 ID Mem(MiB) VCPUs State  Time(s)
Domain-0              0      515     4 r-----  13464.0
ftp                   8      255     1 -r----   5516.2
www                   9     1249     3 -r----   2581.7

For this particular output, we see the logical IDs of the domains, the amount of real (physical) memory assigned to the hypervisor and to each virtual machine, and the number of virtual CPUs assigned. The state of each domain is also displayed (running: r, blocked: b, paused: p, or shutdown: s).
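The xm list output is what a periodic health check would parse. The POSIX shell snippet below is an added example (not code from the article): it flags domains whose State field shows paused, shutdown or crashed, and checks that the memory assigned across all domains fits within the hypervisor’s total_memory as reported by xm info (2047 MiB on the page’s host). The sample listing is constructed from the page’s output plus a made-up crashed domain named db.

```shell
#!/bin/sh
# Added example, not from the original article. Parses `xm list` output as a
# health check would. Sample is constructed from the page's listing plus a
# made-up crashed domain "db" so the alert path has something to report.
XM_LIST_SAMPLE='Name                 ID Mem(MiB) VCPUs State  Time(s)
Domain-0              0      515     4 r-----  13464.0
ftp                   8      255     1 -r----   5516.2
www                   9     1249     3 -r----   2581.7
db                   10      512     1 ----c-     12.0'

# Print the names of domains whose State field contains any of the flag letters
# in $2 (r running, b blocked, p paused, s shutdown, c crashed, d dying).
domains_with_state() {
    printf '%s\n' "$1" | awk -v flags="$2" 'NR > 1 {
        for (i = 1; i <= length($5); i++) {
            ch = substr($5, i, 1)
            if (ch != "-" && index(flags, ch) > 0) { print $1; break }
        }
    }'
}

# Sum of the Mem(MiB) column over every listed domain, Domain-0 included.
assigned_memory_mib() {
    printf '%s\n' "$1" | awk 'NR > 1 { s += $3 } END { print s + 0 }'
}

# Succeed only if assigned memory fits within the hypervisor's total_memory
# ($2, in MiB), the figure `xm info` reports.
within_memory_budget() {
    [ "$(assigned_memory_mib "$1")" -le "$2" ]
}

# One-shot report: problem domains first, then the memory verdict.
domains_with_state "$XM_LIST_SAMPLE" psc
if within_memory_budget "$XM_LIST_SAMPLE" 2047; then
    echo "memory: $(assigned_memory_mib "$XM_LIST_SAMPLE") MiB assigned, within 2047 MiB"
else
    echo "memory: $(assigned_memory_mib "$XM_LIST_SAMPLE") MiB assigned, exceeds 2047 MiB"
fi
```

On a live host, replace the sample with "$(xm list)" and the budget with the total_memory value from xm info.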

The virtual machine configuration files are stored in /etc/xen. Each virtual machine will have a configuration file matching that of the virtual machine name. For example, on this system:

[root@xm1 xen]# ls -l /etc/xen/
-rw------- 1 root root 482 Mar 24 18:36 ftp
-rw------- 1 root root 485 Mar 24 18:28 www

Examining the www virtual machine file shows the following:

[root@xm1 xen]# more ws1
name = "www"
uuid = "c3269948d3dcc5c4c38030a66256c719"
maxmem = 1250
memory = 1250
vcpus = 3
bootloader = "/usr/bin/pygrub"
kernel = "/var/lib/xen/boot_kernel.ixwVAq"
ramdisk = "/var/lib/xen/boot_ramdisk.r1-w-1"
extra = "ro root=/dev/VolGroup00/LogVol00 rhgb quiet"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ "type=vnc,vncdisplay=0,keymap=en-us" ]
disk = [ "tap:aio:/var/lib/xen/images/ws1.img,xvda,w" ]
vif = [ "mac=00:16:3e:42:08:0e,bridge=xenbr0" ]

This config file shows the memory, virtual CPUs, Ethernet MAC address, bridge, disk image and other settings used by the virtual machine.

Additional information about the particular hypervisor can also be gleaned using the info parameter:

[root@xm1 xen]# xm info
host                   : xm1
release                : 2.6.18-53.el5xen
version                : #1 SMP Wed Oct 10 17:06:12 EDT 2007
machine                : i686
nr_cpus                : 4
nr_nodes               : 1
sockets_per_node       : 2
cores_per_socket       : 1
threads_per_core       : 2
cpu_mhz                : 3391
hw_caps                : bfebfbff:20100000:00000000:00000180:0000649d
total_memory           : 2047
free_memory            : 1
xen_major              : 3
xen_minor              : 1
xen_extra              : .0-53.el5
xen_caps               : xen-3.0-x86_32p
xen_pagesize           : 4096
platform_params        : virt_start=0xf5800000
xen_changeset          : unavailable
cc_compiler            : gcc version 4.1.2 20070626 (Red Hat 4.1.2-14)
cc_compile_by          : brewbuilder
cc_compile_domain      : build.redhat.com
cc_compile_date        : Wed Oct 10 16:30:55 EDT 2007
xend_config_format     : 2

Additional commands
A few additional commands are very specific and may not be useful in day-to-day operations. However, they can be useful in troubleshooting. The first, xm top, displays a breakdown of networking and CPU utilization for the hypervisor and the virtual machines. xm top is interactive, so you can see additional information on the screen by pressing N (networks), V (virtual CPUs), or S (sort order). The S key changes the column you are sorting on, starting at the far left (name) and cycling to the right.

The xm dmesg command prints out the Xen message buffer. The buffer mimics the normal Unix/Linux dmesg behavior; however, it is specific to Xen. You can also clear this buffer by adding the -c parameter: xm dmesg -c.

Troubleshooting virtual machines often requires an analysis of the logs associated with the virtualization. To see Xen’s log file, use xm log or cat /var/log/xen/xend.log.