Shashikant shah

Sunday 22 August 2021

Setup ACL and sudoers on centos 7

1    How to create user and password.
#useradd  <username>
#passwd <username>
 

2    How to change primary and secondary group of the user.
2.1    Create a new group.
# groupadd  <groupname>
 

2.2    Change the primary group of the user.
# id <username>
# usermod -g <groupname> <user_name>
 

2.3    Change the secondary group of the user.
# sudo usermod -a -G  <groupname> <user_name>
# grep <groupname> /etc/group


3    How to Remove a User From a Group
# gpasswd -d  <user_name>  <groupname>


4    How to add users and groups to sudoers on Centos 7.
4.1    Aliases
we get into adding user permission entries to sudo template, it is important to understand how aliases work. Sudoers aliases come in the form of:

    User_Alias — specifies a group of users by username

    Runas_Alias — specifies a group of users by UID

    Host_Alias — specifies a list of hostnames

    Cmnd_Alias — specifies a list of commands and directories

4.2   create a file in /etc/sudoers.d/<date>_optus_template
#vim /etc/sudoers.d/<date>_optus_template
############# group ime_group ##############
User_Alias OPTUS_IME_GROUP = %ime_group
Runas_Alias ROOT = root
Host_Alias ALL_HOST = ALL
Cmnd_Alias SYSADMIN = ALL
Cmnd_Alias NONROOT = /usr/bin/su,/usr/bin/sh,/usr/bin/bash,/usr/sbin/visudo,/usr/bin/passwd,/usr/bin/rm -rf /etc/sudoers.d/*,/usr/bin/rm /etc/sudoers.d/*,/bin/ls -[A-Za-z] /data/*
###########Sudo Stanza######
OPTUS_IME_GROUP ALL_HOST = (ROOT) NOPASSWD:SYSADMIN,!NONROOT

4.3 check sudo file.
#visudo -c
or
#visudo -cf /var/tmp/sudoers.new  

ref URL :-
https://www.linux.com/topic/networking/how-wrestle-control-sudo-sudoers/


5    How to Apply ACL for feed dir.

5.1    User Home directory only read and execute permission.
Note1 :- do not give full permission at the user home directory.
Note2 :- do not apply ACL on the .ssh directory.

# setfacl -m g:<group_name>:rx  <user_home_dir>

5.2    Data directory only read, write and execute permission.
# cd /home/user_name
# setfacl -R -d -m g:<group_name>:rwx  <dir_name>
#setfacl -Rm g: <group_name>:rwx  <dir_name>

4.3    How to verify ACL and delete ACL.

For acl verify
# getfacl  <dir_name>

For all acl delete
# setfacl -R -b  <dir_name>

############### How to create service in centos 7 ########

# cd /usr/lib/systemd/system

# vim adaptor.service

[Unit]
Description=Jboss adaptor service

[Service]
User=root
Group=root
Type=oneshot
RemainAfterExit=true
ExecStart=/data/cis/admin/JBossEAP7.2/jboss-eap-7.2-adaptor/jboss-Adapter.sh start
ExecStop=/data/cis/admin/JBossEAP7.2/jboss-eap-7.2-adaptor/jboss-Adapter.sh stop

[Install]
Wantedby=multi-user.target

# systemctl daemon-reload

# systemctl enable adaptor.service

# systemctl start adaptor.service

# systemctl status adaptor.service -l

# ps -elf | grep "adaptor"

# systemctl stop adaptor.service

# systemctl status adaptor.service -l

# ps -elf | grep "adaptor"

Posted by at No comments:
Subscribe to: Posts (Atom)