By Kurt Seifried
There are a variety of tools to make administration of systems easier, from
local tools like sudo which grant limited superuser privileges to www based
systems that allow for remote management from a cybercafe while on vacation.
Local tools
While it is possible to administer a Linux system from the command line using
no "additional" tools, it can be bothersome. If you wish to split up
administrative tasks, the "sub administrators" will often require root access to
restart daemons, modify configuration files and so forth. Simply giving them all
root access, or sharing the root password, is often the first step to a serious
problem (this is one of the major reasons many large sites get broken into).
YaST
YaST (Yet Another Setup Tool) is a rather nice command line graphical
interface (very similar to scoadmin) that provides an easy interface to most
administrative tasks. It does not, however, have any provisions for giving users
limited access, so it is really only useful for cutting down on errors and
allowing new users to administer their systems. Another problem is that, unlike
Linuxconf, it is not network aware, meaning you must log into each system you
want to manipulate. YaST version two is now available and includes many new
features as well as bug fixes; it is recommended that you upgrade.
sudo
Sudo gives a user setuid access to a program (or programs), and you can
specify which host(s) they are allowed (or not allowed) to log in from and have
sudo access on (thus if someone breaks into an account, but you have it locked
down, damage is minimized). You can specify what user a command will run as,
giving you a relatively fine degree of control. If you must grant users access,
be sure to specify the hosts they are allowed to log in from when using sudo,
and give the full pathnames to binaries; it can save you significant grief in
the long run (e.g. if I give a user sudo access to "adduser" without a full
path, there is nothing to stop them editing their path statement, copying bash
to /tmp/adduser and grabbing control of the box). This tool is very similar to
super but with slightly less fine grained control. Sudo is available for most
distributions as a core package or a contributed package. Sudo is also available
from https://www.courtesan.com/sudo/ (just in case your distribution does not
ship with it). Sudo allows you to define groups of hosts, groups of commands,
and groups of users, making long term administration simpler. Several
/etc/sudoers examples:
# Give the user 'seifried' full access
seifried ALL=(ALL) ALL
# Create a group of users and a group of hosts, and allow them to shut down the server as root
Host_Alias WORKSTATIONS=localhost, station1, station2
User_Alias SHUTDOWNUSERS=bob, mary, jane
# Commands must be given with their full pathnames (see the /tmp/adduser example above)
Cmnd_Alias REBOOT=/sbin/halt, /sbin/reboot, /bin/sync
Runas_Alias REBOOTUSER=admin
SHUTDOWNUSERS WORKSTATIONS=(REBOOTUSER) REBOOT
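As an added example (not part of the original guide), a small Python check that parses sudoers-style rules, expands Cmnd_Alias entries and flags the two mistakes described above: commands given without a full pathname, and host lists left as ALL. The sample rules are constructed for illustration; the station names, the 'helpdesk' user and the SAFE_REBOOT alias are placeholders.

```python
import re

# Constructed sample, not a real configuration; hosts, users and aliases are placeholders.
SAMPLE_SUDOERS = """\
Host_Alias WORKSTATIONS=localhost, station1, station2
User_Alias SHUTDOWNUSERS=bob, mary, jane
Cmnd_Alias REBOOT=halt, reboot, sync      # relative paths, as warned against
Cmnd_Alias SAFE_REBOOT=/sbin/halt, /sbin/reboot, /bin/sync
Runas_Alias REBOOTUSER=admin
seifried ALL=(ALL) ALL
SHUTDOWNUSERS WORKSTATIONS=(REBOOTUSER) REBOOT
SHUTDOWNUSERS WORKSTATIONS=(REBOOTUSER) SAFE_REBOOT
helpdesk ALL=(root) adduser
"""

ALIAS_RE = re.compile(r"^(Host|User|Cmnd|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\((\S+)\)\s*)?(.+)$")

def parse_sudoers(text):
    """Return (aliases, rules): aliases maps (kind, NAME) -> members; rules are (users, hosts, runas, [cmds])."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[(kind, name)] = [x.strip() for x in members.split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            users, hosts, runas, cmnds = m.groups()
            rules.append((users, hosts, runas or "root",
                          [c.strip() for c in cmnds.split(",")]))
    return aliases, rules

def audit(text):
    """Return (users, finding) pairs for rules with host list ALL or a command lacking a full pathname."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for users, hosts, _runas, cmnds in rules:
        if hosts == "ALL":
            findings.append((users, "host list is ALL; restrict to named hosts"))
        for cmd in cmnds:
            # expand Cmnd_Alias names to their members; plain commands pass through
            for member in aliases.get(("Cmnd", cmd), [cmd]):
                if member != "ALL" and not member.startswith("/"):
                    findings.append((users, f"relative command path: {member}"))
    return findings
```

Run audit() over a copy of your own sudoers file to see which rules it would flag; the real sudo also rejects relative command paths when the file is checked with visudo.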
Super
Super is one of the very few tools that can actually be used to give certain
users (and groups) varied levels of access to system administration. In addition
to this you can specify times and allow access to scripts, since giving setuid
access to even ordinary commands could have unexpected consequences (any editor,
any file manipulation tools like chown or chmod, even tools like lp could
compromise parts of the system). Debian ships with super, and there are RPMs
available in the contrib directory. This is a very powerful tool (it puts sudo
to shame in some ways), but requires a significant amount of effort to implement
properly (like any powerful tool), and I think it is worth the effort. Some
example config files are usually in the /usr/doc/super-xxxx/ directory. Super is
available at ftp://ftp.ucolick.org/pub/users/will/.
WWW based tools
WWW based administration tools provide an attractive solution since virtually
every modern computer and Internet access point is web capable (sometimes that
is all they are capable of).
Webmin
Webmin has had a number of security problems, so make sure you are using the
most recent version. Webmin is one of the better remote administration tools for
Linux; written primarily in Perl, it is easy to use and easy to set up. You can
assign different 'users' (usernames and passwords are held internally by Webmin)
varying levels of access; for example you could assign bob access to shut down
the server only, and give john access to create, delete and manipulate users
only. In addition to this it works on most Linux platforms and a variety of
other UNIX platforms. The main 'problem' with Webmin is somewhat poor
documentation in some areas of usage, and the fact that the username/password
pair is sent in clear text over the network (this is mitigated slightly by the
ability to grant access to only certain host(s) and networks). Most importantly,
it makes the system more accessible to non-technical people who must administer
it, in such a way that you do not have to grant them actual accounts on the
server. Webmin is available from https://www.webmin.com/webmin/, and is
currently free. Webmin defaults to running on port 10000 and should be
firewalled.
Linuxconf
Linuxconf is a general purpose Linux administration tool that is usable from
the command line, from within X, or via its built-in www server. From within X
it provides an overall view of everything that can be configured (PPP, users,
disks, etc.). To use it via a www browser you must first run Linuxconf on the
machine and add the host(s) or network(s) you want to allow to connect (Conf
> Misc > Linuxconf network access), save changes and quit. Then when you
connect to the machine (by default Linuxconf runs on port 98) you must enter a
username and password. By default Linuxconf only accepts root as the account,
and Linuxconf doesn't support any encryption (it runs standalone on port 901),
so I would have to recommend very strongly against using this feature across
networks unless you have IPSec or some other form of IP level security.
Linuxconf ships with several distributions and is available from
https://www.solucorp.qc.ca/linuxconf/. Linuxconf also doesn't seem to ship with
any man pages, etc.; the help is contained internally, which is slightly
irritating.
Other network based tools
On the other hand, web based administration tools tend to be limited, and are
typically not designed for heterogeneous installations (i.e. Linux, HP-UX, AIX
and so forth). "Industrial" strength tools may be called for, like the following
ones.
Pikt
Pikt is an extremely interesting tool; it is actually more of a scripting
language aimed at system administration than a simple program. Pikt allows you
to do things such as killing off idle user processes, enforcing mail quotas,
monitoring the system for suspicious usage patterns (off hours, etc.), and much
more. About the only problem with Pikt will be a steep learning curve, as it
uses its own scripting language, but ultimately I think mastering this language
will pay off if you have many systems to administer (especially since Pikt runs
on Solaris, Linux and FreeBSD currently). Pikt is available at: https://www.pikt.org/.
VNC
Virtual Network Computer (VNC) is similar to X or PCAnywhere. You can display
a graphical desktop, and control it remotely, with NT or Linux as the server
and/or client. VNC across 10 megabit Ethernet is quite good; however, it does
tend to use a lot of computer power relative to other methods of remote
administration. You can get VNC from https://www.uk.research.att.com/vnc/.
VNC's security isn't so great, but there are several sites with information on
securing VNC using SSL, SSH and other methods. There is also a page on securing
VNC with SSH port forwarding at: https://www.zip.com.au/~cs/answers/vnc-thru-firewall-via-ssh.txt.
cfengine
cfengine is a set of tools for automating administration tasks and is network
aware. You can get cfengine at https://www.cfengine.org/.