Written by Kurt Seifried
There are a variety of tools to make administration of systems easier, from local tools like sudo which grant limited superuser privileges, to Webmin and Linuxconf which are www based systems. For information on how to login remotely (i.e. via telnet or ssh) please see the shell server section.
YaST (Yet Another Setup Tool) is a rather nice command line graphical interface (very similar to scoadmin) that provides an easy interface to most administrative tasks. It does not however have any provisions for giving users limited access, so it is really only useful for cutting down on errors, and allowing new users to administer their systems. Another problem is unlike Linuxconf it is not network aware, meaning you must log into each system you want to manipulate.
Sudo gives a user setuid access to a program(s), and you can specify which host(s) they are allowed to login from (or not) and have sudo access (thus if someone breaks into an account, but you have it locked down damage is minimized). You can specify what user a command will run as, giving you a relatively fine degree of control. If you must grant users access, be sure to specify the hosts they are allowed to log in from when using sudo, as well give the full pathnames to binaries, it can save you significant grief in the long run (i.e. if I give a user sudo access to "adduser", there is nothing to stop them editing their path statement, and copying bash to /tmp/adduser and grabbing control of the box.). This tool is very similar to super but with slightly less fine grained control. Sudo is available for most distributions as a core package or a contributed package. Sudo is available at: http://www.courtesan.com/sudo/ just in case your distribution doesn’t ship with it Sudo allows you to define groups of hosts, groups of commands, and groups of users, making long term administration simpler. Several /etc/sudoers examples:
#Give the user ‘seifried’ full access seifried ALL=(ALL) ALL
#Create a group of users, a group of hosts, and allow then to shutdown the server as root Host_Alias WORKSTATIONS=localhost, station1, station2 User_Alias SHUTDOWNUSERS=bob, mary, jane Cmnd_Alias REBOOT=halt, reboot, sync Runas_Alias REBOOTUSER=admin SHUTDOWNUSERS WORKSTATIONS=(REBOOTUSER) REBOOT
Super is one of the very few tools that can actually be used to give certain users (and groups) varied levels of access to system administration. In addition to this you can specify times and allow access to scripts, giving setuid access to even ordinary commands could have unexpected consequences (any editor, any file manipulation tools like chown, chmod, even tools like lp could compromise parts of the system). Debian ships with super, and there are rpm's available in the contrib directory. This is a very powerful tool (it puts sudo to shame in some ways), but requires a significant amount of effort to implement properly (like any powerful tool), and I think it is worth the effort. Some example config files are usually in the /usr/doc/super-xxxx/ directory. The primary distribution site for super is at: ftp://ftp.ucolick.org/pub/users/will/.
runas is very similar to sudo and Super with some variations. You create a config file listing the command, what it runs as, and which users/groups/etc. are allowed to run it as such. In addition to this however you can restrict the use of options (arguments), and you can prompt the user for a reason (which is logged to syslog). This is one of my favorite features, as with a little training, you can have your admin staff documenting what they do in a relatively painless fashion (i.e.: “wanted to reboot server because of memory leak”). You can download runas from: http://www.mindspring.com/~carpinello/runas/index.html.
Webmin is one of the better remote administration tools for Linux, written primarily in Perl it is easy to use and easy to setup. You can assign different 'users' (usernames and passwords are held internally by webmin) varying levels of access, for example you could assign bob access to shutdown the server only, and give john access to create/delete and manipulate users only. In addition to this it works on most Linux platforms and a variety of other UNIX platforms. The main 'problem' with webmin is somewhat poor documentation in some areas of usage, and the fact that the username/password pair are sent in clear text over the network (this is minimized slightly by the ability to grant access to only certain hosts(s) and networks). Most importantly it makes the system more accessible to non-technical people who must administer systems in such a way that you do not have to grant them actual accounts on the server. Webmin is available at: http://www.webmin.com/webmin/, and is currently free. Webmin defaults to running on port 10000 and should be firewalled:
ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 10000
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0
10000
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 10000
or in ipchains:
ipchains -A input -p all -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0
10000
ipchains -A input -p all -j ACCEPT -s some.trusted.host -d
0.0.0.0/0 10000
ipchains -A input -p all -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 10000
Linuxconf is a general purpose Linux administration tool that is usable from the command line, from within X, or via it's built in www server. It is my preferred tool for automated system administration (I primarily use it for doing strange network configurations), as it is relatively light from the command line (it is actually split up into several modules). From within X it provides an overall view of everything that can be configured (PPP, users, disks, etc.). To use it via a www browser you must first run Linuxconf on the machine and add the host(s) or network(s) you want to allow to connect (Conf > Misc > Linuxconf network access), save changes and quit. Then when you connect to the machine (by default Linuxconf runs on port 98) you must enter a username and password. By default Linuxconf only accepts root as the account, and Linuxconf doesn't support any encryption (it runs standalone on port 901), so I would have to recommend very strongly against using this feature across networks unless you have IPSec or some other form of IP level security. Linuxconf ships with Red Hat Linux and is available at: http://www.solucorp.qc.ca/linuxconf/. Linuxconf also doesn't seem to ship with any man pages/etc, the help is contained internally which is slightly irritating.
The COAS project (Caldera Open Administration System) is a very ambitious project to provide an open framework for administering systems, from a command line (with semi graphical interface), from within X (using the qt widget set) to the web. It abstracts the actual configuration data by providing a middle layer, thus making it suitable for use on disparate Linux platforms. Version 1.0 was just released, so it looks like Caldera is finally pushing ahead with it. The COAS site is at: http://www.coas.org/.
WebRAT is a web based administration tool for networks. You can get it at: http://hq.hellug.gr/~webrat/.
Pikt is an extremely interesting tool, it is actually more of a scripting language aimed at system administration then a simple program. Pikt allows you to do things such as killing off idle user processes, enforcing mail quotas, monitor the system for suspicious usage patterns (off hours, etc), and much more. About the only problem with Pikt will be a steep learning tools, as it uses it’s own scripting language, but ultimately I think mastering this language will pay off if you have many systems to administer (especially since Pikt runs on Solaris, Linux and FreeBSD currently). Pikt is available at: http://pikt.uchicago.edu/pikt/.
Virtual Network Computer (VNC) is similar to X or PCAnywhere. You can display a graphical desktop, and control it remotely, with NT or Linux as the server and/or client. VNC across 10 megabit Ethernet is quite good, however it does tend to use a lot of computer power relative to other methods of remote administration. You can get VNC from: http://www.uk.research.att.com/vnc/. Security VNC isn't so great, but there are several sites with information on securing VNC, using SSL, SSH and other methods. MindVNC is a java client that uses SSH, available from: http://www.mindbright.com/english/technology/products/mindvnc.html. There is a patch available to add encryption to VNC here at: http://web.mit.edu/thouis/vnc/. There is also a page on securing VNC with SSH port forwarding at: http://www.zip.com.au/~cs/answers/vnc-thru-firewall-via-ssh.txt.
cfengine is a set of tools for automating administration tasks and is network aware. You can get cfegine from: http://www.iu.hioslo.no/cfengine/.
SAS is currently specific to Stormix (a new Linux distribution), you can get it from: http://www.stormix.com/products/sas/index_html.
| Written by Kurt Seifried |