Wednesday, 7 September 2022

Privilege escalation with sudo

A normal user in Linux can be allowed to execute privileged commands with sudo rights.

The sudoers configuration file is /etc/sudoers. Editing this file directly is not advisable; instead, either use visudo to edit it or create a template file under /etc/sudoers.d.

I would suggest using a template file under /etc/sudoers.d, which makes it easier to manage multiple users' privileges and is an efficient way to manage granular access.

Syntax - Who Where = (Runas-Who:group) What_Commands

Who - The user you want to give sudo rights/privilege to.

Where - The server on which the user is granted access to execute the listed commands.

Runas-Who:group - The user (and group) as which the user will execute the granted commands.

What_Commands - The commands that the user is allowed to execute.



User Shiva is a normal user here and is now allowed to list the repositories on the server without providing the root password.

The NOPASSWD directive may be a security issue, as sudo will not ask for a password when elevating privilege to execute the command.
To overcome this security issue you may use the line "Defaults !targetpw" - this will ask for the user's password when elevating privilege.

Example: 

# visudo -f /etc/sudoers.d/shiva
Defaults !targetpw
shiva ALL = (ALL:ALL) /usr/sbin/yum repolist


You can also enforce asking for the root user's password when elevating privilege.

"Defaults targetpw"


Best practice:

Edit the sudoers file with visudo, which validates the content on exit; if anything is wrong in the format it shows an error and lets you edit the file again to fix the issues.

While editing the sudoers template, ensure you have two sessions open with root rights and keep one session busy running the top command. After implementing the sudoers config, make sure that the sudo command works without any problem in a new session; then you can terminate the top command and its session. The spare root session is helpful if the sudoers change went wrong and you are locked out of root.

This situation can occur when you have a broken sudoers file and direct root login is not allowed.

To validate that the sudoers configuration you created is formatted correctly, use visudo -cf %s, where %s stands for the path of the file to check.
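
A small audit of a drop-in written in the "Who Where = (Runas-Who:group) What_Commands" syntax above, added here as an illustration and not code from this blog: it flags NOPASSWD rules, blanket ALL grants and a lowercase "defaults" keyword. The function name audit_sudoers and the sample lines are constructed, and the matcher is simplified (single-line rules only, no aliases or line continuations), so visudo -c remains the authoritative syntax check.

```python
import re

# Simplified matcher for one-line rules of the form described above:
#   Who Where = (Runas-Who:group) [TAG:] What_Commands
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<where>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (line_no, message) findings for a sudoers drop-in given as text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Blank lines, comments and include directives are out of scope here.
        if not line or line.startswith(("#", "@")):
            continue
        if line.lower().startswith("defaults"):
            # The sudoers keyword is case-sensitive: only 'Defaults' is valid.
            if not line.startswith("Defaults"):
                findings.append((no, "keyword must be spelled 'Defaults'"))
            continue
        m = RULE.match(line)
        if not m:
            findings.append((no, "not a 'Who Where = (Runas) Commands' rule"))
            continue
        if "NOPASSWD:" in m["tags"]:
            findings.append((no, f"{m['who']}: NOPASSWD, no password prompt"))
        cmds = [c.strip() for c in m["cmds"].split(",")]
        if "ALL" in cmds:
            findings.append((no, f"{m['who']}: ALL commands, root-equivalent access"))
    return findings

# Constructed sample drop-in (not taken from a real system).
SAMPLE = """\
defaults !targetpw
shiva ALL = (ALL:ALL) /usr/sbin/yum repolist
shiva ALL = (ALL:ALL) NOPASSWD: /usr/sbin/yum repolist
%wheel ALL = (ALL) ALL
"""

if __name__ == "__main__":
    for line_no, message in audit_sudoers(SAMPLE):
        print(f"line {line_no}: {message}")
```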

Wednesday, 15 June 2022

Linux - HA Cluster Maintenance



What is a cluster?

A group or collection of servers that provide the same service/application.

In this blog we will see how to put a cluster into maintenance mode and how to release it from maintenance mode.

What is maintenance mode?

Maintenance mode is when the server is not available to serve customers and is currently undergoing a maintenance task.

With HA Cluster enabled, if we need to perform some activity on the cluster-managed pools/servers, we need to enable cluster maintenance mode so that we do not see any unexpected behavior from the system.

To enable cluster maintenance mode, the following command is used.

For SUSE Clusters
crm configure property maintenance-mode=true

For Red Hat Clusters
pcs property set maintenance-mode=true

Once maintenance mode is enabled, you can start/stop or update the configuration of the cluster-managed resources. During this period the cluster will not interfere with these resources.

Once we have completed the required activity, the following command is used to release the cluster from maintenance mode.


For SUSE Clusters
crm configure property maintenance-mode=false

For Red Hat Clusters
pcs property set maintenance-mode=false

Sunday, 12 June 2022

Creating and modifying user in Linux

By default, when you install the Linux operating system a user is created, and that user has full sudo privilege. However, whenever you create a user after installing the OS, you need to provision the required privileges for that user. In this blog I will show you a few commands with useradd and usermod.

The user karthick was created when the OS was installed, and this user was added to the wheel group to get the sudo privilege. User karthick can run privileged commands with his password.

To create a normal user on the command line while specifying the user's home directory and UID, we use -d for the home directory and -u for the UID.

# useradd -d <Path_To_User's_HomeDirectory> -u UID <username>

UID is a unique identifier number used to identify the user. 


This user does not have the privilege to execute root-level commands. However, if we need to provide root access we need to add this user to the wheel group. To do so we will use the usermod command.


Adding a user to the wheel group gives that user complete root access.

If you do not want the user to have complete root access and instead want to provide granular or role-based access, you can provision that through a sudo template. You can create a sudoers template/drop-in file under the /etc/sudoers.d directory.

We will see about sudoers template file in much more detail in upcoming blogs. 


Wednesday, 10 November 2021

zmprov commands in zimbra

zmprov commands are used for provisioning in Zimbra.

Syntax - zmprov command argument


ga → Get account – gets the current value

ma → Modify account – modifies the current value to the specified value.

gcf → Get configuration – gets the current configuration

mcf → Modify configuration – modifies the current configuration to the specified configuration.

 

1. To change the display name for a single user

$ zmprov ga user@domain.com | grep displayName

displayName: User Name

$ zmprov ma user@domain.com displayName "User Name1"

$ zmprov ga user@domain.com | grep displayName

displayName: User Name1

$ zmprov ga user@domain.com | grep zimbraPrefFromDisplay

2. To modify the mail attachment size

Check current value

zmprov gcf zimbraMtaMaxMessageSize

zmprov gcf zimbraFileUploadMaxSize

zmprov gcf zimbraMailContentMaxSize

Modify size

zmprov mcf zimbraMtaMaxMessageSize 20971520

zmprov mcf zimbraFileUploadMaxSize 20971520

zmprov mcf zimbraMailContentMaxSize 52428800

3. To get and modify the mail forwarding address

zmprov ga user@domain.com zimbraPrefMailForwardingAddress

zmprov ma user@domain.com zimbraPrefMailForwardingAddress forward@domain.com

Monday, 8 November 2021

Install Zimbra on Centos 8

Zimbra is an open source email collaboration software. In this blog let's concentrate on how to install a single-server setup of Zimbra.

Zimbra can also be installed as a multi-server setup, which we will visit in later blogs.
Following are the prerequisites to install Zimbra.
  1. Set a Fully Qualified Hostname (FQDN) = mail.jkzimbra.com
  2. Update the hosts file entry for the host in the format - <ip> <FQHN> <HN>
  3. Configure a static IP = 192.168.142.128
  4. For now we can stop and disable firewalld, iptables and SELinux. In later blogs we can go through how to configure these along with Zimbra.
  5. Install and set up DNS with an A and an MX record. Here we will use the dnsmasq software to accomplish this.
  6. Finally, update the system to the latest patch level with yum update.
  7. Download the Zimbra setup from the zimbra.com site and place it on the server.
  8. It is better to have a separate LVM for /opt, as the whole Zimbra setup and configuration will reside at this mount point.
CentOS version - CentOS Linux release 8.4.2105
Zimbra Version - zcs-8.8.15_GA_3953

Step 1: Perform yum update
Step 2: Set the hostname as the FQDN with hostnamectl as shown in the image below.


Step 3: Update the hosts file to reflect the FQDN as below


Step 4: Set a static IP


Step 5: Stop and disable firewalld and SELinux


Step 6: Install dnsmasq and configure dnsmasq.conf as below
# yum install dnsmasq

Start the dnsmasq service - systemctl start dnsmasq
Query the MX record; it should return an MX record as shown below with the server's FQDN and the correct IP address.

Note: If you are not getting a proper result, you may need to update /etc/resolv.conf with the correct DNS server (the one that has this dnsmasq setup) - here it is the same Zimbra server, so I have used 192.168.142.128


Step 7: Download zimbra setup and move it to the server in /tmp or /home.
zcs-8.8.15_GA_3953.RHEL8_64.20200629025823.tgz

Extract the setup file as below

# tar -xzvf zcs-8.8.15_GA_3953.RHEL8_64.20200629025823.tgz



Now let's start with the actual installation and configuration of Zimbra.

Issue the command from inside the zcs* directory.
./install.sh

The installation will start as below,





Answer "Y" where required 




You will receive a DNS error; correct the domain name to the one you configured in DNS. This error appears because we configured the MX record for the domain name and not the hostname. You have to change the domain name here, so answer yes and then provide the proper domain name.


You will see the configuration menu as below,


Set the password for the admin user, and view the passwords of the ldap, postfix and other users using the appropriate menu numbers.
You can also update the passwords here.


To go to the previous menu, type "r" and hit Enter,


Once you have configured all required options you can apply the configuration - to do so type "a" and hit Enter.
It will ask to save the config file; type yes or hit Enter to accept.
Finally, for the system to start modifying with the given config, type yes at the prompt and hit Enter.


Sit back and relax; the setup will take some time and you will get the output below.
The Zimbra servers will start now.


Post setup tasks

Set up the SSH keys. To populate the SSH keys, as the zimbra user (su - zimbra), type zmupdateauthkeys and press Enter. The key is updated in /opt/zimbra/.ssh/authorized_keys.


Enabling Server Statistics Display. In order for the server statistics to display on the administration console, the syslog configuration files must be modified.

As root, type /opt/zimbra/libexec/zmsyslogsetup. This enables the server to display statistics.


Let's check the Zimbra service status by logging in as the zimbra user.


zmcontrol status will give you the status of all services; all should be running. Here dnscache is not running because we configured dnsmasq on the same server, which conflicts with the Zimbra dnscache, so you can ignore it.
You could have skipped installing dnscache by answering "N" when the setup asks about dnscache installation, or you can configure dnsmasq on a separate server.



Now that we are all set here, let's open the Zimbra web client, where we can send and receive emails.

Note: We can send mail to outside domains now, but we will not be able to receive emails as we have not published our domain/MX to global DNS - you can contact your domain provider, like GoDaddy, to do that.

Webmail link - https://ipaddress

Note: You will get an SSL warning; accept and proceed, as we have not yet installed any self-signed certificate.


The admin account is already created during installation, and it receives all Zimbra service related emails. Let's log in and see how the web email looks,



Yay!! We got some emails. Remember these are not external emails. We only get internal email until we set up public DNS.

Let's see how the admin console looks. The admin console opens on port 7071
Admin console link - https://ipaddress:7071



Ignore the failed server status, as it is shown for dnscache, which we are not using now.


That's all for now; there is still a lot more on Zimbra. We will get through it in later blogs.




Saturday, 6 November 2021

CronJob

Crontab is used to schedule a job at a given time or to repeat a job at given intervals.


To create a new crontab, issue crontab -e
To view the crontab, issue crontab -l

[root@host1]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

[root@host1]#



E.g.: If you need to schedule a job to run at 12:30 daily, add the line below to the crontab
30 12 * * * command_to_be_executed

Setting host name in CentOS Linux 8

 

We can set the host name of a Linux system by directly updating the name in the /etc/hostname file, which will require a reboot.

In CentOS Linux 8 and later versions we have the hostnamectl command, which does the job without the need for a reboot.


Command - hostnamectl 
Syntax - hostnamectl set-hostname NAME






This will automatically update the /etc/hostname file and no reboot is required.