By Kurt Seifried [email protected]
There are a variety of tools to make administration of systems easier, from local tools like sudo which grant limited superuser privileges to www based systems that allow for remote management from a cybercafe while on vacation. For information on how to login remotely (i.e. interactive shell prompts) please see the shell server section.
While it is possible to administer a Linux system from the command line using no "additional" tools it can be bothersome. If you wish to split up administrative tasks the "sub administrators" will often require root access to restart daemons, modify configuration files and so forth. Simply giving them all root access, or sharing the root password is often the first step to serious problem (this is one of the major reasons many large sites get broken into).
YaST (Yet Another Setup Tool) is a rather nice command line graphical interface (very similar to scoadmin) that provides an easy interface to most administrative tasks. It does not however have any provisions for giving users limited access, so it is really only useful for cutting down on errors, and allowing new users to administer their systems. Another problem is unlike Linuxconf it is not network aware, meaning you must log into each system you want to manipulate. YaST version two is now available and includes many new features as well as bug fixes, it is recommended you upgrade.
Sudo gives a user setuid access to a program(s), and you can specify which host(s) they are allowed to login from (or not) and have sudo access (thus if someone breaks into an account, but you have it locked down damage is minimized). You can specify what user a command will run as, giving you a relatively fine degree of control. If you must grant users access, be sure to specify the hosts they are allowed to log in from when using sudo, as well give the full pathnames to binaries, it can save you significant grief in the long run (i.e. if I give a user sudo access to "adduser", there is nothing to stop them editing their path statement, and copying bash to /tmp/adduser and grabbing control of the box.). This tool is very similar to super but with slightly less fine grained control. Sudo is available for most distributions as a core package or a contributed package. Sudo is available from http://www.courtesan.com/sudo/ (just in case your distribution does not ship with it). Sudo allows you to define groups of hosts, groups of commands, and groups of users, making long term administration simpler. Several /etc/sudoers examples:
#Give the user seifried full access seifried ALL=(ALL) ALL
#Create a group of users, a group of hosts, and allow then to shutdown the server as root Host_Alias WORKSTATIONS=localhost, station1, station2 User_Alias SHUTDOWNUSERS=bob, mary, jane Cmnd_Alias REBOOT=halt, reboot, sync Runas_Alias REBOOTUSER=admin SHUTDOWNUSERS WORKSTATIONS=(REBOOTUSER) REBOOT
Super is one of the very few tools that can actually be used to give certain users (and groups) varied levels of access to system administration. In addition to this you can specify times and allow access to scripts, giving setuid access to even ordinary commands could have unexpected consequences (any editor, any file manipulation tools like chown, chmod, even tools like lp could compromise parts of the system). Debian ships with super, and there are rpm's available in the contrib directory. This is a very powerful tool (it puts sudo to shame in some ways), but requires a significant amount of effort to implement properly (like any powerful tool), and I think it is worth the effort. Some example config files are usually in the /usr/doc/super-xxxx/ directory. Super is avialable ftp://ftp.ucolick.org/pub/users/will/.
WWW based administration tools provide an attractive solution since virtually every modern computer and Internet access point is web capable (sometimes that is all they are capable of).
Webmin has had number of security problems so make sure you are using the most recent one. Webmin is one of the better remote administration tools for Linux, written primarily in Perl it is easy to use and easy to setup. You can assign different 'users' (usernames and passwords are held internally by Webmin) varying levels of access, for example you could assign bob access to shutdown the server only, and give john access to create/delete and manipulate users only. In addition to this it works on most Linux platforms and a variety of other UNIX platforms. The main 'problem' with Webmin is somewhat poor documentation in some areas of usage, and the fact that the username/password pair are sent in clear text over the network (this is minimized slightly by the ability to grant access to only certain hosts(s) and networks). Most importantly it makes the system more accessible to non-technical people who must administer systems in such a way that you do not have to grant them actual accounts on the server. Webmin is available http://www.webmin.com/webmin/, and is currently free. Webmin defaults to running on port 10000 and should be firewalled.
Linuxconf is a general purpose Linux administration tool that is usable from the command line, from within X, or via it's built in www server. From within X it provides an overall view of everything that can be configured (PPP, users, disks, etc.). To use it via a www browser you must first run Linuxconf on the machine and add the host(s) or network(s) you want to allow to connect (Conf > Misc > Linuxconf network access), save changes and quit. Then when you connect to the machine (by default Linuxconf runs on port 98) you must enter a username and password. By default Linuxconf only accepts root as the account, and Linuxconf doesn't support any encryption (it runs standalone on port 901), so I would have to recommend very strongly against using this feature across networks unless you have IPSec or some other form of IP level security. Linuxconf ships with several distributions and is available http://www.solucorp.qc.ca/linuxconf/. Linuxconf also doesn't seem to ship with any man pages/etc, the help is contained internally which is slightly irritating.
On the other hand web based administration tools tend to be limited, and are typically not designed for hetrogenous installations (i.e. Linux, HP-UX, AIX and so forth). "Industrial" strength tools may be called for, like the following ones.
Pikt is an extremely interesting tool, it is actually more of a scripting language aimed at system administration then a simple program. Pikt allows you to do things such as killing off idle user processes, enforcing mail quotas, monitor the system for suspicious usage patterns (off hours, etc), and much more. About the only problem with Pikt will be a steep learning tools, as it uses its own scripting language, but ultimately I think mastering this language will pay off if you have many systems to administer (especially since Pikt runs on Solaris, Linux and FreeBSD currently). Pikt is available at: http://pikt.uchicago.edu/pikt/.
Virtual Network Computer (VNC) is similar to X or PCAnywhere. You can display a graphical desktop, and control it remotely, with NT or Linux as the server and/or client. VNC across 10 megabit Ethernet is quite good, however it does tend to use a lot of computer power relative to other methods of remote administration. You can get VNC http://www.uk.research.att.com/vnc/. Security VNC isn't so great, but there are several sites with information on securing VNC, using SSL, SSH and other methods. There is also a page on securing VNC with SSH port forwarding at: http://www.zip.com.au/~cs/answers/vnc-thru-firewall-via-ssh.txt.
cfengine is a set of tools for automating administration tasks and is network aware. You can get cfengine http://www.cfengine.org/.
Last updated on 5/9/2001
Copyright Kurt Seifried 2001 [email protected]