Knowledge Base (Posts about documentation)https://bgstack15.ddns.net/blog/enContents © 2022 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Sun, 27 Feb 2022 04:04:54 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssThoughts on my documentation processhttps://bgstack15.ddns.net/blog/posts/2021/07/15/thoughts-on-my-documentation-process/bgstack15<p>When I write a solution for myself, such as my <a href="https://bgstack15.ddns.net/blog/posts/2021/02/02/web-gallery-solution/">gallery</a> or my <a href="https://bgstack15.ddns.net/blog/posts/2020/10/04/setting-up-a-transparent-proxy-for-internal-network/">transparent web proxy</a>, I write a master document that describes how I built it, why I built it, and how to use it. Why I built it usually starts the document, and explains what I needed it for: What problem it solves. Sometimes my solutions are proof-of-concept or demonstrations only. But still, I like to remind my future self of what it's for. How I built it ("Architecture") is the section that explains the initial steps, such as packages installed, users added, selinux contexts or policies built (and not necessarily the methodology for building an selinux policy, at this point, due to the <a href="https://bgstack15.ddns.net/blog/posts/2021/04/21/cgit-solution-for-my-network/#configureselinux">repetition</a>), pip packages versus system packages, and so on. Anything that I needed to do only once for the solution (per host, if a multi-node solution). The how to use it section is titled "Operations." I describe how to do tasks, such as set up a new entry or new instance, or modify a commonly-updated setting. This section tends to grow over time as I update the solution. On rare occasions I need to update the architecture section of the document because I had to make a one-time change for the solution. The how-to section can duplicate some information from the Architecture section, if I expect some of those first-time steps are what are repeated for the proposed future steps. When I publish a solution, I try to move all my configs to a separate conf file, so that I can include a <code>app.conf.example</code> file or similar, and exclude <code>app.conf</code> from source control. I even have a small sed script that helps scrub my private data:</p> <pre class="code literal-block"><span></span><code>$ sed -r -f /mnt/public/work/gitlab/scrub.sed &lt; app.conf &gt; app.conf.example </code></pre> <p>The contents of the script are mostly just substitutions.</p> <pre class="code literal-block"><span></span><code>s/privateservername([0-9]*)/serve\1/g; s/username73/exampleuser5/g; </code></pre> <p>I always include a References section, so that I can review my sources in the future. I do return to them, because I am seeking to expand my solution or fix a part that breaks (i.e., used to work but doesn't now).</p>documentationhttps://bgstack15.ddns.net/blog/posts/2021/07/15/thoughts-on-my-documentation-process/Thu, 15 Jul 2021 13:15:59 GMTUsers, Groups, and Access Policy for Linuxhttps://bgstack15.ddns.net/blog/posts/2020/07/24/users-groups-and-access-policy-for-linux/bgstack15<h2>Summary of policy</h2> <ol> <li>User accounts for humans must be domain accounts.</li> <li>Groups must be domain groups.</li> <li>Service accounts must be local accounts and have a unique uid within the entire environment.</li> <li>Passwordless login is allowed within guidelines.</li> <li>The name of a user or group must not have any spaces.</li> <li>Access to servers is granted to only groups, not individual users.</li> <li>Service accounts may be granted direct ssh access within guidelines.</li> </ol> <h2>Annotated policy</h2> <ol> <li>User accounts for humans must be domain accounts.</li> <li>Groups must be domain groups. <ol> <li>Centralized user and group administration is a corporate standard and is necessary for our scale of operations.</li> <li>The domain to use, unless under special circumstances, is Active Directory domain PROD1.</li> </ol> </li> <li>Service accounts must be local accounts. <ol> <li>Service accounts are used by applications and processes that should run independently of any individual users, and should not depend on domain resolution.</li> <li>UIDs for local accounts must be unique within the entire environment. For example, the service account "abcapp" is UID 9950 and no other local account can use that UID anywhere. These UIDs are managed by the Linux Engineering team in file <strong>control5:/etc/ansible/uid_gid</strong>.</li> </ol> </li> <li>Passwordless login is allowed within guidelines. <ol> <li>Kerberos (GSSAPI) authentication between hosts joined to the same domain is enabled by our server configuration standard.</li> <li>Ssh key authentication for users and service accounts is allowed and users may manage their own keys.</li> </ol> </li> <li>The name of a user or group must not have any spaces. <ol> <li>While spaces can technically be used, the complexity of supporting spaces in user and group names reduces the effectiveness of automation.</li> </ol> </li> <li>Access to servers is granted to only groups, not individual users. <ol> <li>To comply with RBAC guidelines, access must be provided to only groups, even if this means adding a group in the same domain as a single user to provide access to that user. A recommended group name is username_ssh, e.g., <strong>mysql_ssh</strong>.</li> </ol> </li> <li>Service accounts may be granted direct ssh access within guidelines. <ol> <li>Most access to service accounts is through <a href="https://bgstack15.ddns.net/blog/posts/2018/12/27/sudoers-policy/">sudo su $SERVICEACCOUNT</a>.</li> <li>Applications and processes with a valid business justification for direct ssh access will be granted direct access after approval . Abuse of a service account direct ssh access includes a human logging in to a service account over direct ssh to an interactive shell. Any such abuse may cause the service account direct ssh access to be revoked.</li> </ol> </li> </ol>documentationpolicyhttps://bgstack15.ddns.net/blog/posts/2020/07/24/users-groups-and-access-policy-for-linux/Fri, 24 Jul 2020 12:32:29 GMTFound: OBS service documentationhttps://bgstack15.ddns.net/blog/posts/2020/02/24/found-obs-service-documentation/bgstack15<p>For some unknown reason, it is really hard to find good documentation on how to use the _service file for the Open Build Service. The <a href="https://openbuildservice.org/">Open Build Service</a> (OBS) is a project from the openSUSE team, and they run a public instance at https://build.opensuse.org/. This server application provides a build environment for many distributions' package methods. I use it for my public Devuan packages (see my "OBS" link in the links section of this site, usually a sidebar on each page). The _service file has some generic documentation in the main <a href="https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.source_service.html">obs online man pages</a>. I find this documentation extremely lacking in explaining how to use a service file fully. And I've learned by examples extant on the public OBS instance already. So, just to be clear, a _service file is a file in an obs project, that defines a number of steps for the server to take. By default, each service runs for each commit, or whenever you select the "trigger services" button on the web page for a project. I finally found a list of <a href="https://en.opensuse.org/openSUSE:Build_Service_Concept_SourceService#All_OBS_services_available">available service names</a> to use! And the links take you to the projects on the Internet where they live and are fully documented. There are quite a few I plan on using in the future... like regex_replace.</p> <h3>Example _service file</h3> <p>With my service file set up to pull down the source debian/ directory as debian.tar.xz, and the entire source as a tar.gz, and extract out my .dsc file from that source, I can manage my OBS project way easier.</p> <pre class="code literal-block"><span></span><code><span class="nt">&lt;services&gt;</span> <span class="nt">&lt;service</span> <span class="na">name=</span><span class="s">"tar_scm"</span><span class="nt">&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"scm"</span><span class="nt">&gt;</span>git<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"url"</span><span class="nt">&gt;</span>https://gitlab.com/bgstack15/fluxbox-themes-stackrpms.git<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"subdir"</span><span class="nt">&gt;</span>debian<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"filename"</span><span class="nt">&gt;</span>debian<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"revision"</span><span class="nt">&gt;</span>local-dsc-file<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"version"</span><span class="nt">&gt;</span>_none_<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;/service&gt;</span> <span class="nt">&lt;service</span> <span class="na">name=</span><span class="s">"recompress"</span><span class="nt">&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"file"</span><span class="nt">&gt;</span>*.tar<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"compression"</span><span class="nt">&gt;</span>xz<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;/service&gt;</span> <span class="nt">&lt;service</span> <span class="na">name=</span><span class="s">"tar_scm"</span><span class="nt">&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"scm"</span><span class="nt">&gt;</span>git<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"url"</span><span class="nt">&gt;</span>https://gitlab.com/bgstack15/fluxbox-themes-stackrpms.git<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"revision"</span><span class="nt">&gt;</span>local-dsc-file<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"version"</span><span class="nt">&gt;</span>_none_<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;/service&gt;</span> <span class="nt">&lt;service</span> <span class="na">name=</span><span class="s">"recompress"</span><span class="nt">&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"file"</span><span class="nt">&gt;</span>*.tar<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"compression"</span><span class="nt">&gt;</span>gz<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;/service&gt;</span> <span class="nt">&lt;service</span> <span class="na">name=</span><span class="s">"extract_file"</span><span class="nt">&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"archive"</span><span class="nt">&gt;</span>*.tar.gz<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"files"</span><span class="nt">&gt;</span>*/*.dsc<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;/service&gt;</span> <span class="nt">&lt;/services&gt;</span> </code></pre> <p>The .dsc file is modified from the output from a proper <strong>debuild -us -uc</strong> locally. I learned the trick of zeroing out the checksums from another OBS project, <a href="https://build.opensuse.org/package/view_file/home:hawkeye116477:waterfox/waterfox-classic-kpe/_service:extract_file:waterfox-classic-kpe-Debian_9.0.dsc?expand=1">waterfox-classic- kpe</a>.</p> <pre class="code literal-block"><span></span><code><span class="n">Format</span><span class="o">:</span> <span class="mf">3.0</span> <span class="o">(</span><span class="n">quilt</span><span class="o">)</span> <span class="n">Source</span><span class="o">:</span> <span class="n">fluxbox</span><span class="o">-</span><span class="n">themes</span><span class="o">-</span><span class="n">stackrpms</span> <span class="n">Binary</span><span class="o">:</span> <span class="n">fluxbox</span><span class="o">-</span><span class="n">themes</span><span class="o">-</span><span class="n">stackrpms</span> <span class="n">Architecture</span><span class="o">:</span> <span class="n">all</span> <span class="n">Version</span><span class="o">:</span> <span class="mf">0.0</span><span class="o">.</span><span class="mi">1</span><span class="o">-</span><span class="mi">1</span><span class="o">+</span><span class="n">devuan</span> <span class="n">Maintainer</span><span class="o">:</span> <span class="n">Ben</span> <span class="n">Stack</span> <span class="n">Homepage</span><span class="o">:</span> <span class="sr">/posts/</span> <span class="n">Standards</span><span class="o">-</span><span class="n">Version</span><span class="o">:</span> <span class="mf">4.1</span><span class="o">.</span><span class="mi">4</span> <span class="n">Build</span><span class="o">-</span><span class="n">Depends</span><span class="o">:</span> <span class="n">debhelper</span> <span class="o">(&gt;=</span> <span class="mi">12</span><span class="o">~)</span> <span class="n">Package</span><span class="o">-</span><span class="n">List</span><span class="o">:</span> <span class="n">fluxbox</span><span class="o">-</span><span class="n">themes</span><span class="o">-</span><span class="n">stackrpms</span> <span class="n">deb</span> <span class="n">x11</span> <span class="n">optional</span> <span class="n">arch</span><span class="o">=</span><span class="n">all</span> <span class="n">Files</span><span class="o">:</span> <span class="mi">00000000000000000000000000000000</span> <span class="mi">1</span> <span class="n">fluxbox</span><span class="o">-</span><span class="n">themes</span><span class="o">-</span><span class="n">stackrpms_0</span><span class="o">.</span><span class="mf">0.1</span><span class="o">.</span><span class="na">orig</span><span class="o">.</span><span class="na">tar</span><span class="o">.</span><span class="na">gz</span> <span class="mi">00000000000000000000000000000000</span> <span class="mi">1</span> <span class="n">fluxbox</span><span class="o">-</span><span class="n">themes</span><span class="o">-</span><span class="n">stackrpms_0</span><span class="o">.</span><span class="mf">0.1</span><span class="o">-</span><span class="mi">1</span><span class="o">+</span><span class="n">devuan</span><span class="o">.</span><span class="na">debian</span><span class="o">.</span><span class="na">tar</span><span class="o">.</span><span class="na">xz</span> </code></pre> <p>And since the filenames do not match, I think that section is not even necessary. Thankfully OBS figures out what tarballs to use where for the debuild. To quote my original distro (<a href="https://distrowatch.com/table.php?distribution=korora">Korora</a>): "Standing on the shoulders of giants."</p> <h3>Conclusion</h3> <p>I can control my osc package with only one file in the obs source control: the _service file! This reduces the need to pass multiple assets, which can be large.</p> <h2>References</h2> <h3>Internet searches</h3> <p>How I actually found the main weblink <a href="https://duckduckgo.com/?q=open+build+service+services+recompress&amp;t=palemoon&amp;ia=web">open build service services recompress</a></p> <h3>Weblinks</h3> <p><a href="https://en.opensuse.org/openSUSE:Build_Service_Concept_SourceService#All_OBS_services_available">https://en.opensuse.org/openSUSE:Build_Service_Concept_SourceService#All_OBS_services_available</a></p>documentationlinksobshttps://bgstack15.ddns.net/blog/posts/2020/02/24/found-obs-service-documentation/Mon, 24 Feb 2020 14:20:04 GMTSudoers policyhttps://bgstack15.ddns.net/blog/posts/2018/12/27/sudoers-policy/bgstack15<h2>Summary of policy</h2> <ol> <li>Full sudo access will not be granted.</li> <li><strong>Sudo su</strong> (switch user) access will be granted to service accounts upon request.</li> <li>Sudo access to specific commands run as specific users is granted upon request.</li> <li><strong>Sudo chmod</strong> is unnecessary because the owning user can already chmod files.</li> <li><strong>Sudo chown</strong> will be granted when applied to specific directories.</li> </ol> <h2>Annotated policy</h2> <ol> <li>Full sudo access will not be granted, with exceptions granted only by the Linux Engineering team. <ol> <li>Full sudo is what is assumed when users ask for "sudo access" without any qualifiers. Users may not mean this; they might mean sudo su $SHAREDACCOUNT but this cannot be assumed. Requests should be explicit as to what user they should run as, and what commands to run.</li> <li>Exceptions will be granted for development/sandbox environments as approved by the Linux Engineering team.</li> </ol> </li> <li> <p><strong>Sudo su</strong> (switch user) access will be granted to service accounts as requested through PARs and approved by the Linux Engineering team. </p> <ol> <li>Normal access to servers is through individual user accounts, who then switch user to a shared account to manage files and services. Some teams connect directly as a shared account which is not recommended but outside the scope of this policy.</li> <li>Usage of sudo to switch user, when using rules like the example below, include these commands: <pre class="code literal-block"><span></span><code> sudo su - apache </code></pre> <p>sudo su apache sudo -i apache sudo -su apache</p> </li> </ol> </li> <li> <p>Sudo access to specific commands run as specific users is granted as requested through PARs and approved by the Linux Engineering team. </p> <ol> <li>Perhaps not shells are needed, but just specific commands run as a different user. Switching users to an interactive shell is normal activity.</li> </ol> </li> <li><strong>Sudo chmod</strong> is unnecessary because the owning user can already chmod files. <ol> <li>A user should not run chmod against files that are not his because this is an unacceptable escalation of privilege.</li> </ol> </li> <li> <p><strong>Sudo chown</strong> will be granted when applied to specific directories. </p> <ol> <li>If sudo chown * were to be granted, the user could take over system files and is not permissible.</li> <li>Permissible options involve a specific directory name, with the recursive flag.</li> </ol> <p>[appdeployer ~]$ sudo chown -R appdeployer.appdeployer /opt/appdeployer/v5</p> </li> </ol> <p>The entry in sudoers:</p> <pre class="code literal-block"><span></span><code>appdeployer hostname = (root) /bin/chown -R appdeployer.appdeployer /opt/appdeployer/v5, /usr/bin/chown -R appdeployer.appdeployer /opt/appdeployer/v5 </code></pre> <h2>Definitions</h2> <table> <thead> <tr> <th>Term</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>Full sudo</td> <td><strong>sudo su root</strong> or any other command that uses sudo to achieve a</td> </tr> <tr> <td>root shell</td> <td></td> </tr> <tr> <td>PAR</td> <td>Permission access request ticket</td> </tr> </tbody> </table> <h2>Example sudoers</h2> <h3>DB example</h3> <p>This is an example sudoers file.</p> <pre class="code literal-block"><span></span><code># file: /etc/sudoers.d/30_db_dbas_sudo # managed by ansible # last updated 2018-12-10 20:11Z User_Alias DBUSERS = %db_dbas, !db Host_Alias DBHOSTS = l*dbr*, l*dbr*.ad.example.com, l*dbr*.ipa.example.com Host_Alias DBHOSTS_DEV = l2*dbr*, l2*dbr*.ad.example.com, l2*dbr*.ipa.example.com Cmnd_Alias BECOME_CMNDS = /bin/su - db, /bin/su db Cmnd_Alias DBCMNDS = /bin/ls, /bin/ps Cmnd_Alias DBCMNDS_DEV = ALL # Users may switch to shared local user Defaults:DBUSERS !authenticate DBUSERS DBHOSTS = (root) BECOME_CMNDS DBUSERS DBHOSTS = (db) ALL # Local user may run these commands Defaults: db !authenticate db DBHOSTS = (root) DBCMNDS db DBHOSTS_DEV = (root) DBCMNDS_DEV </code></pre> <h3>Webstats example</h3> <p>Another example</p> <pre class="code literal-block"><span></span><code><span class="c1"># file: /etc/sudoers.d/60_webstats</span> <span class="c1"># managed by ansible</span> <span class="c1"># last updated 2019-01-29T13:12Z</span> <span class="n">User_Alias</span> <span class="n">WEBSTATSUSERS</span> <span class="o">=</span> <span class="o">%</span><span class="n">webstats_linux</span><span class="err">@</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="n">Host_Alias</span> <span class="n">WEBSTATSHOSTS</span> <span class="o">=</span> <span class="n">webstats1</span><span class="o">*</span><span class="p">,</span><span class="n">webstats1</span><span class="o">*.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">Cmnd_Alias</span> <span class="n">WEBSTATSCMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">su</span> <span class="o">-</span> <span class="n">htdocs</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">su</span> <span class="n">htdocs</span><span class="p">,</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">top</span> <span class="o">*</span> <span class="n">Cmnd_Alias</span> <span class="n">NGINX_CMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">nginx</span> <span class="n">Cmnd_Alias</span> <span class="n">PHP_CMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span> <span class="n">Cmnd_Alias</span> <span class="n">EXTRA_CMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">top</span> <span class="o">*</span><span class="p">,</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">wsprodapp</span><span class="o">-</span><span class="n">permissions</span><span class="o">.</span><span class="n">sh</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">daemon</span><span class="o">-</span><span class="n">reload</span><span class="p">,</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">chown</span> <span class="o">-</span><span class="n">R</span> <span class="n">htdocs</span><span class="o">.</span><span class="n">htdocs</span> <span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">wsprodapp</span><span class="p">,</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">chmod</span> <span class="o">-</span><span class="n">R</span> <span class="n">u</span><span class="o">+</span><span class="n">rwX</span>\<span class="p">,</span><span class="n">g</span><span class="o">+</span><span class="n">rwX</span> <span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">wsprodapp</span> <span class="n">Cmnd_Alias</span> <span class="n">HTDOCSCMNDS</span> <span class="o">=</span> <span class="n">NGINX_CMNDS</span><span class="p">,</span> <span class="n">PHP_CMNDS</span><span class="p">,</span> <span class="n">EXTRA_CMNDS</span> <span class="c1"># Users may switch to htdocs</span> <span class="n">WEBSTATSUSERS</span> <span class="n">WEBSTATSHOSTS</span> <span class="o">=</span> <span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">WEBSTATSCMNDS</span> <span class="n">WEBSTATSUSERS</span> <span class="n">WEBSTATSHOSTS</span> <span class="o">=</span> <span class="p">(</span><span class="n">htdocs</span><span class="p">)</span> <span class="n">ALL</span> <span class="c1"># htdocs may run these commands</span> <span class="n">Defaults</span><span class="p">:</span><span class="n">htdocs</span> <span class="o">!</span><span class="n">authenticate</span> <span class="n">htdocs</span> <span class="n">WEBSTATSHOSTS</span> <span class="o">=</span> <span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">HTDOCSCMNDS</span> <span class="n">User_Alias</span> <span class="n">KUBUSERS</span> <span class="o">=</span> <span class="o">%</span><span class="n">container_sudoers</span><span class="err">@</span><span class="n">AD</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">,</span> <span class="o">%</span><span class="n">containers</span> <span class="n">Runas_Alias</span> <span class="n">KUBRUNAS</span> <span class="o">=</span> <span class="n">root</span><span class="p">,</span> <span class="n">containers</span> <span class="n">Host_Alias</span> <span class="n">KUBHOSTS</span> <span class="o">=</span> <span class="n">k8s</span><span class="o">*</span><span class="p">,</span><span class="n">k8s</span><span class="o">*.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">Cmnd_Alias</span> <span class="n">KUBCMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">docker</span> <span class="o">*</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">daemon</span><span class="o">-</span><span class="n">reload</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">su</span> <span class="n">containers</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">su</span> <span class="o">-</span> <span class="n">containers</span> <span class="n">KUBUSERS</span> <span class="n">KUBHOSTS</span><span class="o">=</span><span class="p">(</span><span class="n">KUBRUNAS</span><span class="p">)</span> <span class="n">NOPASSWD</span><span class="p">:</span> <span class="n">KUBCMNDS</span> </code></pre> <h3>Full sudo</h3> <p>If the Linux Engineering team grants full sudo access, it can be done in this way.</p> <pre class="code literal-block"><span></span><code># <span class="nv">FS_RUNDECK_USERS</span> <span class="nv">is</span> <span class="k">for</span> <span class="nv">Full</span> <span class="nv">Sudoers</span> <span class="nv">User_Alias</span> <span class="nv">FS_RUNDECK_USERS</span> <span class="o">=</span> <span class="o">%</span><span class="nv">appgroup1</span>, <span class="o">%</span><span class="nv">appgroup2</span> <span class="nv">Host_Alias</span> <span class="nv">FS_RUNDECK_HOSTS</span> <span class="o">=</span> <span class="nv">rundeck</span><span class="o">*</span>, <span class="nv">rundeck</span><span class="o">*</span>.<span class="nv">example</span>.<span class="nv">com</span> <span class="nv">Cmnd_Alias</span> <span class="nv">FS_RUNDECK_CMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">su</span>, <span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">su</span> <span class="o">-</span> <span class="nv">root</span>, <span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">su</span> <span class="o">-</span> <span class="nv">Runas_Alias</span> <span class="nv">FS_RUNDECK_RUNAS</span> <span class="o">=</span> <span class="nv">root</span> <span class="nv">FS_RUNDECK_USERS</span> <span class="nv">FS_RUNDECK_HOSTS</span> <span class="o">=</span> <span class="ss">(</span><span class="nv">root</span><span class="ss">)</span> <span class="nv">FS_RUNDECK_CMNDS</span> <span class="nv">FS_RUNDECK_USERS</span> <span class="nv">FS_RUNDECK_HOSTS</span> <span class="o">=</span> <span class="ss">(</span><span class="nv">FS_RUNDECK_RUNAS</span><span class="ss">)</span> <span class="nv">ALL</span> </code></pre> <h2>Guidelines for sudoers.d/ filenames</h2> <p>Best practice for sudoers.d/ files is to have them sorted numerically. The company uses number ranges between 00 and 99.</p> <pre class="code literal-block"><span></span><code><span class="mf">10</span><span class="n">_low_level_sudo</span> <span class="mf">20</span><span class="n">_linux_admins_sudo</span> <span class="mf">60</span><span class="n">_application_group_sudo</span> </code></pre>documentationsudohttps://bgstack15.ddns.net/blog/posts/2018/12/27/sudoers-policy/Thu, 27 Dec 2018 13:41:50 GMT