https://bgstack15.ddns.net/blog/enContents © 2024 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Tue, 15 Oct 2024 13:15:34 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rsshttps://bgstack15.ddns.net/blog/posts/2024/10/15/gksu-turn-warning-back-on/bgstack15<h2>Problem</h2> <p>Gksu (yes, the <a href="https://bgstack15.ddns.net/blog/outbound/https:/www.linuxuprising.com/2018/04/gksu-removed-from-ubuntu-heres.html">long-gone program</a> throws a notice message if you have sudo NOPASSWD access, indicating you were able to do this operation without a password/authentication. And if you check the box to hide this notice in the future, you won't ever see again.</p> <h2>Solution</h2> <p>Use <code>gconftool-2</code> to control it. Apparently the gksu uses the slightly-less-deprecated <code>gconf</code> idea (binary registry, sounds familiar? And now replaced with dconf which is different somehow?).</p> <p>Show the current status.</p> <div class="code"><pre class="code literal-block"><span class="n">gconftool</span><span class="o">-</span><span class="mi">2</span><span class="w"> </span><span class="o">--</span><span class="n">get</span><span class="w"> </span><span class="o">/</span><span class="n">apps</span><span class="o">/</span><span class="n">gksu</span><span class="o">/</span><span class="n">display</span><span class="o">-</span><span class="n">no</span><span class="o">-</span><span class="k">pass</span><span class="o">-</span><span class="n">info</span><span class="w"></span> </pre></div> <p>Turn the warnings back on.</p> <div class="code"><pre class="code literal-block"><span class="w"> </span><span class="n">gconftool</span><span class="o">-</span><span class="mi">2</span><span class="w"> </span><span class="o">--</span><span class="n">set</span><span class="w"> </span><span class="o">/</span><span class="n">apps</span><span class="o">/</span><span class="n">gksu</span><span class="o">/</span><span class="n">display</span><span class="o">-</span><span class="n">no</span><span class="o">-</span><span class="k">pass</span><span class="o">-</span><span class="n">info</span><span class="w"> </span><span class="o">--</span><span class="n">type</span><span class="w"> </span><span class="n">boolean</span><span class="w"> </span><span class="bp">true</span><span class="w"></span> </pre></div> <h2>Backstory</h2> <p>I was checking on one of my favorite utilities, <a href="https://bgstack15.ddns.net/blog/outbound/https:/github.com/gapan/xdgmenumaker">xdgmenumaker</a>, and it is authored by a guy named <em>gapan</em>. Well, one of his other pinned repositories is <a href="https://bgstack15.ddns.net/blog/outbound/https:/github.com/gapan/salixtools-gtk">salixtools-gtk</a>, which had a nifty user management program. I was setting up a system for an offsite user who will have to manage local users, and I found salixtools-gtk's <a href="https://bgstack15.ddns.net/blog/outbound/https:/github.com/gapan/salixtools-gtk/tree/master/gtkusersetup">gtkusersetup</a> program really nice.</p> <p>I learned that it takes a user with access to <code>/etc/shadow</code> so either a member of <a href="https://bgstack15.ddns.net/blog/outbound/https:/wiki.debian.org/SystemGroups">Debian group <code>shadow</code></a>, or some <a href="https://bgstack15.ddns.net/blog/posts/2018/02/05/notes-about-set-gid-and-sticky-bits-for-directories/">setgid</a> business, or sudo. Or, as the .desktop file for that project suggets, <code>gksu</code>. Which I had forgotten about; I don't normally use root functions from a graphical environment so hadn't needed it. But of course all good things must have ended before I came around, because now "they" want you to use policykit or other loennart-level dumb things.</p> <p>I got really scared when I couldn't find a <code>~/.config</code> file for gksu anywhere. Come to find out it's buried in some binary thingy (worse than the xfce4 xml files that only update upon a normal exiting of xfce4) that you can't just use Unixy tools to control. I forget exactly how I learned it was gconf. I think I used strace to read what it was doing or maybe got lucky examining other possible places on my $HOME filesystem. I shouldn't have to search so hard.</p>gksususudox11https://bgstack15.ddns.net/blog/posts/2024/10/15/gksu-turn-warning-back-on/Tue, 15 Oct 2024 13:13:00 GMThttps://bgstack15.ddns.net/blog/posts/2024/04/07/ipa-sudorule-all-users-mount-av/bgstack15<p>This rule demonstrates the users category "all" which is deceptively on the sudorule-mod command and not add-user one.</p> <p>I want my users to be able to get to <code>/mnt/public</code> and some systems (on wireless networks) wait for the user session to start before mounting /mnt/public. And sometimes the autofs daemon is misbehaving, so <code>/net/public</code> (which mounts the same nfs export) isn't always available. Sometimes I just want to run <code>sudo mount -av</code>. If something shouldn't be mounted with that, then use flag <code>noauto</code> in <code>/etc/fstab</code>, but I have decided anything in <code>/etc/fstab</code> is allowed to be mounted by all users.</p> <div class="code"><pre class="code literal-block">ipa sudorule-add "all-users-mount-av" ipa sudorule-add-host "all-users-mount-av" --hostcat="all" ipa sudorule-mod "all-users-mount-av" --usercat="all" ipa sudorule-add-runasuser "all-users-mount-av" --users 'root' ipa sudocmd-add --desc="mount -av" "/usr/bin/mount -av" ipa sudorule-add-allow-command "all-users-mount-av" --sudocmds "/usr/bin/mount -av" ipa sudorule-add-option "all-users-mount-av" --sudooption '!authenticate' ipa sudorule-mod "all-users-mount-av" --desc="all users may run mount -av on any system" </pre></div> <p>And now a random user can run the comand I've been needing for months!</p> <div class="code"><pre class="code literal-block">$ sudo -l -U user1 Matching Defaults entries <span class="k">for</span> public on server8: env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin, use_pty, <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">"ftp_proxy http_proxy https_proxy no_proxy"</span>, <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">"FTP_PROXY HTTP_PROXY HTTPS_PROXY NO_PROXY"</span>, <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">"DEBUG DEBUG_LEVEL DRYRUN VERBOSE"</span>, <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">"DRYRUN VERBOSE"</span>, <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">"DRYRUN VERBOSE MYA_PREFIX</span> <span class="s2"> DEBUG AUTOMOUNT_USER"</span> User user1 may run the following commands on server8: <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/mount -av </pre></div> <p>Hm, maybe I should clean up the duplicate DRYRUN, VERBOSE flags. Ah well, different problem for a different day.</p>clifreeipasudohttps://bgstack15.ddns.net/blog/posts/2024/04/07/ipa-sudorule-all-users-mount-av/Sun, 07 Apr 2024 13:00:10 GMThttps://bgstack15.ddns.net/blog/posts/2022/06/10/ipa-sudorule-all-commands/bgstack15<p>It was not the most clear to me how to write a sudo rule with "ALL" as the command set. I'm sure this was documented somewhere offline or on the Internet. Here's my cheat sheet for next time.</p> <p>To grant user3 access to full sudo access on host server2:</p> <pre class="code literal-block"><span></span><code>ipa sudorule-add 'user3-server2-root' ipa sudorule-add-host 'user3-server2-root' --hosts server2 ipa sudorule-add-user 'user3-server2-root' --users 'user3' ipa sudorule-add-runasuser 'user3-server2-root' --users 'root' ipa sudorule-mod 'user3-server2-root' --cmdcat='all' ipa sudorule-add-option 'user3-server2-root' --sudooption '!authenticate' </code></pre> <p>The big deal is the <code>--cmdcat</code> which is short for command category. So instead of listing specific commands, it is the "ALL" equivalent.</p>clifreeipasudohttps://bgstack15.ddns.net/blog/posts/2022/06/10/ipa-sudorule-all-commands/Fri, 10 Jun 2022 13:07:58 GMThttps://bgstack15.ddns.net/blog/posts/2018/12/27/sudoers-policy/bgstack15<h2>Summary of policy</h2> <ol> <li>Full sudo access will not be granted.</li> <li><strong>Sudo su</strong> (switch user) access will be granted to service accounts upon request.</li> <li>Sudo access to specific commands run as specific users is granted upon request.</li> <li><strong>Sudo chmod</strong> is unnecessary because the owning user can already chmod files.</li> <li><strong>Sudo chown</strong> will be granted when applied to specific directories.</li> </ol> <h2>Annotated policy</h2> <ol> <li>Full sudo access will not be granted, with exceptions granted only by the Linux Engineering team. <ol> <li>Full sudo is what is assumed when users ask for "sudo access" without any qualifiers. Users may not mean this; they might mean sudo su $SHAREDACCOUNT but this cannot be assumed. Requests should be explicit as to what user they should run as, and what commands to run.</li> <li>Exceptions will be granted for development/sandbox environments as approved by the Linux Engineering team.</li> </ol> </li> <li> <p><strong>Sudo su</strong> (switch user) access will be granted to service accounts as requested through PARs and approved by the Linux Engineering team. </p> <ol> <li>Normal access to servers is through individual user accounts, who then switch user to a shared account to manage files and services. Some teams connect directly as a shared account which is not recommended but outside the scope of this policy.</li> <li>Usage of sudo to switch user, when using rules like the example below, include these commands: <pre class="code literal-block"><span></span><code> sudo su - apache </code></pre> <p>sudo su apache sudo -i apache sudo -su apache</p> </li> </ol> </li> <li> <p>Sudo access to specific commands run as specific users is granted as requested through PARs and approved by the Linux Engineering team. </p> <ol> <li>Perhaps not shells are needed, but just specific commands run as a different user. Switching users to an interactive shell is normal activity.</li> </ol> </li> <li><strong>Sudo chmod</strong> is unnecessary because the owning user can already chmod files. <ol> <li>A user should not run chmod against files that are not his because this is an unacceptable escalation of privilege.</li> </ol> </li> <li> <p><strong>Sudo chown</strong> will be granted when applied to specific directories. </p> <ol> <li>If sudo chown * were to be granted, the user could take over system files and is not permissible.</li> <li>Permissible options involve a specific directory name, with the recursive flag.</li> </ol> <p>[appdeployer ~]$ sudo chown -R appdeployer.appdeployer /opt/appdeployer/v5</p> </li> </ol> <p>The entry in sudoers:</p> <pre class="code literal-block"><span></span><code>appdeployer hostname = (root) /bin/chown -R appdeployer.appdeployer /opt/appdeployer/v5, /usr/bin/chown -R appdeployer.appdeployer /opt/appdeployer/v5 </code></pre> <h2>Definitions</h2> <table> <thead> <tr> <th>Term</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>Full sudo</td> <td><strong>sudo su root</strong> or any other command that uses sudo to achieve a</td> </tr> <tr> <td>root shell</td> <td></td> </tr> <tr> <td>PAR</td> <td>Permission access request ticket</td> </tr> </tbody> </table> <h2>Example sudoers</h2> <h3>DB example</h3> <p>This is an example sudoers file.</p> <pre class="code literal-block"><span></span><code># file: /etc/sudoers.d/30_db_dbas_sudo # managed by ansible # last updated 2018-12-10 20:11Z User_Alias DBUSERS = %db_dbas, !db Host_Alias DBHOSTS = l*dbr*, l*dbr*.ad.example.com, l*dbr*.ipa.example.com Host_Alias DBHOSTS_DEV = l2*dbr*, l2*dbr*.ad.example.com, l2*dbr*.ipa.example.com Cmnd_Alias BECOME_CMNDS = /bin/su - db, /bin/su db Cmnd_Alias DBCMNDS = /bin/ls, /bin/ps Cmnd_Alias DBCMNDS_DEV = ALL # Users may switch to shared local user Defaults:DBUSERS !authenticate DBUSERS DBHOSTS = (root) BECOME_CMNDS DBUSERS DBHOSTS = (db) ALL # Local user may run these commands Defaults: db !authenticate db DBHOSTS = (root) DBCMNDS db DBHOSTS_DEV = (root) DBCMNDS_DEV </code></pre> <h3>Webstats example</h3> <p>Another example</p> <pre class="code literal-block"><span></span><code><span class="c1"># file: /etc/sudoers.d/60_webstats</span> <span class="c1"># managed by ansible</span> <span class="c1"># last updated 2019-01-29T13:12Z</span> <span class="n">User_Alias</span> <span class="n">WEBSTATSUSERS</span> <span class="o">=</span> <span class="o">%</span><span class="n">webstats_linux</span><span class="err">@</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="n">Host_Alias</span> <span class="n">WEBSTATSHOSTS</span> <span class="o">=</span> <span class="n">webstats1</span><span class="o">*</span><span class="p">,</span><span class="n">webstats1</span><span class="o">*.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">Cmnd_Alias</span> <span class="n">WEBSTATSCMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">su</span> <span class="o">-</span> <span class="n">htdocs</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">su</span> <span class="n">htdocs</span><span class="p">,</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">top</span> <span class="o">*</span> <span class="n">Cmnd_Alias</span> <span class="n">NGINX_CMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">nginx</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">nginx</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">nginx</span> <span class="n">Cmnd_Alias</span> <span class="n">PHP_CMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">php56</span><span class="o">-</span><span class="n">php</span><span class="o">-</span><span class="n">fpm</span> <span class="n">Cmnd_Alias</span> <span class="n">EXTRA_CMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">top</span> <span class="o">*</span><span class="p">,</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">wsprodapp</span><span class="o">-</span><span class="n">permissions</span><span class="o">.</span><span class="n">sh</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">daemon</span><span class="o">-</span><span class="n">reload</span><span class="p">,</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">chown</span> <span class="o">-</span><span class="n">R</span> <span class="n">htdocs</span><span class="o">.</span><span class="n">htdocs</span> <span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">wsprodapp</span><span class="p">,</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">chmod</span> <span class="o">-</span><span class="n">R</span> <span class="n">u</span><span class="o">+</span><span class="n">rwX</span>\<span class="p">,</span><span class="n">g</span><span class="o">+</span><span class="n">rwX</span> <span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">wsprodapp</span> <span class="n">Cmnd_Alias</span> <span class="n">HTDOCSCMNDS</span> <span class="o">=</span> <span class="n">NGINX_CMNDS</span><span class="p">,</span> <span class="n">PHP_CMNDS</span><span class="p">,</span> <span class="n">EXTRA_CMNDS</span> <span class="c1"># Users may switch to htdocs</span> <span class="n">WEBSTATSUSERS</span> <span class="n">WEBSTATSHOSTS</span> <span class="o">=</span> <span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">WEBSTATSCMNDS</span> <span class="n">WEBSTATSUSERS</span> <span class="n">WEBSTATSHOSTS</span> <span class="o">=</span> <span class="p">(</span><span class="n">htdocs</span><span class="p">)</span> <span class="n">ALL</span> <span class="c1"># htdocs may run these commands</span> <span class="n">Defaults</span><span class="p">:</span><span class="n">htdocs</span> <span class="o">!</span><span class="n">authenticate</span> <span class="n">htdocs</span> <span class="n">WEBSTATSHOSTS</span> <span class="o">=</span> <span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">HTDOCSCMNDS</span> <span class="n">User_Alias</span> <span class="n">KUBUSERS</span> <span class="o">=</span> <span class="o">%</span><span class="n">container_sudoers</span><span class="err">@</span><span class="n">AD</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">,</span> <span class="o">%</span><span class="n">containers</span> <span class="n">Runas_Alias</span> <span class="n">KUBRUNAS</span> <span class="o">=</span> <span class="n">root</span><span class="p">,</span> <span class="n">containers</span> <span class="n">Host_Alias</span> <span class="n">KUBHOSTS</span> <span class="o">=</span> <span class="n">k8s</span><span class="o">*</span><span class="p">,</span><span class="n">k8s</span><span class="o">*.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">Cmnd_Alias</span> <span class="n">KUBCMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">docker</span> <span class="o">*</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">start</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">stop</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">reload</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">enable</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">disable</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">status</span> <span class="n">docker</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">systemctl</span> <span class="n">daemon</span><span class="o">-</span><span class="n">reload</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">su</span> <span class="n">containers</span><span class="p">,</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">su</span> <span class="o">-</span> <span class="n">containers</span> <span class="n">KUBUSERS</span> <span class="n">KUBHOSTS</span><span class="o">=</span><span class="p">(</span><span class="n">KUBRUNAS</span><span class="p">)</span> <span class="n">NOPASSWD</span><span class="p">:</span> <span class="n">KUBCMNDS</span> </code></pre> <h3>Full sudo</h3> <p>If the Linux Engineering team grants full sudo access, it can be done in this way.</p> <pre class="code literal-block"><span></span><code># <span class="nv">FS_RUNDECK_USERS</span> <span class="nv">is</span> <span class="k">for</span> <span class="nv">Full</span> <span class="nv">Sudoers</span> <span class="nv">User_Alias</span> <span class="nv">FS_RUNDECK_USERS</span> <span class="o">=</span> <span class="o">%</span><span class="nv">appgroup1</span>, <span class="o">%</span><span class="nv">appgroup2</span> <span class="nv">Host_Alias</span> <span class="nv">FS_RUNDECK_HOSTS</span> <span class="o">=</span> <span class="nv">rundeck</span><span class="o">*</span>, <span class="nv">rundeck</span><span class="o">*</span>.<span class="nv">example</span>.<span class="nv">com</span> <span class="nv">Cmnd_Alias</span> <span class="nv">FS_RUNDECK_CMNDS</span> <span class="o">=</span> <span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">su</span>, <span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">su</span> <span class="o">-</span> <span class="nv">root</span>, <span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">su</span> <span class="o">-</span> <span class="nv">Runas_Alias</span> <span class="nv">FS_RUNDECK_RUNAS</span> <span class="o">=</span> <span class="nv">root</span> <span class="nv">FS_RUNDECK_USERS</span> <span class="nv">FS_RUNDECK_HOSTS</span> <span class="o">=</span> <span class="ss">(</span><span class="nv">root</span><span class="ss">)</span> <span class="nv">FS_RUNDECK_CMNDS</span> <span class="nv">FS_RUNDECK_USERS</span> <span class="nv">FS_RUNDECK_HOSTS</span> <span class="o">=</span> <span class="ss">(</span><span class="nv">FS_RUNDECK_RUNAS</span><span class="ss">)</span> <span class="nv">ALL</span> </code></pre> <h2>Guidelines for sudoers.d/ filenames</h2> <p>Best practice for sudoers.d/ files is to have them sorted numerically. The company uses number ranges between 00 and 99.</p> <pre class="code literal-block"><span></span><code><span class="mf">10</span><span class="n">_low_level_sudo</span> <span class="mf">20</span><span class="n">_linux_admins_sudo</span> <span class="mf">60</span><span class="n">_application_group_sudo</span> </code></pre>documentationsudohttps://bgstack15.ddns.net/blog/posts/2018/12/27/sudoers-policy/Thu, 27 Dec 2018 13:41:50 GMThttps://bgstack15.ddns.net/blog/posts/2017/10/28/audit-sudo-docker-usage/bgstack15<h2>tl;dr</h2> <pre class="code literal-block"><span></span><code><span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s2">"sudo:.*docker.*exec.*"</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">secure</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">vE</span> <span class="o">--</span> <span class="s2">"(-u|--user)"</span> <span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s2">"sudo:.*docker.*exec.*"</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">secure</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="o">--</span> <span class="s1">'(-u|--user)\s*root'</span> </code></pre> <h2>Explanation</h2> <p>One way to secure docker is to allow users to run it with sudo. Alternatively, you can add users to a group named "docker," but this doesn't provide the auditing that sudo has by default. So you can whip up a nice, neat little sudoers.d file similar to:</p> <pre class="code literal-block"><span></span><code><span class="n">User_Alias</span><span class="w"> </span><span class="n">CONT_POC_USERS</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">%</span><span class="n">container_sudoers</span><span class="nv">@ADDOMAIN</span><span class="w"></span> <span class="n">Runas_Alias</span><span class="w"> </span><span class="n">CONT_POC_RUNAS</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">root</span><span class="w"></span> <span class="n">Host_Alias</span><span class="w"> </span><span class="n">CONT_POC_HOSTS</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">cn</span><span class="o">-</span><span class="n">node</span><span class="o">-</span><span class="mi">5</span><span class="o">*</span><span class="p">,</span><span class="w"> </span><span class="n">cn</span><span class="o">-</span><span class="n">node</span><span class="o">-</span><span class="mi">5</span><span class="o">*</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">Cmnd_Alias</span><span class="w"> </span><span class="n">CONT_POC_CMNDS</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">docker</span><span class="w"> </span><span class="o">*</span><span class="w"></span> <span class="n">CONT_POC_USERS</span><span class="w"> </span><span class="n">CONT_POC_HOSTS</span><span class="o">=</span><span class="p">(</span><span class="n">CONT_POC_RUNAS</span><span class="p">)</span><span class="w"> </span><span class="n">CONT_POC_CMNDS</span><span class="w"></span> </code></pre> <p>With a security posture where you will not allow anything to run in a container as root, you can audit compliance with a few regular expressions.</p> <pre class="code literal-block"><span></span><code><span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s2">"sudo:.*docker.*exec.*"</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">secure</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">vE</span> <span class="o">--</span> <span class="s2">"(-u|--user)"</span> <span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s2">"sudo:.*docker.*exec.*"</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">secure</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="o">--</span> <span class="s1">'(-u|--user)\s*root'</span> </code></pre> <p>I haven't figured out how to have the negative and positive searches in one string, so any input there would be appreciated! Also, I have not figured out how to actually enforce running the <strong>docker exec</strong> command only with a <strong>-u username</strong> flag, without writing a much more complicated whitelist of docker build <em>, docker commit </em>, docker container *, docker cp * et al statements which seems like a lot of work but might ultimately be necessary.</p>auditdockersecuritysudohttps://bgstack15.ddns.net/blog/posts/2017/10/28/audit-sudo-docker-usage/Sat, 28 Oct 2017 13:32:45 GMThttps://bgstack15.ddns.net/blog/posts/2017/10/23/find-used-files-in-etcsudoers-d/bgstack15<p>Sudo, when given the <strong>#includedir /etc/sudoers.d/</strong> directive, will read files in that directory. According to its <a href="https://www.sudo.ws/man/1.8.13/sudoers.man.html">man page</a>, it does not interpret files whose names include a dot or end with a tilde ~. You can list the files that are available for sudo to interpret with this statement:</p> <pre class="code literal-block"><span></span><code><span class="n">find</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">sudoers</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="w"> </span><span class="o">-</span><span class="k">type</span><span class="w"> </span><span class="n">f</span><span class="w"> </span><span class="o">!</span><span class="w"> </span><span class="o">-</span><span class="n">regex</span><span class="w"> </span><span class="p">'</span><span class="n">\/etc\/sudoers\.d\/.*\..*'</span><span class="w"> </span><span class="o">!</span><span class="w"> </span><span class="o">-</span><span class="n">regex</span><span class="w"> </span><span class="p">'</span><span class="n">\/etc\/sudoers\.d\/.*~'</span><span class="w"></span> </code></pre>configfilesfindonelinersudohttps://bgstack15.ddns.net/blog/posts/2017/10/23/find-used-files-in-etcsudoers-d/Mon, 23 Oct 2017 20:02:44 GMThttps://bgstack15.ddns.net/blog/posts/2016/11/01/sudoers-match-ad-group/bgstack15<h2>Using AD groups in sudoers</h2> <p>When you need to add an Active Directory group to the sudoers, you need to know a few things. I learned from the sudoers man page that alias names can only be in capital letters, numbers, and underscores. Also, when you use an AD group in a sudoers file (in my case, /etc/sudoers.d/70_web-dev_grp), you prepend the group name with a percent sign. Also, I'm pretty sure you need to have the casing of the group name exactly correct, but I haven't tested other casings and don't plan to. If you know anything about this, comment and let me know! <code>User_Alias WEBDEVGRP = %Web-dev_grp WEBDEVGRP ALL=(ALL) /sbin/apachectl</code></p> <h2>Reference</h2> <p><a href="http://serverfault.com/questions/436037/sudoers-file-allow-sudo-on-specific-%0Afile-for-active-directory-group/444875#444875">http://serverfault.com/questions/436037/sudoers-file-allow-sudo-on-specific- file-for-active-directory-group/444875#444875</a></p>configsudohttps://bgstack15.ddns.net/blog/posts/2016/11/01/sudoers-match-ad-group/Tue, 01 Nov 2016 15:12:40 GMThttps://bgstack15.ddns.net/blog/posts/2016/06/06/solve-sudo-sending-useless-emails-problem-with-defaults-entries/bgstack15<h2>sudo problem with defaults entries</h2> <p>I ran into a problem on my Ubuntu 16.04 Server LTS instance. Whenever a user (whether sssd-ad authenticated user, or local user, or root) uses sudo, it works. But it also sends the administrator a useless email:</p> <pre class="code literal-block"><span></span><code><span class="nt">host1</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">com</span> <span class="o">:</span> <span class="nt">Jun</span> <span class="nt">6</span> <span class="nt">14</span><span class="p">:</span><span class="nd">40</span><span class="p">:</span><span class="nd">44</span> <span class="o">:</span> <span class="nt">root</span> <span class="o">:</span> <span class="nt">problem</span> <span class="nt">with</span> <span class="nt">defaults</span> <span class="nt">entries</span> <span class="o">;</span> <span class="nt">TTY</span><span class="o">=</span><span class="nt">pts</span><span class="o">/</span><span class="nt">2</span> <span class="o">;</span> <span class="nt">PWD</span><span class="o">=/</span><span class="nt">root</span> <span class="o">;</span> </code></pre> <p>I started removing the defaults entries in /etc/sudoers (using the visudo) command one by one, but after removing them all it still sent the annoying emails. Here are the defaults I was working from:</p> <pre class="code literal-block"><span></span><code>Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" </code></pre> <h2><strong>How do I make sudo stop sending me useless emails?</strong></h2> <p>This problem is caused by sudo looking for directives in a place it cannot find them: sss. Check the <strong>/etc/nsswitch.conf</strong> file and modify the sudoers entry.</p> <pre class="code literal-block"><span></span><code><span class="n">sudoers</span><span class="o">:</span> <span class="n">files</span> <span class="o">**</span><span class="n">sss</span><span class="o">**</span> </code></pre> <p>The <strong>sss</strong> should not be there. The sssd-ad package adds itself there, but very few environments store sudoers directives in sss. It's far more likely your directives are local, so you should have a /etc/nsswitch file entry like the following:</p> <pre class="code literal-block"><span></span><code><span class="n">sudoers</span><span class="o">:</span> <span class="n">files</span> </code></pre> <h2>References</h2> <p>A user of RHEL6 had the same issue. https://bugzilla.redhat.com/show_bug.cgi?id=879633 The issue is solvable, including on Ubuntu 16.04 https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1249777</p>linuxsudohttps://bgstack15.ddns.net/blog/posts/2016/06/06/solve-sudo-sending-useless-emails-problem-with-defaults-entries/Mon, 06 Jun 2016 19:34:32 GMT