Sudoers Meryll Larkin - that's me Why you are here: You do this at work or want to General curiosity - want to learn Your first choice workshop was full To heckle Any burning questions you need answered? I'll make sure to get to them.
Sudoers Examples and discussion style workshop I've seen some bad sudoers files and I know how to do better, but I'm not an “expert” - ok for you to help/suggest Why do we need to write good sudoers files? Your ideas, Examples and analysis/critiques
Why Sudoers What do we do if we don't use sudoers? What role does sudoers play in security? Most common form of bad sudoers?
Sudo Aptonym Linux developers knew commands were hard to remember so they tried to make them memorable. Pseudo - masquerading as someone else SU - do = What the SuperUser does
Wheel Group What is the wheel group and how is it used? What is the gid of the wheel group? Does it have to be the “wheel” group?
How to think about Sudo Specify what a user or group CAN do Set limits as to what a user or group CAN'T do (trickier): Because there are so many way to accomplish something in Linux. CLI examples here. Why we would want to do those things
Discuss Assorted Sudo Strategies Per-administrator, additional admin accounts: nuhura, nuhura_adm Shared accounts for shared work root does not have ssh permission, but you need to run remote scripts with root authority difference between su and su - if you can become root, you can become any login.
Writing Sudoers Rules Permissions on /etc/sudoers file aliases & privilege specs in sudoers 4 types of aliases User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias. Default for each alias type what is /etc/sudoers.d/ ?
Writing Sudoer Rules, More principle of least privilege: This is a User Spec (privilege) template: User Host = Command(s) [: Hosts = Cmnd_Spec_List *] Commands (and command Cmnd_Spec_Lists) can be single commands (absolute path is best) or a comma separated list. Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Writing Sudoer Rules, More 2 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
Developing Rules & Testing TRY IT!!!! Become an unprivileged user, see if you can do your work. Deputize a dev to show you exactly the steps she takes. Don't test on production machines! Test what you DON'T want to happen as well as what you do!
sudo dangers “elevation of privileges” show them unintentional file deletion or alteration one strategy: greatly restrict who has sudo on Production systems. Allow more sudo access on Dev, Test, and/or Staging hosts.
Sudoers, End Thanks for your attention and especially your participation! I created a few scripts so to give you a “sample set” of users so you can try out permissions and how they work on your own laptop or test machine. They should found in the same place where you downloaded this presentation. Happy hacking!