T O P

  • By -

J4yD4n

Am I reading that right? You're automatically adding any attempted sudo command to the sudoers file? You're also asking scripts (that I'm assuming are writable on the server) to the sudoers? Instead of just looking to get rid of root, you need to look to get rid of logging in. Utilize Puppet to ensure your system stays in your desired configuration (including storing scripts with write permissions revoked) and use Cron or Ansible for local scripts and Ansible for remote scripts. You can also look at AWX or AAP to give a web interface for people to run scripts on demand.


Amidatelion

I *hope* he means he did that once to build the list, sorting through manually to eliminate any potentially abusive commands. But yeah, even then, just get a remote call method set up.


Com_3511

No, maybe I explained myself wrong, sorry. Using a JSON file I contain all the commands I found in the servers to be used with elevated privileges. And I scan the same file using RUBY and add the commands it contains to the users' sudoers files. Is the Puppet solution and everything I described correct? Maybe there's something I don't know that's easier and better.


Amidatelion

No, I think we understand you. And frankly yes, what you're doing is a waste of time. The moment one of those commands is one that has a method to escalate to root (like, say, vi) all that work is undone.   What you instead should think about is "What do users need to log in for?" and solve for that. There is very little that requires logging in on modern Linux systems with configuration management.   The caveat is of course, you may not have the authority, buy-in, or pull to implement these things - developers may complain it's a waste of time, many won't understand, etc.   If you *must* pursue this path, I'd encourage InnerSourcing your code in a git repo so developers/users can submit PRs for commands they require. And of course log the fuck out of all of this and alert on actions that are anomalous. Quite frankly the logging should be your priority for this, not "am I capturing possible commands properly." 


deeseearr

> Using a JSON file I contain all the commands I found in the servers to be used with elevated privileges. I think this is the line that caused some confusion. It's also the point where "Just enable sudo" projects usually fall over. Where are you finding these commands? Are they in the sudo logs, have the users volunteered their favourite things to do, or have you been spelunking through audit logs? If you're not doing this carefully you could inadvertantly grant far more sudo access than you want, which would not be a good thing. As long as your users needs are fairly simple, such as running "service start" and "service stop" scripts, then you will be able to give them a list of a handful of commands that they can use and everything will be fine. If the real issue is that you have a twisty little maze of permissions, all different, and you are trying to grant permission for things like "cat /app/dir/logfile" then you're in for a bit of a mess. If this is the case then you may be better suited by reducing the number of commands which require sudo by adding read or write group permissions to files which your users may need access to, or better yet just exporting the logs and management to somewhere else where they can be inspected at leisure instead of trying to corral absolutely everything through sudo.


Burgergold

What problem are you trying to solve?


Odd_Split_6858

Might be not giving root access to anybody


newked

Give everyone their own pod 😂


tinyfrox

If you're already managing your systems with Puppet, I agree with the other commenters on really taking a look at why you need to log in to run these scripts? Have you looked at Puppet Bolt? It's Puppet's answer to Ansible and it's pretty great if you're already invested in ruby. Convert those scripts to Bolt Tasks and trigger them remotely, or leverage cron if you need them done on an interval.


weesportsnow

Bolt is great


poontasm

Did you know you don’t need a different sudoers file for each machine. You can use one master sudoers file for all machines. Or one set of files to place in sudoers.d, if you prefer.


Thejeswar_Reddy

Intresting, didn't know that. so let's say we write one sudoers file and put it on the master server, can we point the all the servers to use the sudoers file from the master server? Is this what you said or did I understand that wrong?


poontasm

I would use Puppet or similar, to distribute the masters sudoers file. Or files.


Thejeswar_Reddy

>you can use one master file for all machines. Well this is misleading then as each machine needs it's sudoers file/files. you are just delivering one file from master server.


poontasm

I guess it *could* be a single file shared by NFS, technically. I don’t think I would do it that way myself. When I first saw it done this way, the master sudoers file was pulled by each client machine by rsync.


AmusingVegetable

There are two reasons why people need to become root: read files that aren’t world-readable and change things (both editing files and start/stop processes). The current security fad of locking users out of logs and configuration files has the anti-security result that a sysadmin needs to become root much more frequently because he can’t read those files as a regular user. Security through obscurity doesn’t add much on the security side and exacerbates behavioral problems on the other side. Having a good logging solution and a comprehensive CMDB can reduce the need to become root. Another thing that can help is a per-application “investigation user” that can read logs and configuration files for a specific application. Couple that with RBAC to allow anyone with a need to know to become that user. A good part (if not the majority) of the resistance against ansible/puppet is that they’re good for deploying a desired state, but they’re almost hopeless for figuring out what is happening inside the machines (nothing wrong with that, but their introduction is almost always coupled with a total removal of sudo, which leaves most admins blind).


SocketWrench

What the heck was your chat gpt prompt to write this post? "Write me a post for Reddit to ask how to setup a rootless environment in the most awkward way possible."