Honestly, adding a user to the sudoers should be just a matter of a checkbox. At least that is the case with SME Server.
I agree @stephdl
What would you like to achieve?
Could you describe an example and usage scenario?
Since this is the first time I've heard this request, I'd start with a howto rather than adding new code.
/cc @bwdjames
Hi @giacomo,
Essentially there are some administrative tasks that temporarily require root access and logging in as root is not recommended from a security point of view, hence granting sudo access to specific users.
An easy to find HowTo for this would definitely be a real good starting point for this and it would be interesting to hear from the community as well how many feel the need or want to grant a specific user or users sudo access.
Although having a checkbox option to select on the user account information page would be nice for ease of use, I am unsure if that is a good idea or not, depending on how it gets used and if it opens the possibility of it being abused due to lack of understanding of the functionality or potentially political abuse of a boss who doesn't have the required information demanding the privilege and then doing some damage (although I see this as a rare situation and rare occurrence).
It would really depend on the business case for it and how many people think it's something that would be of benefit. I know that I think it would be good to have, but then I'm biased based on the work I do.
Thinking about how to do it, it is now more complicated with the end of the db accounts for users, while it is a common delegating task. In many cases you might need to delegate the power of root.
With sudo you can delegate some users to run specific commands (even with a list of valid parameters) with root privileges.
Correct me if I'm wrong: you're trying to give root access to a specific user, not to delegate some tasks with sudo.
In this case, giving the power to become root is a matter of adding a user to the wheel group.
This is the upstream doc: Chapter 6. Gaining Privileges | Red Hat Product Documentation
It is the correct procedure, but I'm afraid both CLI commands (i.e. usermod, lusermod, samba-tool) and the UI cannot add to wheel (a group defined by /etc/group) a user coming from LDAP or AD.
We could set (as opt-in) "domain admins" (or any other group in LDAP or AD) as a "wheel" equivalent, though. We have the admins key in configuration DB…
Yes, the purpose is to gain/delegate root access. Imagine I ssh into a server to fix/search for a bug, I might need privileged access and rights, but momentarily, not forever.
Ideally I prefer the sudo rights for a "baby" administrator, you could hope that he'll forget the sudo before doing "rm -rf /var/lib/nethserver"
"rm -rf /var/lib/nethserver" is not as much fun as rm -rf /
Linux is an adult now…you cannot do it anymore…you need to give more arguments
Never underestimate idiots
Or bad luck
Or argue with them - they will drag you down to their level and beat you with experience…
I agree, we could automatically give sudo access to admins.
Or, as an alternative, we can create an ad-hoc group.
@bwdjames you can solve your problem like this (not tested):
- create a group powerusers in Users & Groups page
- add one or more users to the group
- create a sudo file like this:
echo "%powerusers ALL=(ALL) ALL" > /etc/sudoers.d/90powerusers
chmod 440 /etc/sudoers.d/90powerusers
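The same two commands from the post above, wrapped so the rule is syntax-checked before it goes live (an added example, not part of the original thread). The function names and the SUDOERS_DIR variable are assumptions made for illustration; the group and file name are the ones from the post.

```shell
#!/bin/sh
# Added example: stage, validate, then install a sudoers drop-in for a group.
# SUDOERS_DIR (hypothetical variable) is overridable so this can be tried
# in a scratch directory before touching the real /etc/sudoers.d.
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# sudo skips files in an include directory whose name contains '.' or ends in '~',
# so a rule saved as "90powerusers.conf" would silently never apply.
valid_dropin_name() {
    case "$1" in
        ""|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only plain group names so nothing else ends up inside the rule.
valid_group_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_group_rule GROUP FILENAME
install_group_rule() {
    group="$1"; name="$2"
    valid_group_name "$group" || { echo "bad group name: $group" >&2; return 2; }
    valid_dropin_name "$name" || { echo "sudo would ignore file: $name" >&2; return 2; }

    # The staging name contains '.', so sudo ignores it until it is renamed.
    tmp="$(mktemp "$SUDOERS_DIR/.tmp-XXXXXX")" || return 1
    printf '%%%s ALL=(ALL) ALL\n' "$group" > "$tmp"
    chmod 440 "$tmp"

    # Syntax-check the staged file; a broken drop-in can lock everyone out of sudo.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; echo "syntax check failed" >&2; return 3; }
    else
        echo "visudo not found, skipping syntax check" >&2
    fi
    mv -f "$tmp" "$SUDOERS_DIR/$name"   # rename inside one directory is atomic
}

# Usage (as root): install_group_rule powerusers 90powerusers
```

Running `sudo -l -U someuser` afterwards, for a member of the group, shows whether the rule is actually being picked up.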
Will give it a try later this evening or tomorrow, schedule overbooked last night and today.
@giacomo I can confirm that this works and is a very good solution to have in the documents somewhere.
Should I add it to the developer manual or would you like to try to open a pull request on the readme file?
Just my 2c question: is it possible to get a sudo group, created by the rpm, and add users to this group when needed? An automatic task is interesting, an RTFM solution could be quite boring.
This is not possible on NS 7 because you don't know where accounts are stored: locally, on an LDAP or even on a remote Microsoft Active Directory.
So the "root" account for management is not a member of groups?