Add a user to the sudoers

Honestly, adding a user to the sudoers should be just a matter of a checkbox. At least that is the case with SME Server.

1 Like

I agree @stephdl

What would you like to achieve?
Could you describe an example and usage scenario?

Since it is the first time I've heard this request, I’d start with a howto rather than adding new code.

/cc @bwdjames

Hi @giacomo,

Essentially there are some administrative tasks that temporarily require root access and logging in as root is not recommended from a security point of view, hence granting sudo access to specific users.

An easy to find HowTo for this would definitely be a real good starting point for this and it would be interesting to hear from the community as well how many feel the need or want to grant a specific user or users sudo access.

Although having a checkbox option to select on the user account information page would be nice for ease of use, I am unsure if that is a good idea or not, depending on how it gets used and if it opens the possibility of it being abused due to lack of understanding of the functionality or potentially political abuse of a boss who doesn’t have the required information demanding the privilege and then doing some damage (although I see this as a rare situation and rare occurrence).
It would really depend on the business case for it and how many people think it's something that would be of benefit. I know that I think it would be good to have, but then I’m biased based on the work I do.

1 Like

Thinking about how to do it, it is now more complicated with the end of the db accounts for users, while it is a common delegating task. In many cases you might need to delegate the power of root.

With sudo you can delegate some users to run specific commands (even with a list of valid parameters) with root privileges.

Correct me if I’m wrong: you’re trying to give root access to a specific user, not to delegate some tasks with sudo.
In this case, giving the power to become root is a matter of adding a user to the wheel group.

This is the upstream doc: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/chap-Gaining_Privileges.html

2 Likes

It is the correct procedure, but I’m afraid both CLI commands (i.e. usermod, lusermod, samba-tool) and the UI cannot add to wheel (a group defined by /etc/group) a user coming from LDAP or AD.

We could set (as opt-in) “domain admins” (or any other group in LDAP or AD) as a “wheel” equivalent, though. We have the admins key in configuration DB…

2 Likes

Yes, the purpose is to gain/delegate root access. Imagine I ssh into a server to fix/search for a bug; I might need privileged access and rights, but momentarily, not forever :slight_smile:

Ideally I prefer sudo rights for a ‘baby’ administrator; you could hope that he’ll forget the sudo before doing ‘rm -rf /var/lib/nethserver’

1 Like

‘rm -rf /var/lib/nethserver’ is not as much fun as rm -rf / :innocent:

1 Like

Linux is an adult now…you cannot do it anymore…you need to give more arguments :slight_smile:

1 Like

Never underestimate idiots :wink:

2 Likes

Or bad luck

1 Like

Or argue with them - they will drag you down to their level and beat you with experience…

3 Likes

I agree, we could automatically give sudo access to admins.
Or, as an alternative, we can create an ad-hoc group.

@bwdjames you can solve your problem like this (not tested):

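  1. create a group powerusers in Users & Groups page
  2. add one or more users to the group
  3. create a sudo file like this:

```
# Let members of the powerusers group run any command as any user
echo "%powerusers	ALL=(ALL)	ALL" > /etc/sudoers.d/90powerusers
# Make the drop-in read-only for owner and group, no access for others
chmod 440 /etc/sudoers.d/90powerusers
```
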
4 Likes
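
An added example, not part of the original posts or of NethServer's code: the same group drop-in written so that it is syntax-checked with `visudo -cf` before it goes live, and optionally limited to specific commands as mentioned earlier in the thread. The function name `install_group_sudoers` and its `DIR` parameter are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (hypothetical helper, not NethServer code).
# install_group_sudoers GROUP [COMMANDS] [DIR]
#   GROUP     group to delegate to, e.g. powerusers
#   COMMANDS  sudoers command list on one line (default: ALL)
#   DIR       drop-in directory (default: /etc/sudoers.d); a parameter
#             here only so the function can be tried in a scratch dir
install_group_sudoers() {
    group=$1
    cmds=${2:-ALL}
    dir=${3:-/etc/sudoers.d}
    nl='
'
    # Plain names only: whitespace, ',', '%' or '.' in the name could add
    # extra sudoers syntax or give a file name that sudo silently skips
    # (sudo ignores drop-ins containing '.' or ending in '~').
    case $group in
        ''|*[!A-Za-z0-9_-]*) echo "invalid group name" >&2; return 1 ;;
    esac
    case $cmds in
        *"$nl"*) echo "commands must be a single line" >&2; return 1 ;;
    esac
    # Refuse to install anything that cannot be syntax-checked.
    command -v visudo >/dev/null 2>&1 || {
        echo "visudo not found" >&2; return 1; }

    # The temp name contains '.', so sudo ignores it while it is staged.
    tmp=$(mktemp "$dir/90$group.XXXXXX") || return 1
    printf '%%%s\tALL=(ALL)\t%s\n' "$group" "$cmds" > "$tmp"
    chmod 0440 "$tmp"

    # A syntax error in a drop-in can stop sudo from working at all,
    # so check the staged file before it becomes live.
    if ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "sudoers syntax check failed, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    # Same-directory rename: the rule appears atomically, mode 0440.
    mv -f "$tmp" "$dir/90$group"
}
```
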

Will give it a try later this evening or tomorrow, schedule overbooked last night and today.

1 Like

@giacomo I can confirm that this works and is a very good solution to have in the documents somewhere.

1 Like

Should I add it to the developer manual or would you like to try to open a pull request on the readme file?

Just my 2c question: is it possible to get a sudo group, created by the rpm, and add users to this group when it is needed? An automatic task is interesting; an RTFM solution could be quite boring.

This is not possible on NS 7 because you don’t know where accounts are stored, locally on an LDAP or even on a remote Microsoft Active Directory.

2 Likes

So the “root” account for management is not a member of groups?