Add a user to the sudoers

giacomo · June 14, 2017, 6:48am

With sudo you can delegate some users to run specific commands (even with a list of valid parameters) with root privileges.

Correct if I’m wrong: you’re trying to give root access to a specific user, not to delegate some tasks with sudo.
In this case, giving the power to become root is a matter of adding a user to the wheel group.

This is the upstream doc: Chapter 6. Gaining Privileges Red Hat Enterprise Linux 7 | Red Hat Customer Portal

davidep · June 14, 2017, 7:31am

It is the correct procedure, but I’m afraid both CLI commands (i.e. usermod, lusermod, samba-tool) and the UI cannot add to wheel (a group defined by /etc/group) an user coming from LDAP or AD.

We could set (as opt-in) “domain admins” (or any other group in LDAP or AD) as a “wheel” equivalent, though. We have the admins key in configuration DB…

stephdl · June 14, 2017, 3:52pm

yes the purpose is to gain/delegate root access. Imagine I ssh a server to fix/search a bug, I might need privileged accesses and rights but momently, not forever

Ideally I prefer the sudo rights for a ‘baby’ administrator, you could hope that he’ll forget the sudo before to do ‘rm -rf /var/lib/nethserver’

bwdjames · June 14, 2017, 4:12pm

‘rm -rf /var/lib/nethserver’ is not as much fun as rm -rf /

stephdl · June 14, 2017, 4:13pm

Linux is an adult now…you cannot do it anymore…you need to give more arguments

Stefano_Zamboni · June 14, 2017, 4:34pm

Never understimate idiots

pike · June 14, 2017, 5:30pm

Or bad luck

bwdjames · June 14, 2017, 7:40pm

Or argue with them - they will drag you down to their level and beat you with experience…

giacomo · June 15, 2017, 7:08am

I agree, we could automatic five sudo access to admins.
Or, as an alternative, we can create an ad-hoc group.

@bwdjames you can solve your problem like this (not tested):

create a group powerusers in Users & Groups page
add one ore more user to the group
create a sudo file like this:

echo "%powerusers	ALL=(ALL)	ALL" > /etc/sudoers.d/90powerusers
chmod 440  /etc/sudoers.d/90powerusers

bwdjames · June 16, 2017, 8:50am

Will give it a try later this evening or tomorrow, schedule over booked last night and today

bwdjames · June 16, 2017, 8:27pm

@giacomo I can confirm that this works and is a very good solution to have in the documents somewhere.

giacomo · June 19, 2017, 11:52am

Should I add it to the developer manual or would you like to try to open a pull request on the readme file?

github.com

NethServer/nethserver-sssd/blob/master/README.rst

===============
nethserver-sssd
===============

This package implements authentication and user management layers.
Supported authentication providers are:

* OpenLDAP with POSIX attributes
* Samba or Windows Active Directory

It includes the following parts:

* SSSD configuration
* events for users and  groups management
* web interface for user management
* password policy management
* system validators for users and groups
* SSSD perl library to ease the implementation of e-smith templates

This file has been truncated. show original

stephdl · June 19, 2017, 7:31pm

just my 2C question. Is it possible to get a sudo group, created by the rpm, and add users when it is needed in this group. An automatic task is interesting, a RTFM solution could be quite boring

giacomo · June 20, 2017, 7:10am

This is not possible on NS 7 because you don’t know where accounts are stored, locally on a LDAP or even on a remote Microsoft Active Directory.

pike · June 21, 2017, 1:01pm

So “root” account for management is not member of groups?

giacomo · June 21, 2017, 1:58pm

The “root” user is member only of the root group itself.

pike · June 21, 2017, 3:25pm

So there are groups on server .
This means that should be possible to create another group… the sudoers.

stephdl · July 10, 2017, 5:16pm

do you think your solution is workable if the account provider is remote ?

stephdl · July 10, 2017, 5:55pm

answering myself : yes

davidep · September 30, 2020, 7:46am

6 posts were split to a new topic: Cockpit users see an error instead of values