Nethserver-delegation needs testers

Thanks Mark… how did you set this below, by the command line?

Normally the GUI forbids it by testing the full path of the executable.

Yes, if a bad command is given then you cannot log in any more in Nethgui because the sudoers file is broken.

So what to do… only allow full permission on all commands (become root)?

It was set from the UI (tested individually, one at a time).

2 Likes

good :slight_smile:

As said, this is not a problem of the module but of the sysadmin. Personally I would add the NOEXEC tag for the list of sudo commands.

Some users might desire more granular control (not full permission on an executable but on a command with arguments, e.g. /bin/cat /var/lib/nethserver/secrets/mysql), but this would complicate making the module.

I’d like to hear from some users that could be interested in this feature: @bwdjames @pike @islipfd19 @Bt_Crigna

If someone can break the sudoers file, it is a concern for me :). In this case it is better to simply allow full root sudo.

For the servers I manage, the users I grant sudo access to usually need full root privileges. On occasion when someone has needed root to access certain commands or to make certain changes, the set policy is to speak to someone who has the access. But that’s just me and the setup I have chosen.

If there is a way to give more granular sudo access, it would be an extremely beneficial feature for those who have a large installation where some form of delegation is required for practical reasons.

I am unsure of how easy or not it is to develop something for this, and @stephdl is quite correct in that you don’t want to have this feature breaking the sudoers file, as it could either give everyone too many permissions (thereby potentially causing sensitive data leakage or worse) or restrict everyone’s permissions, causing a scenario where a re-installation is required.

1 Like

Maybe we can sanitise the entry… it must start with ^/\w+ or something like that.

Agree on that. I misunderstood what your question was referring to.

User input is often a problem. Sanitising it could do it, along with verifying the (temp) file for proper syntax (visudo -cf…) so the script can accept or revert the changes.

1 Like

Not sure how easy or difficult this may be, but how easy would it be to select the users from a drop-down list instead of adding them in a text box? This may reduce some of the errors with user entry.

You mean to create a check box with all available Unix executable binaries???

I was misreading the screenshot; please ignore me, and apologies for the confusion.

2 Likes

No problem…we are here for fun :smile:

1 Like

OK, I will look; it seems interesting.

Yes, it would be a nice enhancement, but I really don’t know how to test it and also validate all the bad hacks that a sudo user can do after being granted… in this case I would prefer to let the sysadmin write his own /etc/sudoers.d/ file to delegate exactly what he wants.

For now I have sanitised the ‘/…,…,///’ you found, just with a preg_match test.

1 Like

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.1.4-1.ns7.sdl.noarch.rpm

* Tue Aug 01 2017 stephane de Labrusse <stephdl@de-labrusse.fr> 0.1.4-1.ns7
- The path to the binary is sanitised
- New UI

2 Likes

Tested ok.

1 Like

Thank you Marc… I pushed a minor correction on the delegation panel; it is the same version number, reinstall if you did not install it on a VM.

Next step: NS6.

@all, what else did you want to be delegated?

1 Like

I love to hear that :slight_smile:

Anyway, this module is super interesting thanks for your effort. Didn’t have time to test it out yet, I hope to do it soon.

One more thing @stephdl, after reading excerpts from sudoers manual, it seems files under /etc/sudoers.d/ should also be set to 0440 permission. Can you check it?

1 Like
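The checks discussed in this thread (sanitising the binary path, adding NOEXEC, verifying with visudo -cf before accepting the change, and installing the file as 0440) put together in one POSIX shell script. This is an added example, not the nethserver-delegation module's own code; the file name pattern /etc/sudoers.d/delegation_USER and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the nethserver-delegation module's own code: vet a
# delegated command the way the thread suggests (sanitise the path, add
# NOEXEC, verify with visudo -cf, install under /etc/sudoers.d as 0440).

# Accept only a plain absolute path: no characters outside the allow-list,
# no empty, dotted or trailing segments (rejects '/...,...,///', '/bin/../sh',
# 'cat', and anything carrying a space or comma).
sanitise_path() {
    case "$1" in /*) ;; *) return 1 ;; esac          # must be absolute
    case "$1" in
        *[![:alnum:]_./-]*) return 1 ;;            # disallowed character
        *//*|*/.*|*/) return 1 ;;                  # '//', '/.', trailing '/'
    esac
    return 0
}

# Accept a conventional Unix user name (lowercase, digits, '_' and '-',
# not starting with a digit or '-').
sanitise_user() {
    case "$1" in
        ''|*[![:lower:][:digit:]_-]*|[[:digit:]-]*) return 1 ;;
    esac
    return 0
}

# The rule as written to the sudoers file: NOEXEC stops the delegated
# program from running other programs (e.g. a shell escape from an editor).
sudoers_line() {
    printf '%s ALL=(root) NOEXEC: %s\n' "$1" "$2"
}

# Generate the rule in a temp file, let visudo check the syntax, and only
# then install it with the 0440 mode the sudoers manual requires.
install_rule() {
    user=$1 cmd=$2 target=${3:-/etc/sudoers.d/delegation_$1}   # assumed name
    sanitise_user "$user" || { echo "rejected user: $user" >&2; return 1; }
    sanitise_path "$cmd"  || { echo "rejected path: $cmd" >&2; return 1; }
    [ -x "$cmd" ] || { echo "not an executable: $cmd" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sudoers_line "$user" "$cmd" > "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        install -m 0440 -o root -g root "$tmp" "$target"; rc=$?
    else
        echo "visudo rejected the generated rule" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

A non-zero return from install_rule means nothing was written, so the caller can report the rejected input instead of leaving a broken sudoers file behind.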

Released for ns7

https://wiki.nethserver.org/doku.php?id=delegation_of_authority

4 Likes

Released for ns6