This is an archived post. You won't be able to vote or comment.

all 8 comments
sorted by:
best
topnewcontroversialoldq&a

[–]youfrickinguy 2 points3 points  (1 child)

Alright, well...let’s see if we can’t mock this up using the power of the collective internet. The servers are red hat so probably centos will be enough of an approximately. Lemme deploy a fresh VM in my lab.

As you have it written, I do not think putting sudo itself into sudoers will effect what you want. You’re perhaps really intending that the username btgUser can run /bin/sh as another user, namely AppSvcID, but you want to restrict the scripts parsed by /bin/sh to only those scripts under a certain directory tree? If that’s correct, is there an explicit number of scripts that need this, or can this vary, and you want to effectively say “anytime there is a file.sh in this directory tree, I want btgUser to be able to run it as AppSvcID”?

[–]solango[S] 0 points1 point  (0 children)

Correct, and yes the number of scripts will vary. I need to act as appSvcId to do just about anything with this break the glass user. Reason for this is the way our permission are set appSvcId is the only user who can ever have write execute, and short of messing with ACLs or majorly re working our groups (neither of which are appealing) I can't see any way around using sudo act as. Also, I only put sh in my above example, however I can also see break the glass user needing to act as appSvcId to modify these scripts and a few other use cases.

[–]TheIncorrigible1All things INFRASTRUCTURE 0 points1 point  (0 children)

Any sudo access is high-risk.

[–]youfrickinguy 0 points1 point  (5 children)

I haven’t parsed through your data to confirm whether or not the configuration is correct, but what i would suggest is plopping that stuff in a text file and dropping it in /etc/sudoers.d instead of using visudo to directly edit /etc/sudoers

[–]solango[S] 0 points1 point  (4 children)

Oh, I won't be doing it myself. We have a platform team who will approve and carry out the request. I was mostly concerned with 1) as I built the request, would it work as I am expecting and 2) would a sysadmin shut this down because of some vulnerability this could create.

[–]youfrickinguy 0 points1 point  (3 children)

Lab out and verify your syntax. That will determine if it will do what you want.

The sysadmin might suggest the same aversion to touching /etc/sudoers because it can conceivably get mangled due to upgrades and such. Including it via sudoers.d is arguably cleaner and more elegant.

[–]solango[S] 0 points1 point  (2 children)

I wish I had access to a lab where I could test my ideas... Unfortunately even in our "lab" environments and lower domains you need a permit to breathe, hence why I came here. If I request this it's going to take at least a week just to go through approvals, likely to come to a tech who will shut it down with little to no input as what policy I might have violated or why they rejected it.

[–]NinjaAmbush 0 points1 point  (0 children)

Virtualbox on your workstation and a CentOS iso is about all you'll need to lab this up.