{{tag>Brouillon sudo }}
See:
* [[Pb sudo - Lenteur sudo]]
* ''man sudo_root''
See also:
* OpenDoas
* runuser / setpriv (util-linux)
* [[http://bencane.com/2012/02/26/sudoedit-securely-allow-users-to-edit-files/|sudoedit]]
* sudoreplay
* [[https://linuxfr.org/news/linux-capabilities-se-passer-des-commandes-su-et-sudo|Linux capabilities: doing without the su and sudo commands]]
* https://blog.guillaume-gomez.fr/Linux-tips/1/2
* sux (su X11)
* sudoers [[audit|Audit - list all users allow root privileges]]
* [[Notes sécurité PAM|PAM]]
* [[Ansible sudo su become_method]]
* [[Notes userhelper - usermode]]
* [[https://github.com/tianon/gosu|gosu, setpriv, su-exec]]
* userhelper
* ''systemd-run -t bash'' or ''systemd-run --shell''
* Why you should not use sudo inside a container: https://docsaid.org/en/blog/gosu-usage/
= sudo and sudoers notes
**sudo** does ''fork''+''exec'' instead of just ''exec''
visudo
jean ALL=(test) NOPASSWD: ALL
Usage
sudo -u test -s /bin/bash
echo 'ls /root/' | sudo -H -S -n bash
Test the sudoers rules
sudo -l
sudo -U username -l
sudo -U username -ll
env_keep: check which environment variables sudo preserves (run ''sudo -V'' as root to get the full list):
sudo sudo -V
== Sudoers example
Root access without a password for one user
# export EDITOR=vim
visudo -f /etc/sudoers.d/admin
jean ALL=(ALL) NOPASSWD: ALL
#
# Disable "ssh hostname sudo ...", because the password would be echoed in clear text.
# You have to run "ssh -t hostname sudo ..." instead.
#
Defaults requiretty
Host_Alias LOCAL_SERVER=servername
Cmnd_Alias CHK_MSG=/usr/local/bin/check_msg.sh
Defaults:nagios !requiretty
nagios LOCAL_SERVER=(ALL) NOPASSWD: CHK_MSG
operator ALL=(root) sudoedit /home/*/*/test.txt
user1 ALL = NOPASSWD: /bin/ln -s /dev/ttyACM[1-9] /dev/ttyS[1-9]
user1 ALL = NOPASSWD: /usr/bin/unlink /dev/ttyS[1-9]
Group commands into aliases
sudo visudo -f /etc/sudoers.d/networking
Cmnd_Alias CAPTURE = /usr/sbin/tcpdump
Cmnd_Alias SERVERS = /usr/sbin/apache2ctl, /usr/bin/htpasswd
Cmnd_Alias NETALL = CAPTURE, SERVERS
%netadmin ALL=NETALL
=== Ask for the root password instead of the user's
Defaults rootpw
=== Allow x password attempts
Defaults passwd_tries=4
=== Timeout
Defaults timestamp_timeout=x   # x in minutes; 0 always asks, -1 never expires
Defaults:peter timestamp_timeout=5
=== Logs
Defaults logfile=/var/log/sudo.log
=== Mails
#Defaults mail_always
Defaults mail_badpass
Defaults mailto=""
=== PATH
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
== sudoers examples
=== sudoedit example
# Caution: in command arguments a '*' also matches '/', so these patterns are
# broader than the files directly under /var/log (see sudoers(5) on wildcards);
# prefer explicit file names.
exploit ALL=(root) NOPASSWD: sudoedit /var/log/*log
exploit ALL=(root) NOPASSWD: sudoedit /var/log/*.log.1
exploit ALL=(root) NOPASSWD: sudoedit /var/log/*err
exploit ALL=(root) NOPASSWD: sudoedit /var/log/*.gz
export EDITOR=vim
sudoedit /var/log/message.log
sudo -e /var/log/message.log
=== Alias
Cmnd_Alias ADMIN=/usr/bin/atop, /usr/bin/qps
jean ALL= NOPASSWD: ADMIN
See [[https://www.youtube.com/watch?v=o0purspHg-o|Sudo: You're Doing it Wrong]]
Defaults insults
# Users Hosts = (Runas) Cmds
# %Group Hosts = (Runas) Cmds
%wheel ALL=(ALL) ALL
Defaults env_keep+="HOME SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
mwlucas dns1=ALL
mwlucas,pkdick dns1,dns2 = \
/sbin/service names,/sbin/service syslogd
mwlucas db1 = (oracle) ALL
mwlucas dns[1-4]=ALL
mwlucas ALL = /usr/local/sbin/*
mwlucas ALL=/opt/bin/program -[acQ]
# "" disallows any arguments
mwlucas ALL=/opt/bin/program ""
Cmnd_Alias BACKUP = /sbin/dump,/sbin/restore,/usr/bin/mt
mwlucas ALL=BACKUP
User_Alias ADMIN_USERS = sysops,admin,sysadm
User_Alias TAPEMONKEYS_USERS = mwlucas, jeanmm
Host_Alias WWW = web1,web2,web3
TAPEMONKEYS_USERS WWW=BACKUP
Runas_Alias DB_RUNAS = oracle, pqsql, mysql
# DB_HOSTS (Host_Alias) and DBA_USERS (User_Alias) are assumed to be defined above
fred DB_HOSTS = (DB_RUNAS) ALL
DBA_USERS DB_HOSTS = (DB_RUNAS) ALL
mwlucas ALL = NOEXEC: ALL
Defaults!ALL noexec   # option names are lowercase; the EXEC/NOEXEC tags below override it per command
Cmnd_Alias MAYEXEC = /bin/newaliases, /sbin/fdisk
mwlucas ALL = ALL, EXEC: MAYEXEC
mwlucas ALL = sudoedit /etc/rc.conf
identifiant ALL = (ALL) /chemin/complet/commande, NOPASSWD: /chemin/complet/autrecommande
Every command to the right of the NOPASSWD: keyword can be run without a password by the user or user group named at the start of the line. Those to its left still require password authentication.
User_Alias USER_T_PLOP_ALL=user1
USER_T_PLOP_ALL ALL = (jean) EXEC: NOPASSWD: ALL
#Runas_Alias=oracle, orainst, mysql, myinst
=== Checksum
Generate the digest with openssl:
openssl dgst -sha224 /usr/local/sbin/mycommand
SHA224(/usr/local/sbin/mycommand)= 52246fd78f692554c9f6be9c8ea001c9131c3426c27c88dbbad08365
Then in your sudoers file (everything on one line):
www-data ALL=(ALL) NOPASSWD: sha224:52246fd78f692554c9f6be9c8ea001c9131c3426c27c88dbbad08365 /usr/local/sbin/mycommand
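To show what the digest entry buys you, here is an added example (not part of the original notes, and not sudo's own code) that builds such an entry, parses it back, and re-checks the digest the way sudo does at run time; the script it pins is a constructed temporary file.

```python
import hashlib
import os
import re
import tempfile

def file_digest(path, algo="sha224"):
    """Hex digest of a file, the value `openssl dgst -sha224 FILE` prints."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def digest_entry(user, command, runas="ALL", nopasswd=True, algo="sha224"):
    """One-line sudoers entry pinning `command` to its current contents."""
    tag = "NOPASSWD: " if nopasswd else ""
    return f"{user} ALL=({runas}) {tag}{algo}:{file_digest(command, algo)} {command}"

# sudoers(5) accepts sha224/256/384/512 prefixes; only the 'ALL' host form is parsed here.
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+ALL=\((?P<runas>[^)]+)\)\s+(?P<tag>NOPASSWD:\s+)?"
    r"(?P<algo>sha(?:224|256|384|512)):(?P<hex>[0-9a-fA-F]+)\s+(?P<command>\S+)$")

def parse_digest_entry(line):
    """Split a digest entry into its fields."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("not a digest entry: " + line)
    return {"user": m["user"], "runas": m["runas"], "nopasswd": m["tag"] is not None,
            "algo": m["algo"], "hex": m["hex"].lower(), "command": m["command"]}

def verify_digest_entry(line):
    """What sudo does at run time: recompute the digest and refuse on mismatch."""
    e = parse_digest_entry(line)
    return file_digest(e["command"], e["algo"]) == e["hex"]

def demo():
    """Constructed scenario: pin a fake script, then modify it in place."""
    with tempfile.TemporaryDirectory() as d:
        cmd = os.path.join(d, "mycommand")
        with open(cmd, "w") as f:
            f.write("#!/bin/sh\necho checked\n")
        entry = digest_entry("www-data", cmd)
        before = verify_digest_entry(entry)
        with open(cmd, "a") as f:
            f.write("echo changed\n")  # contents differ: sudo would now reject it
        return before, verify_digest_entry(entry)
```

demo() returns (True, False): the entry matches the original script and stops matching once the file is modified, which is why the digest must be regenerated after every legitimate update of the command.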
== sudo examples
Get a shell
sudo -u jean -i
sudo -u jean -s
sudo -u jean -s /bin/bash
sudo su - jean
== PAM
Source: https://www.tecmint.com/switch-user-account-without-password/
Allow members of the postgres group to impersonate the postgres user
auth [success=ignore default=1] pam_succeed_if.so user = postgres
auth sufficient pam_succeed_if.so use_uid user ingroup postgres
In the above configuration, the first line checks whether the target user is postgres; if it is, the second line succeeds when the calling user belongs to the postgres group. Otherwise the ''default=1'' skips that line and the normal authentication steps are executed.
Equivalent to
%postgres ALL=NOPASSWD: /bin/su - postgres
== Other
=== Ansible - become
See:
* [[ansible_sudo_su_become_method|Ansible sudo su become_method become_flags]]
$ ansible-doc -t become ansible.builtin.sudo
...
become_flags
default: -H -S -n
...
== gosu, setpriv, su-exec, setuser (Python)
See:
* [[https://github.com/tianon/gosu|gosu, setpriv, su-exec]]
* [[https://github.com/phusion/baseimage-docker/blob/master/image/bin/setuser|setuser Python Script]]
In a container it must be invoked through ''exec''. Example:
exec gosu myAppUser /usr/local/bin/myApp --foo=bar
Examples:
* https://github.com/sudo-bmitch/jenkins-docker
gosu user-spec command [args]
gosu tianon bash
gosu nobody:root bash -c 'whoami && id'
gosu 1000:1 id
su-exec apache:1000 /usr/sbin/httpd -f /opt/www/httpd.conf
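A minimal Python re-implementation of what gosu, su-exec and setuser do, added here as an illustration (it is not the phusion setuser script nor gosu's code): resolve the user-spec, drop privileges in the right order, then exec the command without forking. The gid-equals-uid fallback for a numeric user with no passwd entry is an assumption of this example.

```python
import grp
import os
import pwd
import sys

def parse_user_spec(spec):
    """Resolve gosu's user-spec 'user[:group]': names through the passwd/group
    databases, bare numbers used literally. Returns (uid, gid, pw_name or None)."""
    user, _, group = spec.partition(":")
    try:
        pw = pwd.getpwnam(user)
        uid, gid, name = pw.pw_uid, pw.pw_gid, pw.pw_name
    except KeyError:
        if not user.isdigit():
            raise
        # Assumption of this example: an unknown numeric user gets gid == uid.
        uid, gid, name = int(user), int(user), None
    if group:
        try:
            gid = grp.getgrnam(group).gr_gid
        except KeyError:
            if not group.isdigit():
                raise
            gid = int(group)
    return uid, gid, name

def drop_privileges(uid, gid, name):
    """Order matters: supplementary groups and gid first, uid last, because
    once the uid is unprivileged the other two can no longer be changed."""
    if name is not None:
        os.initgroups(name, gid)   # supplementary groups from the group database
    else:
        os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)

def exec_as(spec, argv):
    """Replace this process instead of forking: the app keeps the PID (PID 1 in
    a container entrypoint) and receives signals directly, as with `exec gosu`."""
    uid, gid, name = parse_user_spec(spec)
    home = pwd.getpwuid(uid).pw_dir if name is not None else "/"
    drop_privileges(uid, gid, name)
    os.environ["HOME"] = home
    os.execvp(argv[0], argv)

if __name__ == "__main__":
    # usage (as root): setuser.py user-spec command [args...]
    exec_as(sys.argv[1], sys.argv[2:])
```

Unlike sudo, there is no policy check here: the caller is expected to already be root (the container entrypoint), and the whole point is that nothing setuid remains in the image afterwards.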