sudo does fork+exec instead of just exec

visudo

jean ALL=(test) NOPASSWD: ALL

Utilisation

sudo -u test -s /bin/bash
echo 'ls /root/' |sudo -H -S -n bash

Test sudoers

sudo -l
sudo -U username -l
sudo -U username -ll

env_keep : Check environment variables sudo preserved :

sudo sudo -V

Accès root sans mdp pour un utilisateur

# export EDITOR=vim
visudo -f /etc/sudoers.d/admin

/etc/sudoers.d/admin

jean        ALL=(ALL)       NOPASSWD: ALL

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty
Host_Alias LOCAL_SERVER=servername
Cmnd_Alias CHK_MSG=/usr/local/bin/check_msg.sh
Defaults:nagios !requiretty
nagios LOCAL_SERVER=(ALL) NOPASSWD: CHK_MSG

operator ALL=(root) sudoedit /home/*/*/test.txt

user1     ALL = NOPASSWD: /bin/ln -s /dev/ttyACM[1-9] /dev/ttyS[1-9]
user1     ALL = NOPASSWD: /usr/bin/unlink /dev/ttyS[1-9]

Faire des groupes

sudo visudo -f /etc/sudoers.d/networking

Cmnd_Alias     CAPTURE = /usr/sbin/tcpdump
Cmnd_Alias     SERVERS = /usr/sbin/apache2ctl, /usr/bin/htpasswd
Cmnd_Alias     NETALL = CAPTURE, SERVERS
%netadmin ALL=NETALL

Defaults rootpwc

Defaults passwd_tries=4

Defaults timestamp_timeout=x

Defaults:peter timestamp_timeout=5

Defaults logfile=/var/log/sudo.log

#Defaults    mail_always
Defaults    mail_badpass
Defaults    mailto="<email@example.com>"

/etc/sudoers

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

/etc/sudoers.d/sudoedit

exploit    ALL=(root) NOPASSWD: sudoedit /var/log/*log
exploit    ALL=(root) NOPASSWD: sudoedit /var/log/*.log.1
exploit    ALL=(root) NOPASSWD: sudoedit /var/log/*err
exploit    ALL=(root) NOPASSWD: sudoedit /var/log/*.gz

export EDITOR=vim
sudoedit /var/log/message.log
sudo -e /var/log/message.log

Cmnd_Alias ADMIN=/usr/bin/atop, /usr/bin/qps
jean ALL= NOPASSWD: ADMIN

Voir Sudo: You're Doing it Wrong

Defaults insults

# Users  Hosts = (Runas) Cmds
# %Group Hosts = (Runas) Cmds

%wheel ALL=(ALL) ALL

Defaults env_keep+="HOME SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"

mwlucas dns1=ALL
mwlucas,pkdick dns1,dns2 = \
	/sbin/service names,/sbin/service syslogd


mwlucas db1 = (oracle) ALL
mwlucas dns[1-4]=ALL
mwlucas ALL = /usr/local/sbin/*

mwlucas ALL=/opt/bin/program -[acQ]

# "" disallow arguments
mwlucas ALL=/opt/bin/program ""

Cmnd_Alias BACKUP = /sbin/dump,/sbin/restore,/usr/bin/mt
mwlucas ALL=BACKUP

User_Alias ADMIN_USERS = sysops,admin,sysadm

User_Alias TAPEMONKEYS_USERS = mwlucas, jeanmm
Host_Alias WWW = web1,web2,web3
TAPEMONKEYS_USERS WWW=BACKUP

Runas_Alias DB_RUNAS = oracle, pqsql, mysql
fred DB_HOSTS = (DB_RUNAS) ALL

DBA_USERS DB_HOSTS = (DB_RUNAS) ALL

mwlucas ALL = NOEXEC: ALL


Defaults!ALL NOEXEC
Cmnd_Alias MAYEXEC = /bin/newaliases, /sbin/fdisk
mwlucas ALL = ALL, EXEC: MAYEXEC

mwlucas ALL = sudoedit /etc/rc.conf

identifiant	ALL = (ALL) /chemin/complet/commande, NOPASSWD: /chemin/complet/autrecommande

Toutes les commandes situées à la droite du mot-clé NOPASSWD: peuvent être exécutées par l'utilisateur ou le groupe d'utilisateurs précisé en début d'instruction. Celles restées à sa gauche sont toujours soumises à l'authentification par mot de passe.

User_Alias USER_T_PLOP_ALL=user1
USER_T_PLOP_ALL= (jean) EXEC: NOPASSWD: ALL

#Runas_Alias=oracle, orainst, mysql, myinst

Using openssl, to generate the checksum:

openssl dgst -sha224 /usr/local/sbin/mycommand

SHA224(/usr/local/sbin/mycommand)= 52246fd78f692554c9f6be9c8ea001c9131c3426c27c88dbbad08365 

Then in your sudoers file (on the same line):

 www-data ALL=(ALL) NOPASSWD: 
    sha224:52246fd78f692554c9f6be9c8ea001c9131c3426c27c88dbbad08365
    /usr/local/sbin/mycommand

Get shell

sudo -u jean -i
sudo -u jean -s
sudo -u jean -s /bin/bash
sudo su - jean

Source : https://www.tecmint.com/switch-user-account-without-password/

Permette aux membres du groupe postgres d'impersonifier l'utilisateur postgres

/etc/pam.d/su

auth       [success=ignore default=1] pam_succeed_if.so user = postgres
auth       sufficient   pam_succeed_if.so use_uid user ingroup postgres

In the above configuration, the first line checks if the target user is postgres, if it is, the service checks the current user, otherwise, the default=1 line is skipped and the normal authentication steps are executed.

Équivalent à

%postgres ALL=NOPASSWD: /bin/su – postgres

Voir :

• Ansible sudo su become_method become_flags

$ ansible-doc -t become ansible.builtin.sudo
...
become_flags
default: -H -S -n
...

Voir :

• gosu, setpriv, su-exec
• setuser Python Script

Dans un container doit être appelé exec exec. Exemple :

exec gosu myAppUser /usr/local/bin/myApp --foo=bar

Exemples :

• https://github.com/sudo-bmitch/jenkins-docker

gosu user-spec command [args]
gosu tianon bash
gosu nobody:root bash -c 'whoami && id'
gosu 1000:1 id

su-exec apache:1000 /usr/sbin/httpd -f /opt/www/httpd.conf