How to prevent giving sudo access to developers?
I have a group of dev team members that keep asking me to be added to the sudo users.
I do not want to do it because it is far more than they need. They all belong to a (tomcat) group and can do all they need, but when they need to start the application their script is calling sudo and the tomcat user: sudo -u tomcat /and the rest of the path to start it. So when they execute the command they are prompted for a user's password, as that user is not in the sudo users group. The access list does not resolve the issue in this case I suppose. Could you advise what would be the best way to avoid it? |
Not sure if I get this correctly, but if your devs "don't listen", you could just override sudo by editing their PATH and replacing sudo with a command that simply discards all arguments and does nothing but execute the actual command.
|
If you cared to peruse the sudoers man page, you would have learned that sudo is not a 'gimme root' but a fully granular control tool that lets one specify which user may run which command with which credentials.
|
Quote:
I would recommend Michael W Lucas' book, sudo Mastery, to take a deep dive into the capabilities of sudo as a tool for providing granular access. While the book is on order from your college library or via your local bookstore you can hunt down the video of his talk, "sudo: You're Doing It Wrong", to get a rather quick overview of the tool. Then keep checking the manual page, using the command "man sudoers", as you go through the book. It is one of the more daunting manual pages out there, but is the ultimate reference (besides the source code) as to what the utility can do for you. |
I don't understand the requirement.
Perhaps you can give some invocation examples: what is allowed/denied for whom? And list what you have already:
Code:
grep -s "^[^#]" /etc/sudoers /etc/sudoers.d/*
Allow the members of a group to run certain commands as root without a password:
Code:
%tomcat ALL = (root) NOPASSWD: /path/to/cmd1, /path/to/cmd2
Code:
User_Alias NOWEB = ALL, !%tomcat
Code:
NOWEB ALL = (ALL) ALL
|
In other words: with sudo you can allow only the start/stop script (or any other script) to run, nothing else. You just need to take care of that script (so nobody should be able to modify it).
|
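Putting the two previous posts together, here is an added example (my own, not from anyone in this thread) of a sudoers drop-in that lets an assumed "developers" group run only the Tomcat start/stop script, as the tomcat user rather than root and without a password, plus a check that the script itself is not writable by them. The group name, the drop-in file name and the /opt/tomcat/bin/catalina.sh path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates and installs a sudoers
# drop-in that lets members of an assumed "developers" group run one Tomcat
# control script as the "tomcat" user only, with no password and no root.
set -eu

# Assumed path of the control script; override via the environment.
TOMCAT_SCRIPT="${TOMCAT_SCRIPT:-/opt/tomcat/bin/catalina.sh}"

# Print the rule. Runas is pinned to (tomcat) and the command is an absolute
# path with fixed arguments, so "sudo -u tomcat ... start" works but
# "sudo -i" or "sudo -u tomcat /bin/sh" are refused.
sudoers_rule() {
    cat <<EOF
# Developers may start/stop Tomcat as the tomcat user, nothing else.
Cmnd_Alias TOMCAT_CTL = $TOMCAT_SCRIPT start, $TOMCAT_SCRIPT stop
%developers ALL = (tomcat) NOPASSWD: TOMCAT_CTL
EOF
}

# Write the rule into a sudoers.d directory. Defaults to a scratch directory
# so the example runs unprivileged; pass /etc/sudoers.d as root for real use.
install_rule() {
    dir="${1:-$(mktemp -d)}"
    # sudoers skips drop-ins whose name contains '.' or ends in '~', and it
    # refuses the file unless it is mode 0440 and owned by root.
    file="$dir/tomcat-developers"
    ( umask 0337; sudoers_rule > "$file" )
    chmod 0440 "$file"
    # Syntax-check without installing. visudo -c also verifies owner and
    # mode, which only hold when we are root, so skip the check otherwise.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cqf "$file"
    fi
    printf '%s\n' "$file"
}

# The grant is only as strong as the script sudo will run: succeeds when the
# file is owned by root and is neither group- nor world-writable.
script_is_locked_down() {
    [ -n "$(find "$1" -maxdepth 0 -user root ! -perm /022 2>/dev/null)" ]
}
```

Run it as root with `install_rule /etc/sudoers.d` and then `script_is_locked_down "$TOMCAT_SCRIPT"`; if the second check fails, fix the script's owner and mode before handing out the rule.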
Quote:
https://help.ubuntu.com/community/RootSudo |