20090401 stupid sudo tricks - plembo/onemoretech GitHub Wiki

title: stupid sudo tricks
link: https://onemoretech.wordpress.com/2009/04/01/stupid-sudo-tricks/
author: lembobro
description:
post_id: 346
created: 2009/04/01 20:29:18
created_gmt: 2009/04/01 20:29:18
comment_status: open
post_name: stupid-sudo-tricks
status: publish
post_type: post

stupid sudo tricks

I love sudo. I really do. Anyone whose directory environment is on Unix and who doesn’t have root should learn it, love it and use it. Big Time.

Basically what sudo does is allow authorized users to invoke specified commands as root (or as another designated user), according to the rules in the sudoers file, with every invocation logged.

Because most directory servers listen on port 389 (LDAP), the usual Unix rule that only root can bind ports below 1024 will prevent an admin who lacks root from starting or stopping the directory server they’re responsible for. As a result anyone who needs to recycle the slapd daemon is going to need root privileges to do it.

Note: There are other ways around this particular limitation. The most common is making the directory server executables setuid root, but I don’t recommend it: a setuid root binary runs with full root privilege for anyone who can execute it, with none of the per-user authorization or logging that sudo gives you (this is the way I think Oracle invokes the oidldapd daemon).

Here’s my recipe for a sudoers file that might actually work for you, providing what a typical directory admin would need to do their daily work. Consult with your sysadmins for any changes that might suit your local circumstances. Always install it with visudo (or check a candidate file with visudo -c -f), which refuses to save a file with a syntax error; a broken sudoers file locks everyone out of sudo.

```
# sudoers file.
# See the sudoers man page for the details on how to write a sudoers file.
# Host alias specification
Host_Alias      LDSRV = localhost,dirserv01,dirserv02,dirserv03,dirserv04
# User alias specification
User_Alias      LDADM = %diradmin,eldapo,eldapino
# Cmnd alias specification
Cmnd_Alias      DSROOT = /opt/sun/ds52/
Cmnd_Alias      DSINIT = /etc/init.d/nsslapd
# A trailing backslash continues an alias onto the next line
Cmnd_Alias      SYSUTIL = /bin/ls,/bin/grep,/bin/cat,/usr/bin/head,\
                /usr/bin/tail,/bin/more
Cmnd_Alias      KILL = /bin/kill

# User privilege specification
root            ALL=(ALL) ALL
eldapo          ALL=(ALL) ALL
LDADM           LDSRV = DSROOT,DSINIT,SYSUTIL,KILL
```

Oh, you want to know what this does? First of all, I can’t emphasize enough how beneficial a thorough reading of the documentation for this utility is, particularly the sudoers manual (sudoers(5)).

The file is structured into 2 basic sections: Aliases (hosts, users, commands) and User Specifications (privilege assignment).

Host_Alias defines a named list of hosts. This is especially helpful if you want to deploy a standard sudoers file throughout your enterprise. By defining a different Host_Alias for each category of system (web servers, app servers, db servers, etc), you can get more granular in the assignment of rights according to a “least privilege needed” model. Keep in mind that sudo matches these names against the machine’s own hostname (or its fully qualified name, if the fqdn option is set), so an entry only takes effect on a host whose name is actually listed.

User_Alias can be helpful in defining virtual “groups”, whether tied to real system groups or made up ad hoc by listing system user names. In this example “%diradmin” is an actual system group that all directory administrators are supposed to belong to.

Cmnd_Alias is where you group together the commands the user will need to do their job. You can also specify a filesystem directory path (with a trailing slash), which allows anyone with that Cmnd_Alias to invoke any executable in that directory as root; files in subdirectories are not included. For example, if your slapd daemon executable is in the directory specified, your admins can start and stop it notwithstanding the below-1024 port restriction noted above. Be aware that a directory entry also grants root for whatever lands in that directory later, so the directory and its contents must be writable by root only. When specifying executables individually be sure to include the full path. These paths will differ depending on your platform O/S. For example, on Linux the ls command is under /bin while on Solaris it is in /usr/bin.

The User Specification (privilege assignment) section basically matches up system user names, groups or host and user aliases with the command aliases defined. The pattern is “User Host=(As User) Command”.

So “eldapo ALL=(ALL) ALL” means that system user eldapo can, on any host, act as any user to execute any command. Basically eldapo is, for all intents and purposes, root on all boxes that have this sudoers file. Exactly how he likes it. Of course I do not recommend you give eldapo root access to any of your servers. In most cases this kind of assignment is probably a really bad idea that your security people would shoot down immediately if they knew it was there (a good reason never to give root access to security if you can get away with it).

Further down the line “LDADM LDSRV = DSROOT,DSINIT,SYSUTIL,KILL” means that anyone defined in the LDADM user alias (in this example all members of the system diradmin group plus the eldapo and eldapino system users) on the hosts listed in LDSRV can run the commands defined in DSROOT, DSINIT, SYSUTIL and KILL as root (when no “(As User)” part is given, sudo uses its runas_default, which is root; listing eldapo here adds nothing, since the line above already gives him everything). Note that if you employ consultants or others who you’re not comfortable giving unrestricted kill rights over all processes, you might want to remove the KILL alias from your user spec here. The SYSUTIL alias deserves the same scrutiny: cat, head, tail and grep run as root will read /etc/shadow or any other file on the box, and more (like most pagers) lets the user run a shell command with “!” at its prompt, which makes it a root shell in all but name.
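To make the matching rules concrete, here is a small Python model of how sudo evaluates a file like this one. It is an added illustration written for this page, not sudo’s own code and not something from the original post. It parses the alias and user-spec lines shown above (copied, with the SYSUTIL continuation written the way sudoers requires), expands aliases, and answers whether a given user on a given host may run a given command as root. It deliberately leaves out parts of the real grammar (negation with “!”, Defaults, command arguments, wildcards, Runas_Alias) and compares host names literally where sudo uses the machine’s own hostname; those are simplifications of this model, not sudo behaviour.

```python
"""Tiny sudoers policy evaluator (added example, not code from the original post).

Handles the three alias kinds plus plain user specs of the form
    User_List Host_List = [(Runas_List)] Cmnd_List
Assumed simplifications: no '!' negation, Defaults, command arguments,
wildcards or Runas_Alias; host names compare literally, whereas sudo compares
against the machine's own hostname or FQDN.
"""
import os
from dataclasses import dataclass, field


@dataclass
class Policy:
    hosts: dict = field(default_factory=dict)  # Host_Alias name -> [host, ...]
    users: dict = field(default_factory=dict)  # User_Alias name -> [user | %group, ...]
    cmnds: dict = field(default_factory=dict)  # Cmnd_Alias name -> [path, ...]
    specs: list = field(default_factory=list)  # (user_list, host_list, runas_list, cmnd_list)


def _logical_lines(text):
    """Yield non-comment, non-blank lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line and not line.startswith("#"):
            yield line


def _csv(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_sudoers(text):
    pol = Policy()
    tables = {"Host_Alias": pol.hosts, "User_Alias": pol.users, "Cmnd_Alias": pol.cmnds}
    for line in _logical_lines(text):
        kind = line.split(None, 1)[0]
        if kind in tables:                      # alias definition: Kind NAME = a,b,c
            name, _, rhs = line[len(kind):].partition("=")
            tables[kind][name.strip()] = _csv(rhs)
            continue
        lhs, _, rhs = line.partition("=")       # user spec: users hosts = (runas) cmds
        user_list, host_list = lhs.split(None, 1)
        rhs, runas = rhs.strip(), ["root"]      # no "(...)" means sudo's runas_default
        if rhs.startswith("("):
            inner, _, rhs = rhs[1:].partition(")")
            runas = _csv(inner)
        pol.specs.append((_csv(user_list), _csv(host_list), runas, _csv(rhs)))
    return pol


def _match(pol, kind, item, value, groups=()):
    """Does one list entry match `value`? kind is 'users', 'hosts' or 'cmnds'."""
    table = getattr(pol, kind)
    if item == "ALL":
        return True
    if item in table:                           # alias name: expand recursively
        return any(_match(pol, kind, i, value, groups) for i in table[item])
    if kind == "users" and item.startswith("%"):  # %name is a system group
        return item[1:] in groups
    if kind == "cmnds" and item.endswith("/"):  # directory entry: direct children only
        return os.path.dirname(value) + "/" == item
    return item == value


def allowed(pol, user, groups, host, cmd, runas="root"):
    """True if any user spec lets `user` (member of `groups`) run `cmd` on `host` as `runas`."""
    return any(
        any(_match(pol, "users", u, user, groups) for u in users)
        and any(_match(pol, "hosts", h, host) for h in hosts)
        and any(r in ("ALL", runas) for r in runas_list)
        and any(_match(pol, "cmnds", c, cmd) for c in cmnds)
        for users, hosts, runas_list, cmnds in pol.specs)


# The post's sudoers file (constructed copy; SYSUTIL is continued with a
# trailing backslash, which is what sudoers requires for a multi-line alias).
SUDOERS = """\
Host_Alias      LDSRV = localhost,dirserv01,dirserv02,dirserv03,dirserv04
User_Alias      LDADM = %diradmin,eldapo,eldapino
Cmnd_Alias      DSROOT = /opt/sun/ds52/
Cmnd_Alias      DSINIT = /etc/init.d/nsslapd
Cmnd_Alias      SYSUTIL = /bin/ls,/bin/grep,/bin/cat,/usr/bin/head,\\
                /usr/bin/tail,/bin/more
Cmnd_Alias      KILL = /bin/kill
root            ALL=(ALL) ALL
eldapo          ALL=(ALL) ALL
LDADM           LDSRV = DSROOT,DSINIT,SYSUTIL,KILL
"""

if __name__ == "__main__":
    pol = parse_sudoers(SUDOERS)
    print(allowed(pol, "eldapino", set(), "dirserv01", "/opt/sun/ds52/bin/slapd"))  # False: subdirectory
```

Running it shows the points made above: eldapino may run /etc/init.d/nsslapd on dirserv01 but not on a host outside LDSRV, the DSROOT directory entry covers /opt/sun/ds52/start-slapd but not /opt/sun/ds52/bin/slapd, a member of the diradmin group gets the same rights through the %diradmin entry, and only eldapo (via his ALL=(ALL) ALL line) can run a shell or act as a user other than root.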

There are almost unlimited variations on the above. For example, you could include a shell in a command alias (e.g. Cmnd_Alias ROOTSH = /usr/bin/bash), allowing anyone associated with it to shell to root, which is no different in effect from giving them ALL (not that I recommend this).

Copyright 2004-2019 Phil Lembo