A bit more on sudo: Assigning selective privileges to executables



So I have a user on my box dedicated solely to running database dumps from our Oracle database. All they have to do is execute a specific command with specific parameters and attributes. The problem is that this particular executable can only be run by the owner of the database, in this case “oracle”. Obviously, for security reasons, I can’t give just anyone the right to execute the dump command, nor can I put the backup account into the oracle group. Giving the backup operator the right to execute the command directly would mean that the backup operator is allowed to use different parameters, which could potentially lead to trouble.

If you have a similar case, where you need to give a certain account the right to execute only certain commands or scripts, my example may be applicable.

So the first thing I need to do is put the dump command and its parameters into a single script, so that the backup operator only needs to execute that single script. For the purpose of this article, this is what they need to execute:

/backupscript/daily-dmp.sh

Next, make sure you know the password for “root”. Why? Because if you screw up the sudoers file, you can’t use sudo, and you’ll need to drop down to a root shell to repair the damage. For most Ubuntu users, the root password is not set out of the box. Also, back up the sudoers file before making any changes.

Edit the sudoers file by doing:

sudo visudo

This is what my sudoers file looks like:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification
User_Alias BKPOP = dmpuser

# Cmnd alias specification
Cmnd_Alias BKP = /backupscript/daily-dmp.sh

#Runas
Runas_Alias DB = oracle

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

BKPOP ALL=(DB)NOPASSWD:BKP

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Let’s go through the important lines, starting with the aliases. I used three alias sections for the purpose of this article. Notice that every alias name is written in capital letters; otherwise, it won’t work.

User alias:

User_Alias BKPOP = dmpuser

dmpuser is the operating system account used by the backup operator to log into the server. I’m giving it the alias “BKPOP”. Next,

Command alias:

Cmnd_Alias BKP = /backupscript/daily-dmp.sh

The BKP alias stores the path to the backup script that they need to execute to start the backup process. And the last is

Run as alias:

Runas_Alias DB = oracle

The backup script above contains a command that requires the oracle user’s rights, so we need to create an alias for that.

That completes the alias part. For the final part, let’s define the assignment:

BKPOP ALL=(DB)NOPASSWD:BKP

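The line above means that BKPOP, which points to “dmpuser”, is allowed to execute the command contained in the BKP alias as the user in the DB alias (“oracle”), on any (ALL) host, without having to supply any password.

To do their job, the backup operators must log into the server using the “dmpuser” account and execute the script as oracle. The rule only allows the DB run-as alias, so the target user has to be named with -u; without it, sudo tries to run the script as root, which this rule does not permit:

sudo -u oracle /backupscript/daily-dmp.sh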

Now, if I need to assign this right to more than one user, let’s say “bkpuser”, I can either add the second user to the user alias:

User_Alias BKPOP = dmpuser, bkpuser

or, instead of using an alias, I can create a group, let’s say “dmpgrp”, put both users inside this group, and change the assignment to:

%dmpgrp ALL=(DB)NOPASSWD:BKP

If these guys need to run other scripts, the command alias can be modified like this:

Cmnd_Alias BKP = /backupscript/daily-dmp.sh, /backupscript/monthly-dmp.sh

Easy peasy 🙂
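
The rule is only as restrictive as the script it names: if the operator account can edit /backupscript/daily-dmp.sh, or swap it out through a writable parent directory, the limit to one command as oracle no longer holds. The check below is an added example, not part of the original post; the function names are hypothetical, and it assumes GNU stat and that the script and its directories should be owned by root (UID 0).

```shell
#!/bin/sh
# Added example: audit the script a sudoers Cmnd_Alias points at.
# Assumes GNU stat (coreutils), as on Ubuntu.

# check_one PATH UID: fail unless PATH is owned by UID and is not
# writable by group or others.
check_one() {
    info=$(stat -c '%u %A' "$1") || return 2
    owner=${info%% *}
    mode=${info#* }
    if [ "$owner" != "$2" ]; then
        echo "FAIL: $1 owned by uid $owner, expected $2" >&2
        return 1
    fi
    case $mode in
        ?????w*|????????w*)
            echo "FAIL: $1 is group- or world-writable ($mode)" >&2
            return 1 ;;
    esac
}

# audit_sudo_script SCRIPT [UID] [TOP]: check SCRIPT and every parent
# directory up to TOP (default /). A writable directory lets the file
# be swapped out even when the file itself is read-only.
audit_sudo_script() {
    script=$1; trusted=${2:-0}; top=${3:-/}
    case $script in
        /*) ;;
        *) echo "FAIL: sudoers needs an absolute path: $script" >&2
           return 2 ;;
    esac
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "FAIL: $script is not a regular file" >&2
        return 2
    fi
    p=$script
    while :; do
        check_one "$p" "$trusted" || return 1
        case $p in "$top"|/) break ;; esac
        p=$(dirname -- "$p")
    done
    echo "OK: $script"
}

# Run as: sh audit.sh /backupscript/daily-dmp.sh
[ $# -eq 0 ] || audit_sudo_script "$@"
```

Run it as root after every change to the script or its directory; a non-zero exit status means the sudoers rule grants more than the single command it names.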
