LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-02-2012, 08:32 AM   #1
mitchSmith
LQ Newbie
 
Registered: Jun 2011
Location: London
Posts: 4

Rep: Reputation: Disabled
Question Passwordless su


Hi,

I am attempting to modify the sudoers file to allow myAdminUser to be able to su to any user in a service group, without a password.

I require this to allow automated deployments.

I currently have:
Code:
myAdmin ALL = NOPASSWD:/usr/bin/su %serviceGroup
However this still requests a password when i try to su to any member of the group.

I have also tried individual mappings to the serviceUsers
Code:
myAdmin ALL = NOPASSWD:/usr/bin/su service1User
myAdmin ALL = NOPASSWD:/usr/bin/su service1User
Can anyone help me with this. I am trying to provide as little access as possible, which is why I wish to only allow passwordless su to the users in the group as these are all restricted to management of a single service

Thanks
Mitchell
 
Old 04-02-2012, 08:40 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
This is so so not a good way to do this. sudo and su are alternative mechanisms, and it's madness to combine the two.

instead of using su, have the administrator run "sudo -i -u service1User" and that will give them a proper login 100% within sudos control.
 
Old 04-02-2012, 09:12 AM   #3
mitchSmith
LQ Newbie
 
Registered: Jun 2011
Location: London
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks for your reply,

Would that work if the process executing the command is actually an automated process.

The myAdmin user is only an admin created for the automated deployment process, I do not wish to provide to much access. As this will ultimately be logged in by a process created via ssh from a central deployment host.

I wish to only grant enough privileges to perform some very basic service start/stop and deploy prebuilt war files in to a webApp at this point.
 
Old 04-02-2012, 09:13 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
so why do you want a login shell at all?

If this is from a deployment host, maybe you'd like to look at puppet instead? It's fricking ace.
 
Old 04-02-2012, 09:41 AM   #5
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,377

Rep: Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108
Look carefully at the PAM (Programmable Authentication Modules) facility.

You can do anything you need to do with that.

Also consider the possibility of using digital certificate based authentication to allow the owners of a particular cryptographic key (e.g. with ssh) to pass through portals easily that are nevertheless closed to the common mortal.
 
Old 04-02-2012, 09:42 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
what about PAM are you suggesting they look at?
 
  


Reply

Tags
passwordless, su, sudo, sudoers


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
passwordless alpine seaelf Linux - Software 4 11-02-2010 05:45 AM
Passwordless SSH cccc Linux - Networking 9 12-27-2009 07:04 AM
passwordless su radu124 Linux - General 7 05-06-2009 11:14 AM
passwordless authentication sherimm Linux - Software 17 12-10-2008 11:27 PM
Can't use passwordless ssh sunhui Linux - Security 1 10-03-2006 08:29 PM


All times are GMT -5. The time now is 09:11 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration