I have multiple Ubuntu Linux hosts that need to connect to Active Directory for user management (unfortunately an actual LDAP server was not an option here...) and have configured Winbind to handle authentication, and my %sudoers group entry works fine:
## Allow AD members of the service group restricted user access to that account
%sudoers ALL=(ALL:ALL) NOPASSWD:ALL
I have allowed password authentication in the ssh config and have added the following entry to my sudoers file for the account:
%service ALL=(service:service) NOPASSWD:ALL
This doesn't even find the group, even though the sudoers group and the service group are at the same level in the directory tree on the AD server. When I do this:
%domain.local\\service ALL=(ALL:ALL) NOPASSWD:ALL
...members of the service group are able to log in and have full sudo rights, including root, which is unacceptable and is already covered by the sudoers group and entry. Alternatively, when I do this:
%domain.local\\service ALL=(service:service) NOPASSWD:ALL
...members are unable to sudo to any user. As for the service user, here is the /etc/passwd entry for it:
service:x:1001:16777230::/opt/service:/bin/bash
Per the sudoers man page this last entry should probably work, but for some reason it doesn't. Also, %service should probably cover both local and AD-provided membership, but it doesn't seem to. Since there is already a group named service in the directory server, here is how I am creating the service user account:
useradd -d /opt/service -g service service
Here is the output of sudo -l for a member of the group:
[user.test@server ~]$ sudo -l
Matching Defaults entries for user.test on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User user.test may run the following commands on this host:
(service : service) NOPASSWD: /opt/service
What am I missing here?
I found the solution. We needed to add the login shell and the path to the service user's home to the sudoers entry, like so:
%domain.local\\service ALL=(service) NOPASSWD:/bin/bash, /opt/service/*
Now we are able to enter the following to become the service user:
$ sudo -i -u service
$ whoami
service
$ pwd
/opt/service
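To compare the entries above side by side, here is a small parser for sudoers User_Spec lines, added as an example and not part of the original post. It follows the sudoers(5) grammar for Runas_Spec, tags and wildcards (a "*" in a path does not match "/"), treats %group names as exact strings the way sudo compares the name it gets back from NSS/winbind, and assumes sudo's default runas_default of root; the test inputs are the four entries from the post.

```python
import re
from collections import namedtuple

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
# runas_users is ["root"] when no Runas_Spec is written (sudo's runas_default)
CmndSpec = namedtuple("CmndSpec", "runas_users runas_groups tags command")
UserSpec = namedtuple("UserSpec", "users hosts cmnds")  # "%name" users are groups

def _split_top(text):  # split on commas that sit outside a Runas "( ... )" list
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur); cur = ""
        else:
            cur += ch
    return [p.strip() for p in parts + [cur] if p.strip()]

def parse_user_spec(line):
    """Parse one 'User_List Host_List = Cmnd_Spec_List' line from sudoers."""
    lhs, _, rhs = line.strip().partition("=")
    users, hosts = lhs.rsplit(None, 1)
    users = [u.strip().replace("\\\\", "\\") for u in users.split(",")]  # unescape
    runas_u, runas_g, tags, cmnds = ["root"], [], set(), []
    for item in _split_top(rhs):
        m = re.match(r"\(([^:)]*)(?::([^)]*))?\)\s*", item)  # Runas_Spec
        if m:  # a Runas_Spec carries over to the commands that follow it
            runas_u = [x.strip() for x in m.group(1).split(",") if x.strip()]
            runas_g = [x.strip() for x in (m.group(2) or "").split(",") if x.strip()]
            item = item[m.end():]
        tags = set(tags)  # tags also carry over until overridden
        while item.split(":", 1)[0] in TAGS:
            tag, item = item.split(":", 1); tags.add(tag); item = item.strip()
        cmnds.append(CmndSpec(runas_u, runas_g, tags, item))
    return UserSpec(users, [h.strip() for h in hosts.split(",")], cmnds)

def grants_root(spec):
    """True if any command in the spec may be run as root (or as ALL users)."""
    return any(set(c.runas_users) & {"ALL", "root"} for c in spec.cmnds)

def allows(spec, groups, runas_user, path):
    """Could a member of `groups` run `path` as `runas_user` under this spec?"""
    if not any(u == "ALL" or (u[:1] == "%" and u[1:] in groups) for u in spec.users):
        return False
    for c in spec.cmnds:  # sudoers wildcards '*' and '?' never match '/' in a path
        rx = re.escape(c.command.split()[0]).replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
        if (c.command == "ALL" or re.fullmatch(rx, path)) and set(c.runas_users) & {runas_user, "ALL"}:
            return True
    return False
```

Feeding the fixed entry to allows() shows it confines group members to /bin/bash and files directly under /opt/service as the service user, while the (ALL:ALL) entry answers True for root.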