Sunday, December 15, 2019

permissions - Editing /etc/sudoers to allow Winbind Group members to Only sudo to 1 Local User


I have multiple Ubuntu Linux hosts that need to connect to Active Directory for user management (unfortunately an actual LDAP server was not an option here...) and have configured Winbind to handle authentication, and my %sudoers group entry works fine:


## Allow AD members of the service group restricted user access to that account
%sudoers ALL=(ALL:ALL) NOPASSWD:ALL

I have allowed password authentication in the ssh config and have added the following entry to my sudoers file for the account:


%service ALL=(service:service) NOPASSWD:ALL

This doesn't even find the group even though the sudoers group and the service groups are at the same level in the directory tree on the AD server. When I do this:


%domain.local\\service ALL=(ALL:ALL) NOPASSWD:ALL

...members of the service group are able to log in and have full sudo rights, including root which is unacceptable, and already covered by the sudoers group and entry. Alternatively when I do this:


%domain.local\\service ALL=(service:service) NOPASSWD:ALL

...members are unable to sudo to any user. As for the service user, here is the /etc/passwd entry for the service user:


service:x:1001:16777230::/opt/service:/bin/bash

Per the Sudoers Man Page this last entry should probably work, but for some reason it doesn't. Also, the %service should also probably cover both local and AD provided membership but it doesn't seem to. When I create this user since there is already a group in the directory server named service here is how I am creating the service user account:


useradd -d /opt/service -g service service

Here is the output of sudo -l for a member of the group:


[user.test@server ~]$ sudo -l
Matching Defaults entries for user.test on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User user.test may run the following commands on this host:
(service : service) NOPASSWD: /opt/service

What am i missing here?



I found the solution. We needed to set the login shell and path to the sudoers entry for the service user's home like so:


%domain.local\\service ALL=(service) NOPASSWD:/bin/bash, /opt/service/*

Now we are able to enter the following to become the service user:


$ sudo -i -u service
$ whoami
service
$ pwd
/opt/service

No comments:

Post a Comment

11.10 - Can't boot from USB after installing Ubuntu

I bought a Samsung series 5 notebook and a very strange thing happened: I installed Ubuntu 11.10 from a usb pen drive but when I restarted (...