Change Sudoers Remotely


I’ve been asked to give someone sudo rights across an entire environment without the benefit of something like puppet or chef or cfengine et al. What I’ve come up with so far is this:


ssh -t miaprbicsra04v sudo -S /bin/echo "rsherman ALL=\(ALL\) NOPASSWD:/sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers


Right now that’s just to one host, but I plan on substituting a list of hosts once I get farther along. Problem is, the output hangs on the tee command. Not sure why. Any suggestions?

Thanks, Tim

7 thoughts on - Change Sudoers Remotely

  • Tim Dunphy wrote:

    Bad admin. No coffee for you!

    First, I would have listed the above as

    Since doing what you did just told the world a username that they can try to break in with.

    Second, sudoers should ALWAYS be edited with visudo, and you might do a here script….

    mark

  • Assuming it’s internet facing.

    Hardly. If you’re using any type of provisioning system with a tested template this type of thing is trivial to do right.

    Tim, if you’re using C6 look into dropping a properly configured sudo config into /etc/sudoers.d instead of mucking with /etc/sudoers.conf.

    John
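    Putting Tim's question and John's /etc/sudoers.d suggestion together, here is an added example (mine, not code from anyone in this thread). Two things in the original one-liner are worth seeing in working form: the local shell applies `>> sudo` before ssh ever runs, so `tee` never executes on the remote side and `sudo -S` sits waiting for a password on stdin; and sudoers separates commands with commas, so `NOPASSWD:/sbin/service /bin/rm ...` grants /sbin/service with those paths as arguments rather than four commands. The script builds the rule correctly, checks it with `visudo -c` before it can take effect, installs it as a drop-in with mode 0440, and pushes the same drop-in to a list of hosts. It assumes the targets already have `#includedir /etc/sudoers.d` in /etc/sudoers (CentOS 6 default; see Keith's note on CentOS 5), key-based ssh, and a remote account that can run sudo without a password prompt; "rsherman" and the host names are placeholders.

```shell
#!/bin/sh
# Added example; not code from the thread. Builds a sudoers drop-in for one
# user, checks it with visudo -c, installs it with mode 0440, and pushes it
# to a list of hosts over ssh. Assumes "#includedir /etc/sudoers.d" is
# already present in /etc/sudoers on every target. The account name
# "rsherman" used below is a placeholder.

# Print one sudoers rule. Commands are joined with commas: in sudoers,
# "NOPASSWD: /sbin/service /bin/df" means /sbin/service run WITH THE
# ARGUMENT "/bin/df", not two separate commands.
build_rule() {
    user=$1
    shift
    cmds=$(printf '%s,' "$@")
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "${cmds%,}"
}

# Install the rule as $SUDOERS_D/50-<user> (SUDOERS_D defaults to
# /etc/sudoers.d; override it for testing). The file is written under a
# dotted temporary name, which sudo ignores, validated, then renamed into
# place, so a rule with a syntax error never becomes live.
install_dropin() {
    user=$1
    shift
    dir=${SUDOERS_D:-/etc/sudoers.d}
    target=$dir/50-$user
    tmp=$(mktemp "$dir/.50-$user.XXXXXX") || return 1
    build_rule "$user" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp"
    # visudo -c also checks owner and mode, so it is only meaningful as
    # root, which is the only context in which writing to /etc/sudoers.d
    # works anyway.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$tmp" >/dev/null; then
            rm -f "$tmp"
            return 2
        fi
    fi
    mv "$tmp" "$target"
}

# Roll the same rule out to every host named in $1 (one per line). The
# rule text travels on ssh's stdin and the remote side validates before
# installing. A sudo password prompt on the remote side would compete with
# the rule text for stdin, which is the kind of hang the original command
# ran into, so the remote account must be allowed to run sudo unprompted.
push_dropin() {
    hostfile=$1
    user=$2
    shift 2
    rule=$(build_rule "$user" "$@")
    status=0
    while read -r host; do
        [ -n "$host" ] || continue
        printf '%s\n' "$rule" | ssh "$host" "sudo sh -c '
            f=/etc/sudoers.d/50-$user; t=\$f.tmp
            cat > \$t && chmod 0440 \$t && visudo -cf \$t && mv \$t \$f ||
                { rm -f \$t; exit 1; }'" \
            || { echo "FAILED: $host" >&2; status=1; }
    done < "$hostfile"
    return $status
}

# Usage on the management host, after putting one hostname per line in
# ./hosts (note the commas between commands):
#   push_dropin ./hosts rsherman /sbin/service /bin/rm /usr/bin/du /bin/df
```

    Because the drop-in is a separate file, each host keeps whatever else is in its own /etc/sudoers untouched, which is what Tim wanted when he was unsure that all sudoers files across the environment were identical; removing the grant later is just deleting `/etc/sudoers.d/50-rsherman`.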

  • It’s NOT!! Luckily. :) Otherwise he’d be completely right.

    Thanks, that’d be my preference. Although it’s tough to tell if all sudoers across the environment should be exactly the same. Probably not, so I’m attempting to append the file. I’ve done the original edit in visudo. Not sure if that’s enough for me to be confident in the line I’m attempting to add, however.

    Tim

  • On 08.07.2013 at 23:02, m.roth@5-cent.us wrote:

    Also check ‘man sudoers’ for ‘Including other files from within sudoers’.

    Placing an add-on file without touching the dist files too much is my suggested best practice.

  • For CentOS 5 you will need an up-to-date sudo from yum or equivalent; earlier versions apparently do not have this functionality.

    –keith

  • You might want to have a look at ansible (www.ansibleworks.com) for orchestration/configuration tasks like this. Very simple to set up and requires nothing but SSH and python on the target host. Takes care of all the SSH and sudo user transitions for you. For your case it would be as simple as:

    yum install ansible
    echo target_host > hosts
    # lineinfile needs line= for the text to insert; the parentheses in regexp=
    # are escaped so they match literally instead of forming a regex group, and
    # validate= runs visudo on the candidate file before it replaces /etc/sudoers
    ansible target_host -i hosts -s -m lineinfile -a \
      'dest=/etc/sudoers regexp="^username ALL=\(ALL\) NOPASSWD:" line="username ALL=(ALL) NOPASSWD: /sbin/service,/bin/rm,/usr/bin/du,/bin/df" validate="visudo -cf %s"'

    replacing target_host and username as appropriate.

    You can even package that invocation in a playbook so you don’t have to remember all the details next time.

    Hope this helps.

    K

  • Another option is using LDAP, so you can specify who can do what in the LDAP tree.

    The IPA project (included in CentOS as ipa-server and ipa-client) fixes all this for you:

    https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

    https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html

    Having said this, the request to manage an environment without management tools is peculiar. You need to have a way to introduce changes in a safe, tested, repetitive way. Denying you the possibility of doing this is not best practice and you should point this out as a risk in your project.
