On Thu, 20 Apr 2006 11:17 am, Simon Wong wrote:
> On Thu, 2006-04-20 at 10:46 +1000, James Gray wrote:
> > Add "user" to the "sudo" group on "host" and you won't be prompted for the
> > user's password anymore (at least that's how it works on Ubuntu and
> > RHEL).
>
> yeah, I was scared of doing that for the reason of giving blanket root
> sudo powers.
Just because a user can "sudo" doesn't mean they can "sudo <anything>". You
*can* restrict users to only being able to sudo a very specific set of
commands and then even restrict further to options passed to those commands.
The "updater" user should probably only be able to "apt-get update" and
"apt-get -y upgrade". If you want to do a full dist-upgrade or remove/purge
packages, that's probably best done manually so don't allow "updater" to run
apt-get with "remove". "man sudo" and "man 5 sudoers" are your friends here.
> > Alternatively, login and run the commands interactively (but given you're
> > running commands directly from ssh, I'm assuming this is actually a
> > script?).
>
> yep, trying to script it :-)
Bummer - not really an option then.
> > If you go with the sudo group idea, you may want to set up a special user
> > ("updater" or something) that can only run specific commands like
> > "apt-get" with sudo and even then, restrict the options that can be
> > passed as well.
>
> Good idea, that sounds like the way to go but I expect that means
> setting up an SSH key with the specific command so that the "updater"
> user can login via SSH and do only that one thing. I want SSH logins
> restricted to a specified list via "AllowUsers" after a recent
> experience.
So use key-based login for the "updater" user. That way, even if someone
knows the existence of the "updater" user it won't be of any use to them
without the private key from the machine(s) YOU are using. I don't allow any
password-based login for my publicly accessible SSH machines. That way I can
not only restrict what users can log in but also WHERE they log in from (i.e.,
the machine that has the private key) without resorting to high-maintenance
IP address lists, iptables etc.
Double up the security: restrict allowed users AND use key-based auth. :)
HTH,
James
--
Age and treachery will always overcome youth and skill.
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
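
The setup discussed in this message (a restricted "updater" account, sudo limited to two apt-get invocations, key-only SSH with a forced command, and AllowUsers), sketched as an added example that is not part of the original post. The script name and path, the key placeholder and the /usr/bin/apt-get location are assumptions.

```shell
#!/bin/sh
# updater-gate: forced command for the "updater" SSH key (added example).
# Assumed install path /usr/local/bin/updater-gate; key below is a placeholder.
#
# ~updater/.ssh/authorized_keys (one line):
#   command="/usr/local/bin/updater-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> admin@workstation
#
# /etc/sudoers.d/updater (edit with "visudo -f"); sudo requires the
# arguments to match these entries exactly, so "apt-get remove" is refused:
#   updater ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get -y upgrade
#
# /etc/ssh/sshd_config (list any other accounts that need SSH as well):
#   AllowUsers updater
#   PasswordAuthentication no

# Map the client's request to a fixed command line. The request is only
# compared against literal strings and is never evaluated or passed on.
resolve_request() {
    case "$1" in
        "apt-get update")
            echo "sudo -n /usr/bin/apt-get update" ;;
        "apt-get -y upgrade")
            echo "sudo -n /usr/bin/apt-get -y upgrade" ;;
        *)
            return 1 ;;
    esac
}

# sshd places the command the client asked for in SSH_ORIGINAL_COMMAND.
# With no request (an interactive login attempt) the script simply ends,
# so the key never yields a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(resolve_request "$SSH_ORIGINAL_COMMAND"); then
        # $cmd is one of the constants above, so word splitting is safe.
        exec $cmd
    fi
    echo "updater-gate: request refused" >&2
    exit 1
fi
```

From the admin machine the script then runs, for example, ssh updater@host "apt-get update"; any other request string is refused before sudo is reached.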
