I’ve recently run into deployment scenarios where I need to have an
unprivileged user account execute something privileged like restarting nginx.
Sure, I could just do things with the root account, but most of my deployments
are done via SSH commands and I don’t allow root logins directly on my servers.
I went ahead and skipped Google this time and just went straight to the man
page for “sudoers” and was able to get some answers.
How to edit sudoers
The preferred way to edit the sudoers file is by way of visudo. The command
does require sudo or to be run directly from a superuser account. You could
simply run vim /etc/sudoers as well but this does not provide the locking
mechanism that visudo does to safeguard against simultaneous edits. The
following examples are edits that need to be made inside /etc/sudoers.
Now that we know how to edit the sudoers file, let’s take a look at a few
different ways to go about configuring it. Keep in mind that the first couple
of setups are simply for documentation purposes and I don’t recommend using
them at all.
If you only allow logging in with a key and that key is compromised, the
attacker would then have full access to the server if you had passwordless
sudo enabled for that user. Keeping passwords enabled means the attacker
would need to get through both layers of security. Add in IP allow listing and
you have another layer as well. Shit happens, just ask Sony 😉
All users in a group
This particular setup is the least secure in my opinion as it allows any users
that have sudo access to do so without ever entering their password. The
following example would grant anyone in the “sudo” group passwordless access:
%sudo ALL=(ALL) NOPASSWD:ALL
In most scenarios all of the users with sudo access would be in the “sudo”
group, which makes this configuration apply to all users with sudo.
Individual user
Also not recommended but it at least limits the liability a bit by isolating
sudo without password to a single user:
username ALL=(ALL) NOPASSWD:ALL
Specific command
This would be what I consider the most ideal setup, allowing a specific user to
have passwordless sudo access for a specific command. Most likely access to
the command is somewhat trivial, like a script to restart a particular service.
For me, the service in question is nginx and I added the following line to
my sudoers file:
username ALL=NOPASSWD: /etc/init.d/nginx
Now the specified user account can run /etc/init.d/nginx reload without a
password! In a perfect world I would lock down sudo access to the reload
argument and no other arguments like start or stop but when trying to
specify additional arguments I would get an error in my sudoers file. Since I
wasn’t overly concerned with that level of access I didn’t bother to pursue it.
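To check an existing sudoers file for the three patterns above, here is a small audit sketch. It is an added example, not part of the original post; the function name and finding labels are made up for illustration, and the last sample line is a constructed entry that pins the reload argument, which the sudoers grammar permits after a command path.

```python
import re

# One-line user specs only: "who HOSTS=(RUNAS) TAG: cmd, cmd".
# Aliases, Defaults and line continuations are out of scope here.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit_line(line):
    """Return findings for one sudoers line; an empty list means not flagged."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return []
    m = SPEC.match(line)
    if not m:
        return []
    findings, nopasswd = [], False
    for cmd in (c.strip() for c in m.group("cmds").split(",")):
        # Tags prefix a command and carry over to the commands after it.
        tag = TAG.match(cmd)
        while tag:
            if tag.group(1) in ("NOPASSWD", "PASSWD"):
                nopasswd = tag.group(1) == "NOPASSWD"
            cmd = cmd[tag.end():]
            tag = TAG.match(cmd)
        if not nopasswd:
            continue
        if cmd == "ALL":
            findings.append("passwordless-all")
        elif len(cmd.split()) == 1:
            # A bare path lets the user pass any arguments to it.
            findings.append("passwordless-any-args:" + cmd)
    if findings and m.group("who").startswith("%"):
        findings.insert(0, "group-wide")
    return findings


# The three entries from the post, plus one constructed entry with a pinned argument.
SAMPLE = [
    "%sudo ALL=(ALL) NOPASSWD:ALL",
    "username ALL=(ALL) NOPASSWD:ALL",
    "username ALL=NOPASSWD: /etc/init.d/nginx",
    "username ALL=NOPASSWD: /etc/init.d/nginx reload",  # constructed
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", audit_line(entry) or "ok")
```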
One more tip with all of this, don’t ever give sudo access to a user that
doesn’t have to enter a password (or use a key) to log in. In fact, don’t ever
have users like that on your boxes and lock down sshd to disallow accounts
like that from ever logging in remotely. I’ll save locking down SSH for another
post 😉
Happy Holidays!