You are not logged in.

#1 2017-07-21 14:15:37

Redgard
Member
From: Canada, Toronto
Registered: 2017-07-20
Posts: 19
Website

Server | configurate sudo

Hello,


I've just installed the "package" (?) sudo, and i would like to know how to properly configurate it? do you have any tips?
What should I avoid to do?

In the wiki page dedicated to sudo, category "entries", where should I enter the line

%wheel      ALL=(ALL) ALL

In the configuration file of sudo (visudo)?


thanks for your help,
Red'

Offline

#2 2017-07-21 14:54:35

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: Server | configurate sudo

Have you checked? There should be two commented lines like this somewhere in the lower half of the file:

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

Last edited by ayekat (2017-07-21 14:55:01)


pkgshackscfgblag

Offline

#3 2017-07-21 15:20:48

Redgard
Member
From: Canada, Toronto
Registered: 2017-07-20
Posts: 19
Website

Re: Server | configurate sudo

ok. Is it possible to change the name of the group?

Offline

#4 2017-07-21 15:24:02

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: Server | configurate sudo

do. not. allow. general. sudo. to. anyone. and. notably. not. groups.

There should probably be no sudo on a server at all, what are you trying to do?

Offline

#5 2017-07-21 15:35:24

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: Server | configurate sudo

If you want to give another group than `wheel` permission to run sudo, you could also add a line for that group to the sudoers file.

Otherwise, if you really want to rename the "traditional" `wheel` group to something else, you will need to modify /etc/sysusers.d/basic.conf (as `wheel` is created by systemd-sysusers). But I'm left wondering why you would want to do that...

seth wrote:

do. not. allow. general. sudo. to. anyone. and. notably. not. groups.

Well, the `wheel` group is pretty much there for exactly that.
More generally, I use groups (among other things) to manage access to different resources for different users. I don't see why exactly this would be wrong.

Last edited by ayekat (2017-07-21 15:36:00)


pkgshackscfgblag

Offline

#6 2017-07-21 15:58:47

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: Server | configurate sudo

Did you notice that he's operating a server?

There's nothing wrong with using groups to manage resource access (that's why they exist) but there's much wrong with global root access to anybody, because that's equivalent to a remote root shell option.
You can prefectly do that on your de-facto single user desktop system (I do that just as well)

I'd suggest to limit the commands available to wheel users to typical maintainance tasks on the machine (eg. restart services etc.), not random stuff - with the rare exception of a team of admins and the necessity to log each actions individually (but not for security reasons, because a root shell would allow to break the log)

Offline

#7 2017-07-21 16:15:26

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: Server | configurate sudo

seth wrote:

Did you notice that he's operating a server?

Ah, I hadn't taken a look at their previous threads, you're right.

But sudo is still OK to be installed on a server, especially because it's there (if multi-user) where you get to appreciate its capability of configuring "who can run what" (per-user/per-group).
And whether you use `wheel` to give fewer users "absolute" power or more users limited plumbing powers is IMHO a matter of taste. I would probably create additional, specific groups for the latter, and reserve `wheel` for the very few (or none) who are allowed to run anything.

That being said, Redgard, would you mind stating your actual goal? Is it a multi-user server or just your personal little VPS?


pkgshackscfgblag

Offline

#8 2017-07-21 18:32:55

Redgard
Member
From: Canada, Toronto
Registered: 2017-07-20
Posts: 19
Website

Re: Server | configurate sudo

The idea was:

 %admin     ALL=(ALL) ALL 

The project is to have a server hosting multiple websites, a game server (minecraft PE) and if possible some bots for the vocal.

there would be 2 user groups:

  • My brother and I - I thought granting the sudo permission to a group named "admin" and disabled the root connection to secure a minimum the server

  • 2 guys from my multigaming team - they would be added to the group "unigen" which has restricted access to the server limited to the folder /srv/http/unigen + some command (like restart)

I think to disallow normal connection to force ssh connection.

thanks for the help,
Red'

Last edited by Redgard (2017-07-21 18:35:27)

Offline

#9 2017-07-21 18:57:37

loqs
Member
Registered: 2014-03-06
Posts: 17,198

Re: Server | configurate sudo

Redgard wrote:

I think to disallow normal connection to force ssh connection.

Normal connection?  Also have you compared the server's ssh configuration with Secure_Shell#Protection particularly if the server came with arch pre installed
so the package / configuration files may be none standard.  Is root access to the server via ssh with a password currently allowed for instance?
Is there any particular reason you want to use the admin group instead of the wheel group?
By convention wheel is the group that denotes those allowed to become root and software configuration tends to follow that convention or be more easily configured to follow it.

Offline

#10 2017-07-22 14:10:21

Redgard
Member
From: Canada, Toronto
Registered: 2017-07-20
Posts: 19
Website

Re: Server | configurate sudo

I wanted to say disable normal authentification (by password) to use a connection/authentification with a SSH key.

For the admin group, the name is more intuitive and I don't know the specification of the group wheel. The goal is also to reuse the same nomenctature than the one used in the team, like this the others users don't loose their points of reference..

Last edited by Redgard (2017-07-22 16:51:24)

Offline

Board footer

Powered by FluxBB