Sunday, January 26, 2014

Provision new server with Puppet: sudo configuration


In the previous part we created an unprivileged user. Now our next goal is to give that user full access to the system. As you know, sudo allows one user to execute commands on behalf of another user. We have to configure sudo to allow our account to run any command from any host on behalf of any user. I see three different ways to achieve that:
  1. use a Puppet module (for example puppetlabs-sudo) to adjust sudo settings
  2. add our user to the special sudo group
  3. configure sudo independently
All of these approaches have their pros and cons:

The first way may be more portable across operating systems. It also has documentation and may handle some sophisticated cases. But it also adds an extra dependency, and IMHO it's overkill in our case.

The second approach is pretty simple: you only need to modify the user resource and specify the required group. But I can't be sure that it will work on other operating systems, because it relies on Ubuntu's specific sudo configuration. Another point is that I want to run commands under sudo without a password prompt, but with this approach I'm forced to type my password, because that's how sudo is configured by default.

And finally, the third approach is to manage everything manually. I wouldn't suggest it if it weren't so easy in our case. Instead of modifying the /etc/sudoers file we can put our configuration in a file located under the /etc/sudoers.d directory. Of course, this requires a version of sudo which supports such a capability. Fortunately, most modern Linux distros already ship with a version of sudo that has this feature.

Which approach to choose is up to you, but I decided to use the last one. This is the code of my sudo module (my/modules/my/manifests/server/sudo.pp):


server.pp now looks like this:



After applying these changes, log in to the server as the unprivileged user (coder in my examples) and check your permissions:

coder@somewhere:~$ sudo -l
Matching Defaults entries for coder on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User coder may run the following commands on this host:
(ALL) NOPASSWD: ALL
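
For reference, here is an added example of the drop-in approach described above (my own illustration, not the author's sudo.pp from the repository). The class name, the $user parameter and the use of validate_cmd (available since Puppet 3.5) are assumptions:

```puppet
# Added example, not the author's module: manage a drop-in under
# /etc/sudoers.d that yields the `sudo -l` result shown above.
# Assumptions: class name my::server::sudo, parameter $user,
# Puppet >= 3.5 for validate_cmd.
class my::server::sudo ($user = 'coder') {

  # Ubuntu's stock /etc/sudoers already ends with
  # `#includedir /etc/sudoers.d`, so a drop-in is picked up
  # without touching the main file.
  file { '/etc/sudoers.d':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # sudo skips drop-ins whose name contains '.' or '~', and expects
  # sudoers files to be root-owned with mode 0440, like /etc/sudoers
  # itself; keep the file name plain and the mode strict.
  file { "/etc/sudoers.d/${user}":
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    # Any command, as any user, without a password prompt.
    content      => "${user} ALL=(ALL) NOPASSWD: ALL\n",
    # Syntax-check the candidate file before it replaces the live one:
    # a drop-in with a parse error makes sudo refuse to run at all.
    validate_cmd => '/usr/sbin/visudo -cf %',
  }
}
```

Run `sudo -l` as the user afterwards, as shown above, to confirm the entry was picked up.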


That's all for today. We have taken one more step towards setting up our new server. In the next part we'll configure the ssh daemon.

I also want to remind you that you can find the full configuration in my GitHub repository. Today's changes reside in commit 82b089ac.
