eahw5q
Last Updated: February 25, 2016
·
870
· blitline-dev

Sudo and Recipes on Commando.IO

Background

Although Commando.IO has many security precautions in place, you will undoubted come to a point where you want to run a script that has "sudo" in it.

As you probably know, linux based machines have layers of security to protect their users. One of them is shared key protection to prevent unauthorized machines from accessing your machine via SSH. This helps reduce the footprint of malicious people who can get access to your machines.

Another layer of security is the requirement of using sudo to execute certain commands on the system. Sudo (for the most part) 'requires' that you enter a password for the command to execute. This makes running scripts, remotely and in bulk, that include sudo difficult, because there is not interactive terminal with which to enter a password.

So, we are stuck with the need to bypass one of the fundamental security layers of Unix. How can we mitigate this problem while still maintaining some level of security? Any security guy worth their salt would stop reading right now in disgust, because bypassing that security layer will ALWAYS expose you to more risk, you cannot get around that. So if you are OK with accepting that additional risk, the following is how to help mitigate it.

First, lets talk about things you SHOULD NOT DO:

- Don't connect with the root or root level user!
- Don't store your password in ANY file!
- Don't give your user permission to bypass all sudo commands!

Here is what we ARE going to do. We are going to set the linux environment to allow your user to run certain commands with sudo without the need to enter a password for them. For example, one of the fundamental things we are going to need to do is "apt-get install" packages. The amount of malicious things a hacker could do with apt-get is somewhat limited, so even if your user is compromised, he is limited to installing packages on your server.

How do we do this?

You are going to have to log in to each of your machines. If you have not done so already, you should create a user that is NOT root. If you have not already done this, please google "linux create new user". From here on we will refer to this users name as <USER_NAME>

On your linux box, we will use the visudo command. The visudo command opens a text editor like normal, but then validates the syntax of the file upon saving. This prevents configuration errors from blocking "sudo" operations, which may be your only way of obtaining root privileges.

sudo visudo

In the text console that comes up you will add the following to the bottom:

<USER_NAME>    ALL = (ALL) NOPASSWD: /usr/bin/apt-get

(Visudo might open with nano or vim, so you will have to save an exit based on what text editor was used).

NOW, when you run a script that uses something like this:

sudo apt-get install less

The sudo will run without the need for a password and won't error out.

What if I need to add several commands?

Undoubtedly, you will want to do more things than just "apt-get" install stuff. You can add more actions to this file according to what you are sudo-ing in your recipes.

For example, to add the "service" command to start and stop services you can add:

<USER_NAME>    ALL = (ALL) NOPASSWD: /usr/bin/apt-get, /usr/sbin/service restart

Notice that the commands are comma-separated, and can include parameters like "restart"