If you wish to open the file in nano use below command: sudo EDITOR=nano visudo If you open the file with a text editor, a syntax error will result in losing the sudo access. This command checks the file after editing, and if there is a syntax error it will not save the changes. When making changes to the sudoers file always use visudo. Open the /etc/sudoers file with the visudo command: sudo visudo The files created inside this directory will be included in the sudoers file You can configure the user sudo access by modifying the sudoers file or by adding a configuration file to the /etc/sudoers.d directory. The sudoers file contains information that determines a user’s and group’s sudo privileges. However, in certain scenarios, such as when running automated scripts, there may be a need to configure the sudoers file to permit specific users to execute sudo commands without requiring a password input. This extra layer of security is the recommended approach for conferring sudo privileges upon users. In contrast, on RedHat-based distributions such as CentOS and Fedora, the sudo group is often named wheel.Įvery member of this group is required to input their password before executing a sudo command. On Debian, Ubuntu, and related distributions, individuals in the sudo group are endowed with sudo privileges. Typically, to grant a user sudo access, you must include them in the sudo group as specified in the sudoers file. If you frequently work on the command line, you'll find sudo to be a command you use regularly. The sudo command provides a means for trusted users to execute programs as another user, typically the root user. This, I believe is a good balance of ease of automation and security.Passwordless 'Sudo' : How to Run Sudo Command Without Password Let's talk about 'Sudo' Note that for simplicity, the playbook, imported task and passwords file all reside in the same directory. # Add a directory inside the root user's home for proof of concept # Point to the passwords file relative to where the playbook file resides Then import this task into any playbooks that require escalated privileges: - name: Playbook Name Save to a file separate from any playbooks, as this can be imported to all playbooks. Then create a task partial to import the sudo passwords as the ansible_become_pass fact. ~/my-ansible-project $ ln -s /path/to/vault/sudo_passwords.yamlīe sure to keep this file out of version control However, I just symlink, since my encrypted volume is only open when I need to do work. # Decrypt when you're using itĪnsible-vault decrypt sudo_passwords.yamlĪnsible-vault encrypt sudo_passwords.yamlįor this part, you will need the encryption password. You could also keep this file in the root of the ansible project itself, and use ansible-vault to encrypt/decrypt in place. I keep the raw secrets file as a plaintext file in an encrypted volume, then add a symlink to a file in the root of your ansible project. There are options where you can keep this file, but here is my strategy. You'd think that this would make automation difficult, having to enter a password each time, but this is where the ansible_become_pass host variable comes in useful.Ĭreate a yaml file somewhere and create a dictionary of hosts to sudo passwords: sudo_passwords: If a bad actor gains access to one of your servers and it's possible to sudo without a password, then they can also sudo su and become the root user.Īlways have a user password that is required to run escalated privileges
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |