hello list,

I've been asked to give someone sudo rights across an entire environment without the benefit of something like puppet or chef or cfengine et al.

What I've come up with so far is this:

ssh -t miaprbicsra04v sudo -S /bin/echo "rsherman ALL=\(ALL\) NOPASSWD: /sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers

Right now that's just to one host, but I plan on substituting a list of hosts once I get farther along.

Problem is, the output hangs on the tee command. Not sure why. Any suggestions?

Thanks,
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Tim Dunphy wrote:
> hello list,
>
> I've been asked to give someone sudo rights across an entire environment
> without the benefit of something like puppet or chef or cfengine et al.
>
> What I've come up with so far is this:
>
> ssh -t miaprbicsra04v sudo -S /bin/echo "rsherman ALL=\(ALL\) NOPASSWD:
> /sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers

Bad admin. No coffee for you!

First, I would have listed the above as

> ssh -t <whatsit> sudo -S /bin/echo "<username> ALL=\(ALL\) NOPASSWD:
> /sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers

since doing what you did just told the world a username that they can try to break in with.

Second, sudoers should ALWAYS be edited with visudo, and you might do a here script....

<snip>

mark
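The here-script approach mark suggests, as an added example that is not from the thread: the sudoers line is built locally, each host checks it with visudo -c before anything lands in /etc/sudoers.d, and nothing is redirected on the local side (in the original command, ">> sudo" appends the remote output to a local file named "sudo" rather than piping into tee). It assumes the admin account has passwordless sudo on the targets, that sudoers includes /etc/sudoers.d, and that the user name and host names are placeholders given on the command line.

```shell
#!/bin/sh
# Push a per-user sudoers drop-in to a list of hosts without a config management
# tool. Each host validates the fragment with visudo -c before installing it, so
# a typo cannot break sudo on every box at once. Assumed (not from the thread):
# passwordless sudo for the admin account, and sudoers including /etc/sudoers.d.

# Turn "user cmd1 cmd2 ..." into one sudoers line. A Cmnd list is
# comma-separated; the space-separated form in the original command is not.
render_sudoers() {
    user="$1"; shift
    list=""
    for cmd in "$@"; do
        list="${list:+$list, }$cmd"
    done
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$list"
}

# The here script that runs as root on each host: write the fragment to a temp
# file (a leading dot makes sudo ignore it until it is renamed), run visudo -cf
# on it, and only then move it into place with mode 0440.
remote_script() {
    user="$1"; line="$2"
    cat <<EOF
set -e
tmp=\$(mktemp /etc/sudoers.d/.${user}.XXXXXX)
printf '%s\n' '${line}' > "\$tmp"
if visudo -cf "\$tmp"; then
    chmod 0440 "\$tmp" && mv "\$tmp" /etc/sudoers.d/${user}
else
    rm -f "\$tmp"
    echo "refusing to install a sudoers fragment that visudo rejects" >&2
    exit 1
fi
EOF
}

# Feed the script to "sudo sh -s" on every host; report per-host success.
deploy() {
    user="$1"; line="$2"; shift 2
    for host in "$@"; do
        printf '%s: ' "$host"
        remote_script "$user" "$line" | ssh "$host" sudo sh -s && echo ok || echo FAILED
    done
}

# Usage: ./deploy_sudoers.sh <username> host1 host2 ...
if [ "$#" -ge 2 ]; then
    user="$1"; shift
    deploy "$user" "$(render_sudoers "$user" /sbin/service /bin/rm /usr/bin/du /bin/df)" "$@"
fi
```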
On 07/08/2013 10:32 PM, Tim Dunphy wrote:
> hello list,
>
> I've been asked to give someone sudo rights across an entire environment
> without the benefit of something like puppet or chef or cfengine et al.

Another option is using LDAP, so you can specify who can do what in the LDAP tree. The IPA project (included in CentOS as ipa-server and ipa-client) fixes all this for you:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html

Having said this, the question of managing an environment without management tools is peculiar. You need to have a way to introduce changes in a safe, tested, repetitive way. Denying you the possibility of doing this is not best practice and you should point this out as a risk in your project.

--
groet,
natxo