...

Outlined here are the minimal security steps the Bonsai Framework uses in server builds. Since these account names are published on the Internet, you may want to change them; however, the exposure is greatly mitigated by RSA SSH key based authentication.

Allow staff Group to sudo

Rather than editing /etc/sudoers directly with visudo, this approach places the rule in a drop-in file under /etc/sudoers.d/ so that system upgrades will not overwrite your changes.

Download File Using tscripts

Download the tscript and copy it into place:

Code Block
languagebash
cd ~
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo cp 01_enable_sudo_for_staff /etc/sudoers.d/
rm 01_enable_sudo_for_staff

 

Manual Method

If you want to create the file manually:

Code Block
languagebash
# Locks the file and validates it for syntax errors before saving.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth

visudo launches your default editor on the new drop-in file. Add the following to the file:

Code Block
languagebash
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL

 

Going forward, always use visudo to edit the 01_bonsai_disable_password_auth file so that it keeps the proper permissions and is locked while being edited.

Naming Convention

You may want to understand the naming convention used here if you intend to build your own files. Otherwise, the examples are self-explanatory and have not caused any issues.

...

Code Block
languagebash
sudo passwd brian.hitch
Enter new Unix password:
Reenter new Unix password:
passwd: password updated successfully
sudo passwd john.cassaday
sudo passwd warren.ellis


 

Warning

At this point it is important to log out and log back in with your staff account before doing any further work. This gives a proper audit trail of the system from this point forward.

...

Code Block
languagebash
sudo useradd -d /home/remotebackup -m -g backup -u 3001 -c "Remote Backup" -s /bin/bash remotebackup

Create regular Users

If you would like to add regular users without giving them sudo access, follow the instructions below.

Create regular group

Code Block
languagebash
sudo addgroup support

Create the users and add them to the "support" group

Code Block
languagebash
sudo useradd -d /home/tom.hitch -m -g support -u 2500 -c "Support Tom Hitch" -s /bin/bash tom.hitch
sudo useradd -d /home/rohan.cassaday -m -g support -u 2501 -c "Support Rohan Cassaday" -s /bin/bash rohan.cassaday
sudo useradd -d /home/dennis.ellis -m -g support -u 2502 -c "Support Dennis Ellis" -s /bin/bash dennis.ellis

Granting a Non-staff User sudo Access to Certain Commands

...

Code Block
languagebash
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find
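
As an added, defender-side example (not part of the Bonsai Framework or its tscripts), the following Python audits a sudoers.d drop-in like the ones installed in the "Allow staff Group to sudo" section and the bob rule above: it parses each rule, reports which identities get unrestricted root and which get passwordless commands, and checks that the drop-in file name is one sudo will actually read. The parser is deliberately simplified (no aliases or line continuations), and the sample content is constructed from the rules shown on this page.

```python
import re

# Simplified parser for sudoers.d rules of the form "who hosts=(runas) [TAG:] cmd, cmd".
# Defaults, alias lines, comments and blanks are skipped; aliases and "!" are not handled.
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def parse_sudoers(text):
    """Return one dict per user/group rule: who, runas, tags, cmds."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line and not line.startswith(SKIP) else None
        if not m:
            continue
        spec, tags = m.group("spec").strip(), []
        # Tags such as "NOPASSWD:" prefix the command list and may stack.
        while ":" in spec and spec.split(":", 1)[0].strip() in TAGS:
            tag, spec = spec.split(":", 1)
            tags.append(tag.strip())
            spec = spec.strip()
        rules.append({"who": m.group("who"),
                      "runas": (m.group("runas") or "root").strip(),
                      "tags": tags,
                      "cmds": [c.strip() for c in spec.split(",") if c.strip()]})
    return rules

def dropin_name_ok(name):
    """sudo ignores sudoers.d files whose names contain '.' or end in '~'."""
    return "." not in name and not name.endswith("~")

def audit(text):
    """Map each who to 'full' or 'restricted', plus '+nopasswd' when no password is asked."""
    report = {}
    for r in parse_sudoers(text):
        kind = "full" if "ALL" in r["cmds"] else "restricted"
        if "NOPASSWD" in r["tags"]:
            kind += "+nopasswd"
        report[r["who"]] = kind
    return report

# Constructed drop-in combining the two rules shown on this page plus a Defaults line.
SAMPLE = """\
Defaults env_reset
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find
"""
```

Run `audit(open("/etc/sudoers.d/01_enable_sudo_for_staff").read())` as root to review a live drop-in; the name check catches the common mistake of saving a backup copy such as `file.bak` into the directory, which sudo would never load.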

 
