...

Additionally, we use the GUID range 4000-4999 for clients who would send in staff to work on the servers. Since the number of users with this kind of access should not be too large, we can make the group blocks match the user blocks,

Group   Users
4000    RedClient1 = 4000
        RedClient2 = 4001
        RedClient3 = 4002
        RedClient5 = 4003
4010    BlueClient1 = 4010
        BlueClient2 = 4011
4020    GreenClient1 = 4020
        GreenClient2 = 4021
        GreenClient3 = 4022

Next, we add to the Staff users the following groups,

...

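```bash
cd ~
# Download the sudoers drop-in. The transfer is plain HTTP, so review the file before installing it.
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
# Copy it into the directory sudo reads for extra rules, then remove the local copy.
sudo cp 01_enable_sudo_for_staff /etc/sudoers.d/
rm 01_enable_sudo_for_staff
```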

 


Manual Method

If you want to create the file manually,

...

Going forward, make sure to use visudo to edit the 01_bonsai_disable_password_auth file to ensure proper permissions and locking,

 


Warning

At this point it is important to log out and log in with your staff account to continue any new work. This will allow for a proper audit trail of the system from this point forward.

...

remotebackup - User to create remote backups. The assigned UID will be 3001.

 


```bash
sudo useradd -d /home/remotebackup -m -g backup -u 3001 -c "Remote Backup" -s /bin/bash remotebackup
```

...

```
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find
```

 


Allow staff Group to sudo

...

Download File Using tscripts

 


Tip

This is not an ideal way of doing it. Ubuntu may update this file. Instead, someone should add an injection technique using sed here. Just be careful of file permissions.

...

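```bash
cd ~
# Download the sudoers drop-in. The transfer is plain HTTP, so review the file before installing it.
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
# Copy it into the directory sudo reads for extra rules, then remove the local copy.
sudo cp 01_enable_sudo_for_staff /etc/sudoers.d/
rm 01_enable_sudo_for_staff
```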

 


Manual Method

If you want to create the file manually,

```bash
# Locks the file and validates for syntax errors when saving.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth
```

...

```
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL
```

 

Going forward, make sure to use visudo to edit the 01_bonsai_disable_password_auth file to ensure proper permissions and locking,
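One way to script the drop-in install so that a syntax error or wrong file mode never reaches /etc/sudoers.d, as an added example that is not part of the original page. The function names are hypothetical, and it assumes sudo, visudo, mktemp and install are available.

```bash
#!/bin/sh
# Added example (not from the original page): stage, check and install a
# sudoers.d drop-in. Function names are hypothetical.

# sudo skips files in /etc/sudoers.d whose names contain '.' or end in '~'.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write one rule to a private temp file, set mode 0440, print the path.
stage_dropin() {
    sd_tmp=$(mktemp) || return 1
    if printf '%s\n' "$1" > "$sd_tmp" && chmod 0440 "$sd_tmp"; then
        printf '%s\n' "$sd_tmp"
    else
        rm -f "$sd_tmp"
        return 1
    fi
}

# install_dropin NAME RULE [DIR]: validate with visudo, then install as root.
install_dropin() {
    id_dir=${3:-/etc/sudoers.d}
    valid_dropin_name "$1" || { echo "sudo would ignore '$1'" >&2; return 1; }
    id_tmp=$(stage_dropin "$2") || return 1
    if sudo visudo -c -q -f "$id_tmp"; then
        # Install with the owner and mode sudoers files conventionally use.
        sudo install -o root -g root -m 0440 "$id_tmp" "$id_dir/$1"
        id_rc=$?
    else
        echo "syntax check failed; nothing installed" >&2
        id_rc=1
    fi
    rm -f "$id_tmp"
    return "$id_rc"
}

# Usage, with a file name and the rule shown on this page:
#   install_dropin 01_enable_sudo_for_staff '%staff ALL=(ALL) ALL'
```

Keep a second root session open while testing a new rule, so a mistake in the staff entry cannot lock you out of sudo.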