...
Additionally, we use the GUID range 4000-4999 for clients who would send in staff to work on the servers. Since the number of users with this kind of access should not be too large, we can make the group blocks match the user blocks,
Group | Users |
---|---|
4000 | RedClient1 = 4000 |
4010 | BlueClient1 = 4010, BlueClient2 = 4011 |
4020 | GreenClient1 = 4020, GreenClient2 = 4021, GreenClient3 = 4022 |
Next, we add to the Staff users the following groups,
...
```sh
cd ~
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo cp 01_enable_sudo_for_staff /etc/sudoers.d/
rm 01_enable_sudo_for_staff
```
Manual Method
If you want to create the file manually,
...
Going forward, make sure to use visudo to edit the 01_bonsai_disable_password_auth file to ensure proper permissions and locking.
Warning |
---|
At this point it is important to log out and log in with your staff account to continue any new work. This will allow for a proper audit trail of the system from this point forward. |
...
remotebackup - User to create remote backups. The assigned UID will be 3001.
```sh
sudo useradd -d /home/remotebackup -m -g backup -u 3001 -c "Remote Backup" -s /bin/bash remotebackup
```
...
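```
# bob may run mkdir and find as root without entering a password.
# Note: find can launch other programs (-exec), so this rule is broader than it looks.
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find
```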
Allow staff Group to sudo
...
Download File Using tscripts
Tip |
---|
This is not an ideal way of doing it. Ubuntu may update this file. Instead, someone should add an injection technique using sed here. Just be careful of file permissions. |
...
```sh
cd ~
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo cp 01_enable_sudo_for_staff /etc/sudoers.d/
rm 01_enable_sudo_for_staff
```
Manual Method
If you want to create the file manually,
```sh
# Locks the file and validates for syntax errors when saving.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth
```
...
```
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL
```
Going forward, make sure to use visudo to edit the 01_bonsai_disable_password_auth file to ensure proper permissions and locking.
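When a drop-in is copied into place by a script instead of edited with visudo (as in the tscripts download above), the syntax check and permissions have to be handled explicitly. The following is an added example, not part of the original page: the function name and the `SUDOERS_DIR` / `VISUDO` override variables are assumptions, and it must run as root so the installed file is root-owned.

```sh
#!/bin/sh
# Added example: install a sudoers drop-in only after it passes a syntax check.
# SUDOERS_DIR and VISUDO are hypothetical overrides for dry runs against a
# scratch directory; the defaults are the real directory and binary.

install_sudoers_dropin() {
    src=$1    # candidate file, e.g. the downloaded 01_enable_sudo_for_staff
    name=$2   # file name to use inside the drop-in directory
    dir=${SUDOERS_DIR:-/etc/sudoers.d}
    visudo_bin=${VISUDO:-visudo}

    # sudo skips drop-in names that contain '.' or end in '~', so such a
    # file would be installed but silently never read.
    case $name in
        ''|*/*|*.*|*~)
            echo "refusing drop-in name: '$name'" >&2
            return 2 ;;
    esac

    # Stage inside the target directory so the final mv is an atomic rename.
    # The staging name contains '.', so sudo ignores it while it exists.
    tmp=$(mktemp "$dir/.stage.XXXXXX") || return 1

    if ! { cp "$src" "$tmp" && chmod 0440 "$tmp"; }; then
        rm -f "$tmp"
        return 1
    fi

    # visudo -c checks syntax only; it does not judge what the rules grant.
    if ! "$visudo_bin" -cf "$tmp" >/dev/null; then
        echo "syntax check failed, $dir left unchanged" >&2
        rm -f "$tmp"
        return 3
    fi

    mv -f "$tmp" "$dir/$name"
}

# Usage (as root):
#   install_sudoers_dropin ~/01_enable_sudo_for_staff 01_enable_sudo_for_staff
```

A file fetched over plain HTTP can pass the syntax check and still grant more than intended, so review its contents before installing it.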