...
Also, the serveradmin account is limited in that it can not use sudo. If an attacker compromises the application, sudo is still out of reach.
Finally, in order to easily use Zero Footprint, create serveradmin consistently (same GID's and name) across all your systems.
Add the user and assign a password to that user,
...
Download tscripts,
Code Block | ||
---|---|---|
| ||
sudo su - root cd ~ /etc/sudoers.d/ sudo wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff sudo cp 01_enable_sudo_for_staffchmod o-r /etc/sudoers.d/ rm 01_enable_sudo_for_staff exit |
Manual Method
If you want to create the file manually,
Code Block | ||
---|---|---|
| ||
# Locks its the file for single user access (important in a multi-user system) and validates for syntax errors. sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth |
...
Code Block | ||
---|---|---|
| ||
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find |
Allow staff Group to sudo
Rather then editing the /etc/sudoers using visudo, this approach ensures that system upgrades will not overwrite your changes.
Download File Using tscripts
Tip |
---|
This is not ideal way of doing it. Ubuntu may update this file. Instead someone should add here an injection technique using sed. Just be careful of file permissions. |
Download tscripts,
Code Block | ||
---|---|---|
| ||
cd ~
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo cp 01_enable_sudo_for_staff /etc/sudoers.d/
rm 01_enable_sudo_for_staff |
Manual Method
If you want to create the file manually,
Code Block | ||
---|---|---|
| ||
# Locks file and validates for syntax errors when saving.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth |
visudo launches your default editor to a special file. Add the following to the file,
Code Block | ||
---|---|---|
| ||
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL |
Going forward, make sure to use visudo to edit the 01_bonsai_disable_password_auth file to ensure proper permissions and locking,