...

Also, the serveradmin account is limited in that it cannot use sudo. If an attacker compromises the application, sudo is still out of reach.

Finally, to make Zero Footprint easy to use, create serveradmin consistently (same GIDs and name) across all your systems.

Add the user and assign a password to that user,

...

Download tscripts,

Code Block
languagebash
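# Become root for the install.
sudo su - root
cd ~
# Fetch the sudoers drop-in from tscripts.
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
# Copy it into place and remove read access for other users.
cp 01_enable_sudo_for_staff /etc/sudoers.d/
chmod o-r /etc/sudoers.d/01_enable_sudo_for_staff
rm 01_enable_sudo_for_staff
exit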


Manual Method

If you want to create the file manually,

Code Block
languagebash
# Locks the file for single-user access (important in a multi-user system) and validates for syntax errors.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth

...

Code Block
languagebash
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find

Allow staff Group to sudo

Rather than editing /etc/sudoers using visudo, this approach ensures that system upgrades will not overwrite your changes.

Download File Using tscripts

Tip

This is not an ideal way of doing it. Ubuntu may update this file. Instead, someone should add an injection technique using sed here. Just be careful of file permissions.

Download tscripts,

Code Block
languagebash
cd ~
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo cp 01_enable_sudo_for_staff /etc/sudoers.d/
rm 01_enable_sudo_for_staff
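
The download above copies the file straight into /etc/sudoers.d/, so a syntax error or wrong mode takes effect immediately. The function below is an added example, not part of the original page or of tscripts: it stages the file, checks it with visudo -cf, and only then installs it with mode 0440. The SUDOERS_CHECK variable and the optional destination-directory argument are assumptions, added so the function can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original page): validate a sudoers drop-in
# before it becomes live, then install it read-only.
# Usage (as root):
#   install_sudoers_dropin ./01_enable_sudo_for_staff 01_enable_sudo_for_staff
# SUDOERS_CHECK and the optional third argument are hypothetical hooks for
# testing; the defaults are "visudo -cf" and /etc/sudoers.d.

install_sudoers_dropin() {
    src=$1
    name=$2
    destdir=${3:-/etc/sudoers.d}
    check=${SUDOERS_CHECK:-visudo -cf}

    # sudo ignores drop-ins whose names contain '.' or end in '~',
    # so such a name would install a rule that silently never applies.
    case $name in
        ''|*.*|*~|*/*) echo "invalid drop-in name: $name" >&2; return 2 ;;
    esac

    # Stage under a dotted name: sudo skips it while it is unvalidated.
    tmp=$(mktemp "$destdir/.$name.XXXXXX") || return 1
    if ! cat "$src" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0440 "$tmp"

    # Syntax-check the staged copy; a broken file here can lock out sudo.
    if ! $check "$tmp" >/dev/null 2>&1; then
        echo "sudoers syntax check failed, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi

    # A rename within one directory is atomic: sudo sees old or new, never partial.
    mv -f "$tmp" "$destdir/$name"
}
```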

Manual Method

If you want to create the file manually,

Code Block
languagebash
# Locks file and validates for syntax errors when saving.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth

visudo opens your default editor on a temporary copy of the file. Add the following to the file,

Code Block
languagebash
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL

Going forward, make sure to use visudo to edit the 01_bonsai_disable_password_auth file to ensure proper permissions and locking,