Privileged permissions (sudo)
Sudo (su "do") allows giving certain users (or groups of users) the ability to run dedicated commands as root, while logging all commands and arguments.
Currently, there is no automated process for adding sudo rules to a Swisscom RHEL VM. Therefore, you have to order sudo rules through a service request. For example, for application restarts. After submitting the service request, the requested sudo rules will be reviewed and eventually approved.
How to order sudo configuration
- Please first think carefully if you really need the sudo rules! With the Temp Admin state and the created user custadm you get a user with almost all sudo rights!
- Moreover, check if not the Fine-grained user access concept fulfills your request.
For sudo rules to be accepted by the compliance check, the checksum of the sudo file must be entered in the compliance check's allow list. The sudo file is then accepted by the compliance check on all Swisscom RHEL VMs. If you really need sudo rules, use the procedure below to order the sudo rules:
Create the sudo file. Please make sure to start the filename for the sudo file with
05_*
This is to make sure that the settings (e.g.NOPASSWD
) of05_*
file are always applied and not overwritten from another sudo file./etc/sudoers.d/05_customer_application
# # Manually added sudo rules for the customer application # # Note: # - no commands with * # # Date: dd.mm.yyyy # Requestor: surname.name@swisscom.com # Requestor OU: XX-XX-XX-XX # <application_user> ALL= <command1>, \ <command2>, \ <commandN>
Get the checksum for the newly created file. Comments are not part of the checksum, so you can edit the comments later and the checksum stays the same.
checkmate --checksum /etc/sudoers.d/05_customer_application
Open a service request with following details:
- Explanation why you need this sudo commands
- List of servers (VM name and/or FQDN)
- File which needs to be in the allow list
- Checksum of the sudo file
The operation team then reviews the rules and adds the checksum to the allow list.
As soon as the checksum is in the allow list, you can distribute the sudo file to other Swisscom RHEL VMs. As long as the checksum stays the same, the compliance check will accept it.
Workaround for output redirections with sudo
Output redirects to a file with sudo will not work if the user with sudo privileges has no write permissions for the file
$ sudo echo 'rouser custsnmp priv .1' >> /etc/snmp/snmpd.conf
-bash: /etc/snmp/snmpd.conf: Permission denied
The problem can be avoided with the tee
command:
sudo echo 'rouser custsnmp priv .1' | sudo tee -a /etc/snmp/snmpd.conf