should a no-login user be allowed to start a sudo session?
Hi,

following issue: A system user (tryton) is created to run an ERP server. The user is a no-login user, and he does not belong to any group.
Should this user be able to run 'sudo'?
In openSUSE (Leap) it is possible. Under e.g. Ubuntu this is prohibited ("not part of the sudo group").
What is best practice here? Is it a risk if a no-login user can run sudo commands without further (group) authorisation?

Thanks
Axel
On 21.04.2022 21:08, Axel Braun wrote:
> Hi,
> following issue: A system user (tryton) is created to run an ERP server. The user is a no-login user,
What exactly does it mean?
> and he does not belong to any group.
This is technically impossible. Every user belongs to at least one primary group.
> Should this user be able to run 'sudo'?
How? This user cannot log in, correct? The user needs an interactive session where sudo can request a password. How does this user obtain this interactive session?
> In openSUSE (Leap) it is possible. Under e.g. Ubuntu this is prohibited ("not part of the sudo group").
> What is best practice here? Is it a risk if a no-login user can run sudo commands without further (group) authorisation?
How exactly is it less secure than a "normal" user (whatever that means) running sudo without group authorization? In the model where you need to provide the target user's password anyway, there is no additional security in restricting sudo to a specific group. If you do not know the target password you cannot use sudo; if you know the target password you can use su or simply log in as the target user, bypassing sudo. Ubuntu asks users to identify themselves, in which case, without additional restrictions, any user would be able to use sudo.
On 2022-04-21 20:22, Andrei Borzenkov wrote:
> On 21.04.2022 21:08, Axel Braun wrote:
>> Hi,
>> following issue: A system user (tryton) is created to run an ERP server. The user is a no-login user,
> What exactly does it mean?
Maybe: /etc/passwd:
colord:x:493:490:user for colord:/var/lib/colord:/sbin/nologin
>> and he does not belong to any group.
> This is technically impossible. Every user belongs to at least one primary group.
>> Should this user be able to run 'sudo'?
> How? This user cannot log in, correct? The user needs an interactive session where sudo can request a password. How does this user obtain this interactive session?
But maybe a job (cronjob) could use sudo to run something, and sudo be configured to not ask for a password. Example:

/etc/passwd:
gdm:x:50:109:Gnome Display Manager daemon:/var/lib/gdm:/bin/false

/etc/sudoers:
# cer Telcontar = (gdm) NOPASSWD: /usr/bin/dbus-launch gnome-appearance-properties

I don't remember if this worked. And anyway, it is not gdm using sudo.

--
Cheers / Saludos,
Carlos E. R.
(from 15.3 x86_64 at Telcontar)
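As an added example (not part of the thread), a small POSIX shell audit that lists sudoers rules granted directly to accounts whose login shell is nologin or false, i.e. the no-login service account Axel asks about and the cron-job case Carlos describes. The passwd and sudoers contents are constructed samples, and the user and command names in them are assumed.

```shell
#!/bin/sh
# Added audit helper (not from the thread). A rule granted directly to a
# no-login account can only ever be exercised non-interactively (cron,
# a service), so it is worth listing and checking whether it is NOPASSWD.

# Login names whose shell ends in /nologin or /false.
nologin_users() {
    awk -F: '$7 ~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Print "user<TAB>NOPASSWD|password<TAB>rule" for every sudoers rule whose
# user spec is a no-login account. Comments, blank lines, Defaults and
# alias definitions are skipped; %group and #uid specs never match a name.
service_sudo_rules() {
    passwd=$1 sudoers=$2
    nologin_users "$passwd" | while IFS= read -r user; do
        awk -v u="$user" '
            /^[ \t]*(#|$)/ { next }
            /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
            $1 == u {
                printf "%s\t%s\t%s\n", u,
                    (($0 ~ /NOPASSWD/) ? "NOPASSWD" : "password"), $0
            }
        ' "$sudoers"
    done
}

# Constructed sample files for a stand-alone run (not from a real host).
PASSWD_SAMPLE=$(mktemp); SUDOERS_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$SUDOERS_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
axel:x:1000:100:Axel:/home/axel:/bin/bash
tryton:x:494:491:Tryton ERP server:/var/lib/tryton:/sbin/nologin
gdm:x:50:109:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
EOF
cat > "$SUDOERS_SAMPLE" <<'EOF'
# constructed sudoers (assumed users and commands)
Defaults targetpw
root ALL=(ALL) ALL
axel ALL=(ALL) ALL
tryton ALL=(root) NOPASSWD: /usr/bin/systemctl restart trytond
gdm ALL=(root) /usr/bin/true
EOF

service_sudo_rules "$PASSWD_SAMPLE" "$SUDOERS_SAMPLE"
```

On a real system run it as `service_sudo_rules /etc/passwd /etc/sudoers` (and again for each file under /etc/sudoers.d), which needs root to read the sudoers file.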