On 21.04.2022 21:08, Axel Braun wrote:
Hi,
> Following issue: A system user (tryton) is created to run an ERP server. The user is a no-login user,
What exactly does it mean?
> and he does not belong to any group.
This is technically impossible. Every user belongs to at least one primary group.
> Should this user be able to run 'sudo'?
How? This user cannot log in, correct? The user needs an interactive session where sudo can request a password. How does this user obtain this interactive session?
> In openSUSE (Leap) it is possible. Under e.g. Ubuntu this is prohibited ("not part of the sudo group").
> What is best practice here? Is it a risk if a no-login user can run sudo commands without further (group) authorisation?
How exactly is it less secure than a "normal" user (whatever that means) running sudo without group authorization? In the model where you need to provide the target user's password anyway, there is no additional security in restricting sudo to a specific group. If you do not know the target password you cannot use sudo; if you know the target password you can use su or simply log in as the target user, bypassing sudo. Ubuntu asks users to identify themselves, in which case, without additional restrictions, any user would be able to use sudo.
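As an added example (not part of the thread), a small sh/awk audit that reads passwd, group and sudoers text and lists accounts with a nologin shell that are nevertheless granted sudo, either by a direct user rule or through a %group rule matching their primary or a supplementary group. The account names, GIDs and the sudoers fragment below are constructed for the demonstration and are not taken from any real system.

```shell
# Added audit example (not from the thread): find accounts with a nologin shell
# that are still granted sudo, directly or via a %group rule matching their
# primary GID (passwd) or a supplementary group (/etc/group). Constructed data.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
tryton:x:990:990:Tryton ERP server:/var/lib/tryton:/usr/sbin/nologin
alice:x:1000:100:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/sbin/nologin
nobody:x:65534:65534:nobody:/:/bin/false'
GROUP_SAMPLE='wheel:x:10:alice,backup
users:x:100:
tryton:x:990:'
SUDOERS_SAMPLE='# constructed sudoers fragment
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL
tryton ALL=(root) NOPASSWD: /usr/bin/systemctl restart tryton'

# nologin_sudo_users PASSWD GROUP SUDOERS: print, in passwd order, each user whose
# shell ends in nologin or /false and who matches a sudoers user or %group rule.
nologin_sudo_users() {
    awk -F: '
        FNR == 1 { file++ }
        # passwd: remember nologin users and their primary GID
        file == 1 && $7 ~ /nologin$|\/false$/ { order[++n] = $1; pgid[$1] = $4 }
        # group: map GID -> name and record supplementary members
        file == 2 { gname[$3] = $1; c = split($4, m, ","); for (i = 1; i <= c; i++) member[m[i], $1] = 1 }
        # sudoers: first token is a user or a %group (blank, comment and Defaults lines skipped)
        file == 3 && NF > 0 && $0 !~ /^[ \t]*#/ && $0 !~ /^Defaults/ {
            split($0, f, /[ \t]+/)
            if (f[1] ~ /^%/) sgroup[substr(f[1], 2)] = 1; else suser[f[1]] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                if (u in suser) { print u; continue }
                for (g in sgroup) if (g == gname[pgid[u]] || ((u, g) in member)) { print u; break }
            }
        }' "$1" "$2" "$3"
}

# Write the samples to temp files, run the audit, clean up.
run_sample_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$PASSWD_SAMPLE" > "$d/passwd"
    printf '%s\n' "$GROUP_SAMPLE" > "$d/group"
    printf '%s\n' "$SUDOERS_SAMPLE" > "$d/sudoers"
    nologin_sudo_users "$d/passwd" "$d/group" "$d/sudoers"
    rm -rf "$d"
}
run_sample_audit
```

On the sample data it reports tryton (direct rule) and backup (member of wheel), while nobody, which has no matching rule, is not listed.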