Operating System - Linux

Sudo access for specific period

jitjose
Advisor

Hi Friends,

I am looking for configuring sudo access for a user within a time interval.

E.g. if I want to give one user sudo access for ten days (start date to end date), is it possible to configure this in the sudoers file?


Thanks in advance.

Matti_Kurkela
Honored Contributor

Re: Sudo access for specific period

No, the sudoers file has no time-based configuration settings at all.


You might create an extra group for this user only, assign the required sudo access to that group, and then schedule a cron/at job to remove the user from that group at the time the access is to be revoked.


For example:

groupadd sudogrp

usermod -a -G sudogrp <username>

visudo

----------

%sudogrp ALL = (<targetuser>) <whatever commands you want to allow>

----------


Then schedule "gpasswd -d <username> sudogrp" to run at the time the access is supposed to end. You might want to add something like "su -c 'kill -HUP -1' <username>" to the scheduled job to force the user to log out at that time, so the user cannot prolong the access just by staying logged in.


Of course, if your "sudo access" actually means access to the root account, the user can remove the scheduled job or set up something else that will allow him/her to get root access even after the sudo access has been revoked. A setuid root copy of /bin/bash hidden away in a non-obvious location would be an easy way to do that.

MK
jitjose
Advisor

Re: Sudo access for specific period

Thanks MK,


When I mention the username in the command below, the sudo access doesn't seem to work.

If I replace the targetusername with ALL, the user can do sudo to root.

If there are different users needing root access at different times, then how will it work?

%sudogrp ALL=(<targetusername>)   ALL

Matti_Kurkela
Honored Contributor

Re: Sudo access for specific period

Well, (<targetusername>) is supposed to be the username the user wants to run as, i.e. (root) in your case.


As you did not explicitly specify that you meant root access in your original post, I tried to write the sudo rule in a generic form. But if you are giving root access, then (ALL) makes no difference.


Note that if you want, you can give the user access to a particular user account only: you won't have to always give root access for just that. For example, something like this sudoers rule is very common in our database servers:

%dbadmins ALL = (oracle) ALL


With this rule, the DBAs (in the dbadmins group) can use "sudo -u oracle -i" to become the oracle user, or "sudo -u oracle <some command>" if they only need to execute just one command as the oracle user.


Different users needing root access at different times should not be a problem: just schedule the command that removes the user from the group separately for each user, according to the time the access is supposed to end. You can also schedule the command to add someone to the group, if you want.


In this way, the group becomes a convenient "handle" to a specific sudo access rule (or a set of rules). Add a user to the group and s/he will have the specified access; remove the user from the group to revoke that access.


A group can have many members, just one member, or no members at all at any given time.

MK
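The procedure MK describes in both replies (a dedicated group as the "handle" for a sudoers rule, membership revoked by a scheduled gpasswd -d), put together as one bash script. This is an added example, not code from the thread; it assumes a drop-in file under /etc/sudoers.d named after the group, a DRY_RUN switch that prints the privileged commands instead of running them, and uses pkill -HUP -u in place of the su -c 'kill -HUP -1' construct from the thread.

```bash
#!/bin/bash
# Time-limited sudo via group membership, revoked by an at(1) job.
# Assumed names (not from the thread): /etc/sudoers.d/<group>, DRY_RUN.
# DRY_RUN=1 prints the privileged commands instead of executing them.

run() {                 # execute a privileged command, or echo it in dry-run mode
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Sudoers rule: members of GROUP may run CMDS as RUNAS (e.g. root or oracle).
sudoers_rule() {        # usage: sudoers_rule GROUP RUNAS CMDS
    printf '%%%s ALL = (%s) %s\n' "$1" "$2" "$3"
}

# Revocation command: drop the group membership, then HUP the user's processes
# so an open session cannot outlive the access (pkill replaces su -c 'kill -HUP -1').
revoke_cmd() {          # usage: revoke_cmd USER GROUP
    printf 'gpasswd -d %s %s && pkill -HUP -u %s\n' "$1" "$2" "$1"
}

# Grant USER membership in GROUP until END, an at(1) time spec such as
# "now + 10 days". The rule stays in place; only the membership is temporary.
# Caveat from the thread: if RUNAS is root, the user can delete the at job,
# so the schedule is a real boundary only for non-root RUNAS accounts.
grant_temp_sudo() {     # usage: grant_temp_sudo USER GROUP RUNAS CMDS END
    local user=$1 group=$2 runas=$3 cmds=$4 end=$5 rule tmp
    case $user in *[!a-z0-9_-]*|'') echo "bad user name: $user" >&2; return 1;; esac
    rule=$(sudoers_rule "$group" "$runas" "$cmds")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "install rule: $rule"
    else
        getent group "$group" >/dev/null || groupadd "$group"
        tmp=$(mktemp) && printf '%s\n' "$rule" >"$tmp"
        # visudo -c rejects a broken drop-in before it can lock everyone out of sudo
        visudo -c -f "$tmp" && install -m 0440 "$tmp" "/etc/sudoers.d/$group"
        rm -f "$tmp"
    fi
    run usermod -a -G "$group" "$user"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "at $end: $(revoke_cmd "$user" "$group")"
    else
        revoke_cmd "$user" "$group" | at "$end"   # job runs as the scheduling user (root)
    fi
}
```

After granting, `sudo -l -U <user>` shows the effective rule, and `atq` lists the pending revocation.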