VMware

5 Replies Last post: Oct 27, 2009 12:12 PM by Texiwill  

SUDO Configuration posted: Sep 16, 2009 7:58 AM

Stuarty1874 (Enthusiast, 72 posts since Nov 13, 2007)

I need to configure SUDO to allow two sets of specific users to log-on to the Service Console.

They are ESX Server Administrator and ID Management.

I've got a handle on how I can allow the ESX Server Administrator access, but I'm unsure of how I give the minimum amounts of rights to the ID Administrator.

I'm thinking that the process I'd like to use for the ID Administrator is to only allow them to run a specific "UserAdd or UserRemove" bash script.

Can anyone offer any advice on how I should configure SUDO to allow the ID Administrator group to only run a specific script/scripts.

I'm looking to learn so I'll carry on doing some research in the meantime.

Any advice is much appreciated.

Thanks in advance.


Re: SUDO Configuration

1. Sep 20, 2009 2:17 PM in response to: Stuarty1874
Texiwill (Guru, 10,212 posts since Jan 13, 2004)
Hello,

Moved to the Security Forum. There are a couple of things you can do...

Defaults syslog=auth
Cmnd_Alias SHELLCMD=!/bin/*sh,!/usr/*/*sh,!/usr/*/*/*sh
Cmnd_Alias SUDOERS=!/bin/* /etc/sudoers*,!/usr/* /etc/sudoers*,!/usr/*/* /etc/sudoers*
Cmnd_Alias SUCMD=!/bin/su,!/bin/* /bin/su*,!/usr/* /bin/su*,!/usr/*/* /bin/su*
Cmnd_Alias USERCMD=/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod
Cmnd_Alias NOUSERCMD=!/usr/sbin/useradd,!/usr/sbin/userdel,!/usr/sbin/usermod
%wheel ALL=/*bin/*,/usr/*bin/*,SHELLCMD,SUDOERS,SUCMD,NOUSERCMD
idmgmt ALL=USERCMD

You can easily add in capabilities to allow idmgmt to manipulate groups as well. But these should work for you. Note that we have disabled su capability as well as the ability to edit sudoers for anyone in %wheel, mainly because su is not audited. You may need to allow visudo by someone to make the necessary changes.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast
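The original question asks how to limit the ID Management group to a single add/remove script rather than to useradd itself. The following wrapper is an added example, not Texiwill's config or anything else from the thread: a fixed-purpose POSIX sh script that a sudoers entry for the idmgmt group could point at. The install path /usr/local/sbin/idmgmt-useradd, the sudoers line quoted in the comment, and the reserved-name list are all assumptions.

```shell
#!/bin/sh
# Added example: a wrapper for useradd that an idmgmt sudoers entry can name
# instead of /usr/sbin/useradd, so no useradd options can be passed through sudo.
# Assumed sudoers line (hypothetical path):
#   %idmgmt ALL=(root) /usr/local/sbin/idmgmt-useradd
# The wrapper takes exactly one argument, validates it strictly, logs the
# calling user via syslog (auth facility, matching "Defaults syslog=auth"),
# and calls useradd with a fixed option set.

USERADD=/usr/sbin/useradd
# Constructed list of names this path must never create or touch.
RESERVED="root bin daemon adm sys"

# validate_username NAME -> 0 if NAME is an acceptable login name, 1 otherwise.
# Accepts 1-32 chars of [a-z0-9_-], not starting with a digit or '-'.
validate_username() {
    name=$1
    case "$name" in
        "" ) return 1 ;;
        *[!a-z0-9_-]* ) return 1 ;;   # any shell metacharacter, space, uppercase
        [0-9-]* ) return 1 ;;         # would be parsed as a number or an option
    esac
    [ "${#name}" -le 32 ] || return 1
    for r in $RESERVED; do
        [ "$name" = "$r" ] && return 1
    done
    return 0
}

# Entry point used when sudo executes the script.
idmgmt_useradd() {
    if [ $# -ne 1 ]; then
        echo "usage: $0 USERNAME" >&2
        return 2
    fi
    if ! validate_username "$1"; then
        logger -p auth.warning -t idmgmt-useradd "rejected request from ${SUDO_USER:-unknown}"
        echo "invalid username" >&2
        return 1
    fi
    logger -p auth.info -t idmgmt-useradd "${SUDO_USER:-unknown} creating user $1"
    # '--' ends option parsing; the name can no longer start with '-' anyway.
    "$USERADD" -m -s /bin/bash -- "$1"
}

# Run the entry point only when invoked under its installed name, not when sourced.
case "$0" in
    */idmgmt-useradd) idmgmt_useradd "$@" ;;
esac
```

Install the script root-owned and mode 0755 so idmgmt members cannot edit what sudo runs for them.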

Re: SUDO Configuration

3. Sep 28, 2009 11:15 AM in response to: Stuarty1874
Texiwill (Guru, 10,212 posts since Jan 13, 2004)
Hello,

Considering that ESX 3.5 does not understand noexec that may be difficult. Not sure about vSphere but I have a feeling it does.... Run sudo -V | grep "dummy exec" to determine if the support is compiled in. Remember NOEXEC may or may not protect you, it depends on how programs were compiled or not. It is not a cure all but will protect against shell escapes from things such as VI. So if it is there, I would use it.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Re: SUDO Configuration

4. Oct 27, 2009 7:56 AM in response to: Texiwill
mcrampton (Novice, 14 posts since Apr 23, 2009)
Hi Texiwill, can you point me to any documentation indicating noexec will not work on ESX 3.5? We have a meeting today regarding this and some security exploits in Unix and Linux OS's which it is supposed to fix. If I can provide documentation that it's not supported in ESX 3.5 it will go a long way towards making my life easier. Thanks.

Re: SUDO Configuration

5. Oct 27, 2009 12:12 PM in response to: mcrampton
Texiwill (Guru, 10,212 posts since Jan 13, 2004)
Hello,

On a stock 3.5 system the command 'sudo -V | grep "dummy exec"' returns a blank line. This implies that noexec is not supported within this version of sudo. Also, if you do a 'man sudoers' you will also find no reference to NOEXEC. Remember, 3.5 SC is really RHEL3 U8 and a 2.4 kernel. It is a bit old...

If you modify the stock 3.5 system to add your own sudo, you can get the noexec feature. Not something I really do.

Instead I would investigate the use of the hytrust appliance, or use the VIC as much as possible. That way the issue does not come up much.

NOEXEC for example can be used to prevent calls to shells from within VI, the way I do this is NOT allow VI or any editor to be used. Instead you copy the files, modify them, then copy them back in. There are quite a few ways to get what you need from sudo.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast
