On 08.07.2013 at 23:02, m.roth@5-cent.us wrote:
Tim Dunphy wrote:
Hello list,
I've been asked to give someone sudo rights across an entire environment without the benefit of something like puppet or chef or cfengine et al.
What I've come up with so far is this:
ssh -t miaprbicsra04v sudo -S /bin/echo "rsherman ALL=(ALL) NOPASSWD: /sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers
Bad admin. No coffee for you!
First, I would have listed the above as
ssh -t <whatsit> sudo -S /bin/echo "<username> ALL=(ALL) NOPASSWD: /sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers
Since doing what you did just told the world a username that they can try to break in with.
Second, sudoers should ALWAYS be edited with visudo, and you might do a here script....
<snip>
Also check 'man sudoers' for 'Including other files from within sudoers'.
Placing an add-on file without touching the dist files too much is my suggested best practice.
-- LF
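
The add-on file approach suggested in the last reply, as an added example (not code from the thread): it renders the rule, checks it with `visudo -cf`, and only then renames it into `/etc/sudoers.d`. The function names, the `SUDOERS_DIR` and `SUDOERS_CHECK` variables and the user `alice` are assumptions; it also assumes `/etc/sudoers` already includes that directory, and it separates the commands with commas, as a sudoers command list requires.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: render_rule,
# install_rule, SUDOERS_DIR, SUDOERS_CHECK, and the sample user "alice".
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"   # assumed to be included by /etc/sudoers
SUDOERS_CHECK="${SUDOERS_CHECK:-visudo -cf}"   # syntax check run before install

# Print "<user> ALL=(ALL) NOPASSWD: cmd1, cmd2, ..." or fail on unsafe input.
render_rule() {
    [ $# -ge 2 ] || { echo "usage: render_rule USER CMD..." >&2; return 1; }
    user=$1; shift
    case $user in
        ''|-*|*[!a-z0-9_-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    list=
    for cmd in "$@"; do
        # Absolute paths only; no spaces, commas or wildcards that would
        # change the meaning of the rule.
        case $cmd in
            /*) ;;
            *) echo "not an absolute path: $cmd" >&2; return 1 ;;
        esac
        case $cmd in
            *[!A-Za-z0-9/_.-]*) echo "unsafe characters: $cmd" >&2; return 1 ;;
        esac
        list=${list:+$list, }$cmd
    done
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$list"
}

# Write the rule to a dot-named temp file (sudo skips names containing "."),
# validate it, then rename it into place. Run as root on the target host.
install_rule() {
    tmp=$(mktemp "$SUDOERS_DIR/.rule.XXXXXX") || return 1
    if render_rule "$@" > "$tmp" && $SUDOERS_CHECK "$tmp" >/dev/null; then
        chmod 0440 "$tmp" && mv -f "$tmp" "$SUDOERS_DIR/$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Preview only: prints the rule for the four commands from the thread.
render_rule alice /sbin/service /bin/rm /usr/bin/du /bin/df
```

A rule that fails the check never reaches a file name sudo reads, so a syntax error cannot lock out sudo on the host.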