[CentOS] change sudoers remotely

Leon Fauster leonfauster at googlemail.com
Mon Jul 8 21:21:06 UTC 2013


Am 08.07.2013 um 23:02 schrieb m.roth at 5-cent.us:
> Tim Dunphy wrote:
>> hello list,
>> 
>> I've been asked to give someone sudo rights across an entire environment
>> without the benefit of something like puppet or chef or cfengine et al.
>> 
>> What I've come up with so far is this:
>> 
>> ssh -t miaprbicsra04v sudo -S /bin/echo "rsherman ALL=\(ALL\) NOPASSWD:
>> /sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers
> 
> Bad admin. No coffee for you!
> 
> First, I would have listed the above as
>> ssh -t <whatsit> sudo -S /bin/echo "<username> ALL=\(ALL\) NOPASSWD:
>> /sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers
> 
> Since doing what you did just told the world a username that they can try
> to break in with.
> 
> Second, sudoers should ALWAYS be edited with visudo, and you might do a
> here script....
> <snip>



also check 'man sudoers' for 'Including other files from within sudoers'

placing an add-on file without touching the dist files to much is my suggested best practice.

--
LF





More information about the CentOS mailing list