yahoo-eng-team team mailing list archive

[Bug 1771468] [NEW] Allow a way to explicitly disable sudo for a user

 

Public bug reported:

Whilst building out a new set of AWS AMIs I have a need to explicitly
deny `sudo` access to a subset of users. We are using `cloud-init` for
the management of these user resources via the users and groups
module[1]. 

By default, `cloud-init` doesn't assign `sudo` permissions to a user if
you leave it out of the `users` dictionary[2]. This is a great start
however it does mean that we're relying on an external tool (and their
maintainers) for what they think is a suitable default. While we are
aligned now, there is a possibility in the future that this may change
and leave us in a position where we are inadvertently assigning `sudo`
to users that we may not wish to. Fingers crossed our test suite would
cover this happening however I'd prefer a belt and braces approach for
more confidence.

Based on the above, I'd like to propose that providing `sudo: False` in
the user dictionary would prevent the user from ever gaining elevated
permissions.

If I've dug into this correctly, I think this would be a relatively easy
feature to implement. It would involve updating
`cloudinit/distros/__init__.py#L534` to be the following:

```
# Configure sudo access
if 'sudo' in kwargs and kwargs['sudo'] is not False:
  self.write_sudo_rules(name, kwargs['sudo'])
```

From my testing this _should_ be enough but open to hear other options.

[1]: http://cloudinit.readthedocs.io/en/latest/topics/modules.html#users-and-groups
[2]: https://github.com/cloud-init/cloud-init/blob/b27f713ae5b4c5b38eda63758dbaeab92be13b9d/cloudinit/config/cc_users_groups.py#L57

** Affects: cloud-init
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1771468
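
An added illustration of the guard proposed in the report above (not part of the original report and not cloud-init code): since `is not False` is an identity check, only the boolean `False` skips the rule write, so a pre-flight check can flag denied users whose entry is implicit or merely looks like a deny. The `audit_users` helper, the `LOOKALIKES` list and the sample user entries are assumptions constructed for this example.

```python
# Added example: models the guard proposed in the report; this is not cloud-init code.

def guard_writes_rules(user_cfg):
    """True when the proposed guard would go on to call write_sudo_rules()."""
    return 'sudo' in user_cfg and user_cfg['sudo'] is not False

# Values that read as "no sudo" but are not the boolean False (constructed list).
LOOKALIKES = (None, 0, '', 'False', 'false')

def audit_users(users, deny):
    """Return (name, finding) for each user in `deny` lacking an explicit sudo: False."""
    findings = []
    for cfg in users:
        name = cfg.get('name')
        if name not in deny:
            continue
        if 'sudo' not in cfg:
            findings.append((name, 'no sudo key: relies on the default'))
        elif cfg['sudo'] is False:
            continue  # explicit deny, the only value the guard skips
        elif cfg['sudo'] in LOOKALIKES:
            findings.append((name, 'value %r is not False: guard passes it on'
                             % (cfg['sudo'],)))
        else:
            findings.append((name, 'sudo rule configured'))
    return findings

# Constructed sample: user entries as they would look after the YAML is parsed.
SAMPLE_USERS = [
    {'name': 'deploy', 'sudo': 'ALL=(ALL) NOPASSWD:ALL'},
    {'name': 'audit', 'sudo': False},
    {'name': 'batch'},
    {'name': 'report', 'sudo': 'False'},  # quoted in YAML, so a string
    {'name': 'guest', 'sudo': None},      # key present but empty
]
DENY = {'audit', 'batch', 'report', 'guest'}

if __name__ == '__main__':
    for cfg in SAMPLE_USERS:
        state = 'writes rules' if guard_writes_rules(cfg) else 'no rules'
        print(cfg['name'], state)
    for name, finding in audit_users(SAMPLE_USERS, DENY):
        print('FINDING', name, finding)
```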
