2

I have read on the internet that you have to use sudoedit instead of sudo vim. I understand why this is and should be used so you can't just edit root-user files.

However, I would like to manage a nologin user (a service account that runs a single application), let's call her 'nologinuser', with my own non-root account. For this I would need the correct rights in the sudoers file.

I have been in discussion with 2 Linux system managers and both disagree.

Linux admin A says: you should create a sudoedit rule for every config file and a sudo rule for every command.

Linux admin B says: Just create a sudo rule that allows you to read/write/execute everything as that user with "sudo -u nologinuser *"

Personally I agree with admin B because with "sudo -u nologinuser " you can execute every command as that user only, and through this command you also inherit that user's rights because you execute it as that user. This would also not cause a security issue in the ability of changing root-user files because nothing is done as root and it is most flexible.

Who is right, or is there a third better option? Who can tell me the best practice in this? What is the best way to manage a nologin application user as non-root?

Thank you.

C-3Pi-O

1 Answer

1

It depends on what your exact needs are.

  • Solution A: This is the preferred one when executing commands as a privileged user (maybe root, maybe another account which has more privileges than a standard user). This allows defining a policy describing the exact actions to be allowed, so that this access cannot be abused by the unprivileged user (either maliciously or mistakenly).

  • Solution B: In terms of privileges it is strictly equivalent to providing you an interactive shell as nologinuser (with a better audit and password management than actually giving you the target account password).

As per your message, I have the impression that there doesn't seem to be any real problem in handing you a shell as nologinuser; flexibility, however, might be an issue (you don't want to have to call the admin each time you want a new command, option or file added to the sudoers file), and your main concern is that no action should be done as root.

If my understanding of your message is correct, I would go for the solution B.

You are right in your conclusion that allowing user_1 to execute commands as user_2 using sudo does not provide any root privileges to user_1, either directly or indirectly.

People often have the wrong impression that sudo provides super-powers. While its most common use is indeed to run commands as root, it can also be used with the reverse effect to decrease the privileges of a command.

Personally I often use sudo to execute a command as a lower-privileged user (a daemon, a file-transfer utility, etc.). In such cases there is no point in restricting the executable commands, just define which users can run commands as this nologinuser and under which conditions (password required or not, environment variables to keep, etc.) and you will be fine.

WhiteWinterWolf
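The two approaches discussed above, written out as a sudoers drop-in. This is an added example, not part of the question or the answer; the account name `alice`, the paths under `/opt/app` and the variable `APP_HOME` are assumptions made for illustration.

```sudoers
# /etc/sudoers.d/nologinuser  (hypothetical file name)
# Edit with: visudo -f /etc/sudoers.d/nologinuser
# so that a syntax error is caught before the file is installed.

# --- Solution B: any command, but only as nologinuser -------------------
# The Runas spec in parentheses is what confines the rule: alice can pass
# "-u nologinuser" and nothing else, so no command ever runs as root.
alice ALL=(nologinuser) ALL

# Conditions attached to the target account rather than to the commands.
# Defaults>user applies whenever the command is run as that user.
Defaults>nologinuser env_reset
Defaults>nologinuser env_keep += "APP_HOME"   # APP_HOME is a made-up variable

# Variant without a password prompt (use one form or the other):
# alice ALL=(nologinuser) NOPASSWD: ALL

# --- Solution A: one rule per command and per config file ---------------
# Shown commented out. This is the form to use when the target account has
# MORE privileges than alice and the exact actions have to be enumerated.
# Cmnd_Alias APP_CMDS = /opt/app/bin/appctl status, \
#                       /opt/app/bin/appctl restart
# alice ALL=(nologinuser) APP_CMDS
# alice ALL=(nologinuser) sudoedit /opt/app/etc/app.conf

# Usage as alice under Solution B:
#   sudo -u nologinuser /opt/app/bin/appctl status
#   sudo -u nologinuser -s    # shell taken from alice's own $SHELL
#   sudoedit -u nologinuser /opt/app/etc/app.conf
# "sudo -i -u nologinuser" starts the target account's login shell, which
# for a nologin account is the nologin program, so it exits immediately.
```

`sudo -l -U alice`, run as root, prints the rules that apply to alice and confirms that every entry is limited to the `nologinuser` Runas target.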