How can I use docker without sudo?

Question

spyderdyne

Asked: 2016-05-11 14:38:35 +0800 CST2016-05-11 14:38:35 +0800 CST 2016-05-11 14:38:35 +0800 CST

Editing /etc/sudoers to allow Winbind Group members to Only sudo to 1 Local User

772

I have multiple Ubuntu Linux hosts that need to connect to Active Directory for user management (unfortunately an actual LDAP server was not an option here...) and have configured Winbind to handle authentication, and my %sudoers group entry works fine:

## Allow AD members of the service group restricted user access to that account
%sudoers ALL=(ALL:ALL) NOPASSWD:ALL

I have allowed password authentication in the ssh config and have added the following entry to my sudoers file for the account:

%service ALL=(service:service) NOPASSWD:ALL

This doesn't even find the group even though the sudoers group and the service groups are at the same level in the directory tree on the AD server. When I do this:

%domain.local\\service ALL=(ALL:ALL) NOPASSWD:ALL

...members of the service group are able to log in and have full sudo rights, including root which is unacceptable, and already covered by the sudoers group and entry. Alternatively when I do this:

%domain.local\\service ALL=(service:service) NOPASSWD:ALL

...members are unable to sudo to any user. As for the service user, here is the /etc/passwd entry for the service user:

service:x:1001:16777230::/opt/service:/bin/bash

Per the Sudoers Man Page this last entry should probably work, but for some reason it doesn't. Also, the %service should also probably cover both local and AD provided membership but it doesn't seem to. When I create this user since there is already a group in the directory server named service here is how I am creating the service user account:

useradd -d /opt/service -g service service

Here is the output of sudo -l for a member of the group:

[user.test@server ~]$ sudo -l
Matching Defaults entries for user.test on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user.test may run the following commands on this host:
    (service : service) NOPASSWD: /opt/service

What am i missing here?

1 Answers

Voted

spyderdyne · Answer 1 · 2016-05-12T10:21:36+08:00

Best Answer

spyderdyne

2016-05-12T10:21:36+08:002016-05-12T10:21:36+08:00

I found the solution. We needed to set the login shell and path to the sudoers entry for the service user's home like so:

%domain.local\\service ALL=(service) NOPASSWD:/bin/bash, /opt/service/*

Now we are able to enter the following to become the service user:

$ sudo -i -u service
$ whoami
service
$ pwd
/opt/service

1

Editing /etc/sudoers to allow Winbind Group members to Only sudo to 1 Local User

How to install Google Chrome

Is there a command to list all users? Also to add, delete, modify users, in the terminal?

How to delete a non-empty directory in Terminal?

How to unzip a zip file from the Terminal?

How can I copy the contents of a folder to another folder in a different directory using terminal?

How do I install a .deb file via the command line?

How do I run .sh scripts?

How do I install a .tar.gz (or .tar.bz2) file?

How to list all installed packages

Unable to lock the administration directory (/var/lib/dpkg/) is another process using it?