Setting Up SUDOers

Note: SUDOers LDAP is an add-on feature

To enable this feature, contact us at [email protected] or via the Intercom chat

Foxpass allows you to manage your SUDOer configuration through our LDAP interface. By default, Foxpass lets certain users use sudo on hosts. With this feature, you can restrict or allow specific sudo commands and options for users or groups on your hosts.

An LDAP SUDOer entry consists of 7 different attributes:

  1. Which users (or groups) the rules apply to
  2. Which hosts the rules apply to
  3. What commands can or cannot be run
  4. Any environment specific options
  5. Any users or groups that commands are allowed or prohibited to "run as"
  6. An optional start or end time when the entry is valid
  7. An 'order' value which establishes which entries take precedence if they have conflicting rules

To read more about SUDOers and the differences between a regular SUDOers configuration and an LDAP configuration, check out the links below:
https://www.sudo.ws/man/1.8.17/sudoers.man.html
https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html

Differences between a regular SUDOers file and LDAP SUDOers

The biggest difference between a regular SUDOers file and an LDAP SUDOers entry is that order isn't guaranteed in LDAP. Order can be achieved in LDAP by specifying an 'order' value. Order is 0 by default, and higher numbers take precedence.

Additionally, there is a 'Defaults' section for default options; any variables set there apply globally to all users.

1. Set Up SUDOer Defaults

Enter any default sudo options you would like to apply globally in the 'SUDOer Default' section.
Here's a list of some common options:
https://www.sudo.ws/man/1.8.17/sudoers.man.html#SUDOERS_OPTIONS

(Image: SUDOer defaults)

For instance, the defaults pictured above will allow all those with sudo access to run commands without using a password.

2. Create a SUDOer entry

Create an entry and give it a name. At a minimum, every SUDOer entry must specify one or more users (or groups), the hosts the entry applies to, and the commands that can be run. If you remove every value of one of these types, that field defaults to 'ALL'.

Note: SUDOer Entries are static, not dynamic

This means that if you change a user or group name in Foxpass, you will have to manually update the SUDOer entry.

(Image: Default SUDOer entry)

3. Configure the entry

Configure the SUDOer entry by adding values to the different fields. Marking a value as disabled is the equivalent of adding a "!" to the front of that value in a sudoers file.

For complex values, such as options, be sure to enter the entire string. For example, to preserve the SSH_AUTH_SOCK variable, enter 'env_keep+=SSH_AUTH_SOCK'.

(Image: SUDOer entry)

The entry pictured above will allow all members of the "security" group, except for the user "richard", to run the ls and cd commands on any host.
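As an added example (not taken from the Foxpass page or its UI), this is what the seven attributes listed at the top of the page, the defaults from step 1 and the entry from step 3 look like as sudoRole entries in the sudoers LDAP schema that sudo reads. The base DN, the entry names, the run-as user, the dates and the specific default option are assumptions.

```ldif
# Added example: sudoRole entries in the sudoers LDAP schema.
# Assumed: the base DN "ou=SUDOers,dc=example,dc=com", the entry names and
# the dates are placeholders; Foxpass stores the entries, sudo only reads them.

# Step 1: global defaults. sudo looks for the sudoRole entry named "defaults".
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
# Assumed option: "!authenticate" gives the no-password behaviour step 1 describes
# (the same as "Defaults !authenticate" in a sudoers file).
sudoOption: !authenticate

# Step 3: members of "security", except richard, may run ls on any host.
dn: cn=security-ls,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: security-ls
# Attribute 1: users or groups. "%" marks a group; the disabled flag becomes a "!" prefix.
sudoUser: %security
sudoUser: !richard
# Attribute 2: hosts ("ALL" is what an empty field falls back to).
sudoHost: ALL
# Attribute 3: commands, as full paths. cd is a shell builtin with no executable,
# so only ls can be listed here.
sudoCommand: /bin/ls
# Attribute 4: options. The whole string is the value, as step 3 describes.
sudoOption: env_keep+=SSH_AUTH_SOCK
# Attribute 5: who the commands may run as (assumed: root).
sudoRunAsUser: root
# Attribute 6: validity window in UTC generalized-time format (placeholder dates).
# sudo honours these only when built with time-stamp support for sudoers.
sudoNotBefore: 20240101000000Z
sudoNotAfter: 20241231235959Z
# Attribute 7: precedence when entries conflict (0 by default, higher wins).
sudoOrder: 10
```

Because sudoUser entries are matched by name, renaming the "security" group or the "richard" user in Foxpass leaves these values pointing at the old names, which is the static-entry caveat noted in step 2.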

4. Test it out

Set up one of your hosts to use our SUDOer option by following the instructions for your operating system at Setting Up SUDOers on Ubuntu or Setting Up SUDOers on CentOS.