There are several sudo-like tools (calife, op, super, …) — see How do I run a command as the system administrator (root) — but you could spend your life on unix systems without encountering them (they've all been displaced by sudo). In practice, if you need to call scripts as root, either arrange for all your machines to have passwordless sudo, or to allow ssh logins as root. There's not much of a security difference between the two: either way, the script must have all the credentials necessary to reach the root account.
If you only want your scripts to be able to execute specific commands, use specific entries for these commands in /etc/sudoers, or specific keys with a command= line in ~root/.ssh/authorized_keys.
You can specify the allowed commands with sudo; you don't have to allow unlimited access, e.g.
username ALL = NOPASSWD: /usr/bin/apt-get, /usr/bin/aptitude
This would allow username to run sudo apt-get and sudo aptitude without any password, but would not allow any other commands.
You can also use PackageKit combined with PolicyKit for finer-grained control than sudo gives you.
Allowing users to install/remove packages can be a risk. They can pretty easily render a system nonfunctional just by uninstalling necessary software like libc6, dpkg, rpm etc. Installing arbitrary software from the defined archives may allow attackers to install outdated or exploitable software and gain root access. The main question in my opinion is how much do you trust your employees?
Of course your admin team could also start using a configuration management system like Puppet or Chef, or look into Spacewalk, to manage your systems. This would allow them to configure and manage the systems from a central place.
Best Answer
Solution
groupadd -r updaters
The -r option reserves a system group, i.e. 0 - 100.
useradd -G updaters john, useradd -G updaters sally. You can also use the user alias section to achieve this. See Sudoer File Examples for a fully functioning User Alias Section. In my opinion, doing it the way I've done adds security, as the group actually exists in the system.
Cmnd_Alias UPDATE_CMDS = /usr/bin/aptitude, /usr/bin/dpkg, /usr/bin/apt-get up*, /usr/bin/apt-get install
dpkg is needed for apt-get. See AskUbuntu: Adding apt-get to sudoers file.
apt-get update and apt-get upgrade are both needed. Using a glob pattern achieves both.
aptitude may be used to replace apt-get if the dpkg behavior noted above is undesired. If you don't want users in the updaters group to install off the internet with a mouse click...
Now we must add our updates into our sudoers file. Issue:
visudo
and:
The default sudoers file from Ubuntu (with adds from above):
If you decide to add unattended-upgrade, read the Debian Documentation on it, and use which unattended-upgrade to determine the path to add it to UPDATE_CMDS. See Problem Section.
Update
After even more research, I ran across a Blogpost: Everything you need to know about conffiles: configuration files managed by dpkg. The problem is not in apt variants; the problem is in the underlying dpkg implementation. Quoting:
Knowing this, as the blog points out, we can create /etc/apt/apt.conf.d/local, and add (example):
This should then bypass the Z option altogether.
Problem
Unattended Upgrades are usually a bad idea, because the OS may install items that were unexpected, for example new kernels, or updated drivers that will break a functioning driver, added to the idea that you're giving the option to a user. The other issue here is that since apt-get uses argument passing to decide which option to perform, one must pass each desired option in the Command Alias created. By adding each argument separately, we remove the ability to use the dist-upgrade argument. Like you, I assumed one could not pass an argument in the sudoers file, and while researching I, too, learned something new.
References
nixCraft - Howto: Linux Add User To Group
Aptitude - Ubuntu Documentation
Ubuntu Forums - Thread: HowTO: Sudoers Configuration
Ubuntu Documentation - Installing Software
AskUbuntu - What is the difference between apt-get update and upgrade?
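Two of the answers above restrict what a script may run as root: the first one via a command= line in ~root/.ssh/authorized_keys, the accepted one via a sudoers Cmnd_Alias that includes the wildcard entry /usr/bin/apt-get up*. The script below is an added example, not code from any of the answers, showing the forced-command wrapper the first answer alludes to, and contrasting an exact-string allowlist with the wildcard style used in the accepted answer. The install path /usr/local/sbin/apt-wrapper and the key comment are assumptions; the matching behaviour it models is the one documented in sudoers(5), which matches command-line arguments as a single space-separated string so that a '*' runs across word boundaries.

```sh
#!/bin/sh
# Added example: a forced-command wrapper for a restricted root ssh key.
# Install as /usr/local/sbin/apt-wrapper (hypothetical path) and pin the key
# in ~root/.ssh/authorized_keys to it:
#   command="/usr/local/sbin/apt-wrapper --serve",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... updater
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND; the
# wrapper runs it only if it matches an allowlist entry exactly.

# allow_exact: status 0 if the command string is allowlisted, 1 otherwise.
# Every pattern is a fully quoted literal, so nothing can widen the match.
allow_exact() {
    case "$1" in
        "apt-get update" | "apt-get upgrade") return 0 ;;
        *) return 1 ;;
    esac
}

# allow_glob: models the sudoers entry "/usr/bin/apt-get up*". sudo matches
# the argument list as one space-separated string, so '*' also swallows any
# extra options the caller appends; the shell glob here behaves the same way.
allow_glob() {
    case "$1" in
        "apt-get up"*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_forced_command: executes an allowlisted command with a fixed argv
# (client input is never word-split into an exec), denies everything else.
run_forced_command() {
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    if ! allow_exact "$cmd"; then
        printf 'denied: %s\n' "${cmd:-<no command>}" >&2
        exit 1
    fi
    case "$cmd" in
        "apt-get update")  exec /usr/bin/apt-get update ;;
        "apt-get upgrade") exec /usr/bin/apt-get upgrade ;;
    esac
}

# Act as the forced command only when invoked with --serve (as in the
# authorized_keys line above); running the file bare just defines the functions.
if [ "${1:-}" = "--serve" ]; then
    run_forced_command
fi
```

The reason the exact list matters is visible in the contrast: allow_glob accepts "apt-get update -o APT::Update::Pre-Invoke::=/bin/sh" just as readily as "apt-get update", and apt-get's -o option lets the caller set hooks of exactly that kind, so a wildcard that lets -o through hands out a root shell. The same applies to the sudoers line it models; if wildcards are unavoidable there, spell out each full argument string instead and accept that dist-upgrade needs its own entry, as the accepted answer notes.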