From 11deb714b9dcaffa438ca7ba1e6844e9db42471d Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Thu, 31 Dec 2020 17:01:47 +0100 Subject: [PATCH] Optimized security with administrator user --- roles/native-sudo/templates/sudoers | 2 +- roles/native-user-administrator/Readme.md | 2 +- roles/native-user-administrator/files/administrator.conf | 2 ++ roles/native-user-administrator/tasks/main.yml | 6 +++--- roles/system-security/meta/main.yml | 1 + 5 files changed, 8 insertions(+), 5 deletions(-) create mode 100644 roles/native-user-administrator/files/administrator.conf diff --git a/roles/native-sudo/templates/sudoers b/roles/native-sudo/templates/sudoers index 2b5cf0a1..6613f879 100755 --- a/roles/native-sudo/templates/sudoers +++ b/roles/native-sudo/templates/sudoers @@ -85,7 +85,7 @@ root ALL=(ALL) ALL # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command -%sudo ALL=(ALL) ALL +# %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). diff --git a/roles/native-user-administrator/Readme.md b/roles/native-user-administrator/Readme.md index 17fbdcbb..aff009ca 100644 --- a/roles/native-user-administrator/Readme.md +++ b/roles/native-user-administrator/Readme.md @@ -1,4 +1,4 @@ # Role Administrator This role creates an standard administrator user. +This user needs to type in his password before executing sudo. For security reasons it's recommended to use this user instead of the standard root user. -Please consider the concerns in this article https://unix.stackexchange.com/questions/92123/rsync-all-files-of-remote-machine-over-ssh-without-root-user. diff --git a/roles/native-user-administrator/files/administrator.conf b/roles/native-user-administrator/files/administrator.conf new file mode 100644 index 00000000..d25ccd6c --- /dev/null +++ b/roles/native-user-administrator/files/administrator.conf @@ -0,0 +1,2 @@ +Defaults targetpw +administrator ALL=(ALL) ALL diff --git a/roles/native-user-administrator/tasks/main.yml b/roles/native-user-administrator/tasks/main.yml index 4a7098fc..6eea1ee5 100644 --- a/roles/native-user-administrator/tasks/main.yml +++ b/roles/native-user-administrator/tasks/main.yml @@ -14,7 +14,7 @@ group: administrator mode: '0644' -- name: grant administrator sudo rights without password +- name: grant administrator sudo rights with password copy: - content: '%administrator ALL=(ALL) NOPASSWD: ALL' - dest: /etc/sudoers.d/administrator + src: "administrator.conf" + dest: /etc/sudoers.d/administrator.conf diff --git a/roles/system-security/meta/main.yml b/roles/system-security/meta/main.yml index 21d8092b..2da3a1df 100644 --- a/roles/system-security/meta/main.yml +++ b/roles/system-security/meta/main.yml @@ -1,3 +1,4 @@ dependencies: - native-ssh - native-user-alarm +- native-user-administrator