Sometimes you need to have root access to a server or an application without entering a password.

Think about examples like automatically executing scripts that require sudo permission to run or perhaps you need to install several additional packages and make some changes in configuration files.

It is a lot more convenient if you do not have to enter a password every time at an interactive prompt.

Of course you could give every user the root password instead, but this way no logs will be created when a user performs an operation that requires sudo access.

Therefore, no one can be held accountable if a functionality on the server or app stops working or if a user creates a security issue by lifting security boundaries.

The benefit of having multiple users on the server is that you can have your own home directory for example and it allows you to later revoke the sudo access again.

You can use the co_paswordless_sudo parameter to give all users in your collaborative organisation sudo permissions without entering a password. 


Prerequisites

For now, this parameter only works with CentOS and Ubuntu so if you would like use this functionality, make sure the application uses one of these operating systems.

Security warning

Although giving everyone root level access is convenient practice, it certainly comes with some dangers.

Please be aware that by enabling this parameter, you allow other users on the workspace to read and modify your (perhaps personal and classified) information.

This is fine if no sensitive information is stored on the workspace or maybe if you just want to fully test an application quickly yourself, however make sure your workspace is properly secured against unwanted external access.

If the workspace is compromised, there is no obstacle in the way for an attacker to fully gain control of your workspace.

How the parameter works

When you set the value of the the parameter co_passwordless_sudo to "True" our system creates the file /etc/sudoers.d/sudoers on the underlaying server of your application. Next, a line will be added to the file that gives sudo access to all users in the sudoers group. This access works without a password. 

Then all users are added to the sudoers group. Finally, users are removed from the "wheel" group, to prevent conflict with de parameter co_roles_enable.

When you toggle the co_passwordless_sudo parameter to "False", all users will be removed from this group if they were member of this group before. The default value for this parameter is "False". This means that if you do not set this value, the users will not have passwordless root access by default.


This does not imply that users will not have sudo privileges at all, since the co_roles_enable parameter can still give all users sudo rights (by entering their password) if it is set to "False".

If you would like to know where you can set parameters, please visit this guide: Using parameters.



  • No labels