Help:Sudo policies

From Wikitech
(Redirected from Help:Sudo Policies)
Jump to navigation Jump to search
Please help improve the content of this page: https://phabricator.wikimedia.org/T233669

This page describes policies for using sudo on Cloud VPS.

Overview

Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. In the context of Cloud VPS, a sudo policy is a set of rules to limit the usage of the sudo command within instances of a project. It can be used to specifically limit some users.

Add yourself as a sudoer

When you attempt to run a sudo command, e.g. sudo su, you may get the response username is not allowed to run sudo on instance-name. This incident will be reported. If you don't require restricting access on the project, and you're a projectadmin, then you can add yourself as a sudoer via https://horizon.wikimedia.org.

  1. Click on Access > Project Sudo for a given project
  2. Click on Add Rule OR Modify Rule to change an existing sudoers rule set
    • Rule Name - enter whatever you’d like, e.g., “default”
    • Commands - enter ALL into the textfield or add more complex sudoers rules
    • Options - leave it blank
    • Users - check specific user(s) or the special [Any project member] value

Changes take effect immediately.

After logging in to your instance, test sudo by typing sudo echo 'it works'. If "it works" is echoed back to you, then you will retain sudo access for the remainder of your session.

Note that passwordless sudo access is now enabled. If you are prompted for a password do not enter your Developer account/Wikitech password. The password prompt is a sign that the instance you are using is having difficulty communicating with the LDAP directory server.

Workaround for sudo -u

Some installation guides (notably for the OSM tile server) ask you to run "sudo -u someuser" commands.

These commands will fail with "Sorry, user X is not allowed to execute 'Y' as someuser on Z.eqiad1.wikimedia.cloud"

The workaround is to first run: sudo su && su someuser

Then run the next command normally.

An alternate solution is to run the sudo under sudo!

$ sudo -u www-data whoami
[sudo] password for bd808: ^C
$ sudo -- sudo -u www-data whoami
www-data

Why does this work? The first sudo changes your effective user id to 0 (root). Then the second sudo is executed which changes the effective user id again and then executes the desired command.


Communication and support

Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:

Discuss and receive general support
Stay aware of critical changes and plans
Track work tasks and report bugs

Use a subproject of the #Cloud-Services Phabricator project to track confirmed bug reports and feature requests about the Cloud Services infrastructure itself

Read stories and WMCS blog posts

Read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog)