
Sudo configures only wheel, not all login groups #3407

Closed
kevemueller opened this issue Apr 12, 2019 · 7 comments
Labels: feature (Adding new functionality)
@kevemueller

[x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

[x] I have searched the existing issues and I'm convinced that mine is new.

Describe the bug
System/Settings/Administration/Secure Shell/Login Group allows specifying the groups that are allowed to log on to the shell.
System/Settings/Administration/Authentication/Sudo allows specifying sudo usage for administrators with shell access.
The Sudo setting only templates %wheel into the sudoers file, not all groups that are allowed to log in.

To Reproduce
Steps to reproduce the behavior:

  1. Create a group in System/Access/Groups
  2. Create a user in System/Access/Users belonging to this group
  3. Allow wheel and the group created in 1 to log on with SSH in System/Settings/Administration/Secure Shell/Login Group
  4. Permit Sudo in System/Settings/Administration/Authentication/Sudo
  5. Log on via SSH with the user created in 2 and perform sudo

The sudo fails, as /usr/local/etc/sudoers only contains wheel.

Expected behavior
Based on the description

Permit sudo usage for administrators with shell access.

One would expect that all groups allowed shell access would be enabled by this switch.
As this is a security related aspect, any expectation should match reality.
Possible ways to fix:

  • Fix the description, specify that only wheel will be granted access.
  • Fix the description, all groups with shell access will be granted access and fix the templating to include the additional groups.
  • Fix the combo and present a selectable dropdown of logon enabled groups, allowing the inclusion of a subset into the sudo group, fix the templating to include the selected ones. Password/No password shall become an additional flag. Adjust the descriptions accordingly.
  • Prepare a complex screen with all aspects of sudo editing...

I propose second or third option. If somebody has a use case of allowing additional logon groups, that probably extends to sudo usage as well.

Environment
OPNsense 19.1.5_1 (amd64/OpenSSL)

@fichtner (Member)

One would expect that all groups allowed shell access would be enabled by this switch.

Maybe the confusion is between "shell access" and "shell assigned"? This indeed changed when we started adding shell selection which previously was only for administrators, hence the wheel group attachment.

Other components allow specifying an arbitrary group as well. Should we do the same for sudo?

Cheers,
Franco

@fichtner fichtner self-assigned this Apr 12, 2019
@fichtner fichtner added the feature Adding new functionality label Apr 12, 2019
@fichtner fichtner added this to the 19.7 milestone Apr 12, 2019
@fichtner (Member)

(I'm not comfortable with giving all shell-enabled users sudo capabilities.)

@kevemueller (Author)

Hi Franco, lightning fast as always. ;)
Your last comment rules out option 2, that would leave option 3.
Why arbitrary groups? Do you have a use case for e.g. plugins requiring sudo? If so, is that something you would want to expose in this place as an editable option?
Worse than sudo for everybody is sudo without specifying a command and NOPASSWD. But that would lead to proposed solution 4 and increase the complexity of the fix which is not really core functionality of opnsense.
I trust your judgment on this.

Cheers,
Keve

@fichtner (Member)

Ah ok you mean latching on to "Login Group" in secure shell access? That would work requiring a small text change as well for the sudo help label: Permit sudo usage for administrators with secure shell access. Do you agree? :)

@kevemueller (Author)

Yes, option 2 would take the entries to template from the SSH Login Group, and indeed the help text would read

Permit sudo usage for administrators with secure shell access specified by Login Group above.

Option 3 is to have a new dropdown with selectable groups. The selected groups would be allowed sudo. Accompanying this dropdown would be the tickmark for NOPASSWD.
Proposed help text:

Permit sudo usage for selected groups.

Sorry, but I was not thinking into the direction of considering sudo for groups without shell access.

@fichtner (Member)

Ok, good. The tiny side effect is that sudo works for console login users as well which can have a shell but not necessarily run through SSH. A little rough around the edges the whole shell and sudo interplay, but I think option 2 would fit neatly.

@fichtner (Member)

fichtner commented May 4, 2019

@kevemueller due to concerns of security I'm going for loosely coupled. You will find a second option for sudo where you can add an additional group to the sudoers much like SSH Login Group. It is to prevent footshooting in behavioural changes when this is deployed because if we latch on to another setting we might make the whole system less secure by updating.
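To make the mismatch in this thread concrete, here is an added example (not OPNsense's own templating code): a hypothetical `render_sudoers` that follows the loosely coupled design above (wheel is always present, any further sudo group must be configured explicitly, NOPASSWD is a separate flag), plus a check that lists which SSH login groups a rendered sudoers file does not cover, which is exactly the situation the reporter hit.

```python
"""Added example, not part of the OPNsense code base.

render_sudoers() models the loosely coupled design from the thread: %wheel is
always emitted, additional sudo groups are an explicit setting, and NOPASSWD is
an independent flag. login_groups_without_sudo() reproduces the original
report: a group may be allowed to log in over SSH yet have no sudoers entry.
"""
import re
from typing import Iterable, List, Set

GROUP_NAME = re.compile(r"[a-z_][a-z0-9_-]*")


def render_sudoers(sudo_groups: Iterable[str], nopasswd: bool = False) -> str:
    """Render one '%group ALL=(ALL) ALL' line per group, wheel first, no dupes."""
    lines: List[str] = []
    seen: Set[str] = set()
    for group in ["wheel", *sudo_groups]:
        if not GROUP_NAME.fullmatch(group):
            # Refuse anything that could smuggle extra directives into the file.
            raise ValueError(f"invalid group name: {group!r}")
        if group in seen:
            continue
        seen.add(group)
        tag = "NOPASSWD: " if nopasswd else ""
        lines.append(f"%{group} ALL=(ALL) {tag}ALL")
    return "\n".join(lines) + "\n"


def sudoers_groups(sudoers_text: str) -> Set[str]:
    """Return the group names that have a '%group host=(...)' rule in the text."""
    groups: Set[str] = set()
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = re.match(r"%(\S+)\s+\S+=", line)
        if match:
            groups.add(match.group(1))
    return groups


def login_groups_without_sudo(login_groups: Iterable[str], sudoers_text: str) -> List[str]:
    """SSH Login Groups whose members would see 'sudo fails' as in the report."""
    return sorted(set(login_groups) - sudoers_groups(sudoers_text))


if __name__ == "__main__":
    # Constructed scenario from the issue: 'admins' may log in, sudoers has only wheel.
    shipped = render_sudoers([])
    print(login_groups_without_sudo(["wheel", "admins"], shipped))
    print(login_groups_without_sudo(["wheel", "admins"], render_sudoers(["admins"])))
```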

fichtner added a commit that referenced this issue May 20, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019