sudo: add GUI option and template #990

Closed
AdSchellevis opened this issue Jun 4, 2016 · 4 comments

@AdSchellevis
Member

From https://forum.opnsense.org/index.php?topic=3151

Up for debate, we could easily add an extra acl and check for uid 0 or "wheel-shell-user" access in here https://github.com/opnsense/core/blob/master/src/etc/inc/auth.inc#L431-L436 .

It provides admins with the possibility to create "real" admin users which can do practically the same as root.

@AdSchellevis AdSchellevis added the feature Adding new functionality label Jun 4, 2016
@fichtner
Member

fichtner commented Jun 4, 2016

Cloning the root account has no security benefit and people have been annoyed by the console menu in other accounts, which still requires super user rights to run. ;)

Wheel group is added to admins already, but that requires "su" and the root account password. Instead, sudo can be set up to allow wheel group to run super user commands, so "sudo su" will either prompt for the account's own password or not at all. Execution will bring up the console menu as a root-like user and problem fixed...

This requires a sudoers template with the options (a) off (default) (b) on, requires password (c) on, requires no password.

Also, when the root account is disabled we should scramble the system password on each boot, because we cannot truly disable (nologin) because that gets rid of the root menu.

Long story short, there should only ever be one root and people must use sudo if they want to wheel, it's really best practice for any UNIX-like system. The GUI is not affected by this enhancement.

@fichtner fichtner added this to the 16.7 milestone Jun 4, 2016
@fichtner fichtner self-assigned this Jun 4, 2016
@AdSchellevis
Member Author

I kind of forgot about wheel already being assigned to the admin user, let's keep things like they are now, which probably is easy enough to handle for most people.

@fichtner
Member

fichtner commented Jun 7, 2016

reopening for sudo settings...

@fichtner fichtner reopened this Jun 7, 2016
@fichtner fichtner modified the milestones: Future, 16.7, 17.1 Jun 15, 2016
@fichtner fichtner changed the title from "Add ACL for new root type shell user (wheel group)" to "sudo: add GUI option and template" Jun 15, 2016
@fichtner
Member

/usr/local/etc/sudoers.d/ seems perfect to make this finally happen :)

fichtner added a commit that referenced this issue Aug 28, 2016
This is especially useful for "sudo su" in manually created admins
to gain access to the console menu without compromising the root
password.

(cherry picked from commit 273692e)
(cherry picked from commit 96ffce7)
(cherry picked from commit 686f6a9)
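
The three template states described in the thread ((a) off, (b) on with password, (c) on without password) rendered as a drop-in under /usr/local/etc/sudoers.d/. This is an added example, not code from OPNsense or the referenced commit; the mode names, the file name `wheel_admins` and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not OPNsense code. Mode names, DROPIN_NAME and the function
# names are hypothetical. The drop-in only takes effect when the main sudoers
# file includes the directory (#includedir / @includedir).

SUDOERS_DIR="${SUDOERS_DIR:-/usr/local/etc/sudoers.d}"
# sudo skips files in an include directory whose name contains '.' or ends
# in '~', so the live file name must have neither.
DROPIN_NAME="wheel_admins"

# Print the sudoers rule for one mode: off | password | nopassword.
render_wheel_sudoers() {
    case "$1" in
        off)        ;;  # (a) default: no rule, wheel still needs su + root password
        password)   printf '%%wheel ALL=(ALL) ALL\n' ;;            # (b) own password
        nopassword) printf '%%wheel ALL=(ALL) NOPASSWD: ALL\n' ;;  # (c) no prompt
        *)          echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Write, validate, then atomically install (or remove) the drop-in.
apply_wheel_sudoers() {
    target="$SUDOERS_DIR/$DROPIN_NAME"
    body="$(render_wheel_sudoers "$1")" || return 2
    if [ -z "$body" ]; then
        rm -f "$target"        # "off": make sure no stale rule stays behind
        return 0
    fi
    # The dotted temp name is ignored by sudo while it is being written.
    tmp="$(mktemp "$SUDOERS_DIR/.$DROPIN_NAME.XXXXXX")" || return 1
    printf '%s\n' "$body" > "$tmp"
    chmod 0440 "$tmp"
    # Syntax-check before the rule goes live (skipped if visudo is absent).
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$target"
}
```

Run as root with one of the three modes, for example `apply_wheel_sudoers password`; pointing `SUDOERS_DIR` at a scratch directory lets you inspect the result without touching the live configuration.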