
Puppet should actively purge sudo and access rights not enumerated by the admins module
Closed, Resolved · Public

Description

I just ran across a (non-dangerous) case where a user had sudo rights on a box that were not puppetized. These rights were left over from some sort of hand-configuration that predated the admins module.

Now that everyone is happy and comfortable with the way 'admins' is working, we should extend it to actively purge anything not defined there to prevent such leaks.

Related Objects

Status   | Subtype | Assigned   | Task
Resolved |         | chasemp    |
Resolved |         | chasemp    |
Resolved |         | Dzahn      |
Resolved |         | RobH       |
Resolved |         | RobH       |
Resolved |         | RobH       |
Resolved |         | Dzahn      |
Resolved |         | RobH       |
Resolved |         | Dzahn      |
Resolved |         | cscott     |
Resolved |         | Dzahn      |
Resolved |         | RobH       |
Resolved |         | hoo        |
Resolved |         | Dzahn      |
Resolved |         | Dzahn      |
Resolved |         | RobH       |
Resolved |         | Mglaser    |
Resolved |         | DarTar     |
Resolved |         | Amire80    |
Resolved |         | Dzahn      |
Resolved |         | ArielGlenn |
Resolved |         | leila      |
Resolved |         | Dzahn      |
Resolved |         | Nuria      |
Resolved |         | Dzahn      |

Event Timeline

Andrew created this task. Feb 6 2015, 7:22 PM
Andrew raised the priority of this task from to High.
Andrew updated the task description.
Andrew added a project: acl*sre-team.
Andrew added a subscriber: Andrew.
Restricted Application added a subscriber: Aklapper. Feb 6 2015, 7:22 PM
Andrew set Security to None. Feb 6 2015, 7:23 PM
Andrew added a subscriber: chasemp.
Dzahn awarded a token. Feb 14 2015, 1:00 AM
chasemp closed this task as Resolved. Mar 11 2015, 8:00 PM
chasemp claimed this task.

Any user-specific sudo rights will be in /etc/sudoers.d/$user on the end system. I recently enabled account cleanup logic (i.e. remove any account not in an actively managed group) and included logic to mv a user's sudo file to their home dir before it is archived.

I feel like this:

  • preserves what privs they had in their archive
  • fits in with our overall user cleanup strategy

https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/admin/files/enforce-users-groups.sh;b86473f362196ae364b7d4956fa8d35bbdfa7044$74-75
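The cleanup described in the comment above, written out as an added example. This is not the enforce-users-groups.sh script linked from the task or any other Wikimedia code: it works against a fake root directory so it can be run offline, and the file names it relies on are assumptions for illustration (a managed-login list at $ROOT/etc/managed-users, the retired user's fragment moved to $HOME/sudoers.$user, archives under $ROOT/var/lib/user-archive/). retire_account edits the fixture's passwd file in place of userdel -r. It also goes one step beyond the comment and purges sudoers.d fragments that match no account at all, which is the "actively purge anything not defined" behaviour the task asks for.

```shell
#!/bin/sh
# Added example (not the enforce-users-groups.sh linked above): enforce the rule that
# every non-system account and every /etc/sudoers.d/$user fragment must be backed by
# the managed user list, and retire anything else. Runs against a fake root so it can be
# exercised offline; on a real host ROOT would be / and retire_account would call userdel -r.
# Assumed, hypothetical conventions: managed logins live in $ROOT/etc/managed-users
# (one per line), a retired user's sudo fragment is moved to $HOME/sudoers.$user, and
# home directories are archived to $ROOT/var/lib/user-archive/$user.tar.
set -eu

# Constructed fixture: two managed accounts, one hand-added account with sudo, and one
# orphaned sudoers.d fragment that matches no account at all.
make_fixture() {
    root=$1
    mkdir -p "$root/etc/sudoers.d" "$root/home/alice" "$root/home/bob" "$root/home/mallory"
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
mallory:x:1002:1002::/home/mallory:/bin/bash
EOF
    printf 'alice\nbob\n' > "$root/etc/managed-users"
    printf 'alice ALL=(ALL) NOPASSWD: ALL\n' > "$root/etc/sudoers.d/alice"
    printf 'mallory ALL=(ALL) NOPASSWD: ALL\n' > "$root/etc/sudoers.d/mallory"
    printf 'ghost ALL=(ALL) ALL\n' > "$root/etc/sudoers.d/ghost"
}

# Logins of regular accounts (uid >= 1000, excluding nobody) that are not on the managed list.
unmanaged_accounts() {
    root=$1
    awk -F: '$3 >= 1000 && $3 != 65534 { print $1 }' "$root/etc/passwd" \
        | grep -vxF -f "$root/etc/managed-users" || true
}

# sudoers.d fragments whose name matches no account in passwd. README is skipped because
# Debian's sudo package ships one there; anything else without an owner is a leftover.
stale_sudoers() {
    root=$1
    for f in "$root/etc/sudoers.d"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        [ "$name" = README ] && continue
        if ! awk -F: -v u="$name" '$1 == u { found = 1 } END { exit !found }' "$root/etc/passwd"; then
            echo "$name"
        fi
    done
}

# Move the user's sudo fragment into their home so the archive records what privileges
# they had, tar the home directory, then remove it and the passwd entry (stand-in for userdel -r).
retire_account() {
    root=$1; user=$2
    home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$root/etc/passwd")
    [ -n "$home" ] || return 1
    if [ -f "$root/etc/sudoers.d/$user" ]; then
        mv "$root/etc/sudoers.d/$user" "$root$home/sudoers.$user"
    fi
    mkdir -p "$root/var/lib/user-archive"
    tar -C "$root$(dirname "$home")" -cf "$root/var/lib/user-archive/$user.tar" "$(basename "$home")"
    rm -rf "$root$home"
    awk -F: -v u="$user" '$1 != u' "$root/etc/passwd" > "$root/etc/passwd.tmp" \
        && mv "$root/etc/passwd.tmp" "$root/etc/passwd"
}

# Full pass: retire unmanaged accounts first (so their sudo file goes into the archive),
# then purge fragments that no remaining account owns.
enforce_users_groups() {
    root=$1
    for u in $(unmanaged_accounts "$root"); do
        retire_account "$root" "$u"
    done
    for s in $(stale_sudoers "$root"); do
        rm -f "$root/etc/sudoers.d/$s"
    done
}

# Demo against the fixture: sh enforce-example.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_fixture "$demo"
    echo "unmanaged: $(unmanaged_accounts "$demo")"
    enforce_users_groups "$demo"
    echo "remaining sudoers.d: $(ls "$demo/etc/sudoers.d")"
    rm -rf "$demo"
fi
```

Two points worth keeping in mind when adapting this to a real host: sudo only loads sudoers.d files whose names contain no "." and do not end in "~", so the archived copy under the home directory is inert even if it were ever copied back, and the orphan check keys on the file name matching a login, which only holds if the per-user naming convention from the comment is actually followed everywhere.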