
Time limited sudo rights using at

From time to time, a person may require sudo rights on a particular server for a limited time. If it’s a Linux host, we can use the at scheduler and a conf frag in /etc/sudoers.d to automate this. Essentially, the frag grants the access, and an at job removes the frag when the user’s access time is up, so their sudo rights are revoked automatically without anyone having to remember to do it.

Here’s a basic example.

Set up a sudoers conf frag in /etc/sudoers.d, owned by root, and ensure you chmod 0440 it. Let me say that again, ENSURE YOU CHMOD 0440 IT! If you don’t, sudo will flip out and cease to work. Also watch the file name: sudo silently skips any file in /etc/sudoers.d whose name contains a dot or ends in a tilde (e.g. editor backups), so a frag called username.tempsudo grants nothing. You should also run a syntax check on the file before relying on it, e.g. visudo -c -f /etc/sudoers.d/username-tempsudo.

$ cat /etc/sudoers.d/username-tempsudo
username targetserver=(ALL)       /bin/su - applmgr

Make sure atd is running (and starts at boot, since a queued job is only executed by a running atd):

$ service atd start
Starting atd                                [  OK  ]

And then, as root, simply schedule a task to rm the conf frag. It has to be root because an at job runs as the user who queued it, and only root can delete a file in /etc/sudoers.d:

$ at 1830 10.06.15
at> rm /etc/sudoers.d/username-tempsudo
at> [EOT]
job 3 at 2015-06-10 18:30

Annoyingly, at defaults to the MM/DD/(CC)YY date format, but it also accepts DD.MM.(CC)YY, which is what the example above uses.

Where it says [EOT], that’s a Ctrl+D

You can see queued jobs with atq, check exactly what a job will run with at -c [job number], and remove a job with atrm [job number].
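The three steps above wrapped into a small POSIX sh script, as an added example (not from the original post): it refuses file names sudo would ignore, writes the frag to a dot-prefixed temp file (which sudo also ignores, so a half-written frag is never live), sets 0440, runs visudo -c on it, renames it into place, and queues the at job that removes it. The function names, and the SUDOERS_DIR and VISUDO variables, are my own; it assumes it is run as root so the frag ends up root-owned.

```shell
#!/bin/sh
# Added example, not part of the original post. Run as root.
set -eu

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"   # assumed override for testing
VISUDO="${VISUDO:-visudo}"                     # assumed override for testing

# sudo's #includedir skips files whose name contains '.' or ends in '~',
# so such a frag would silently grant nothing. Reject those names up front.
valid_frag_name() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
    esac
    return 0
}

# Print one sudoers rule in the form:  user host=(runas) command
sudoers_rule() {
    printf '%s %s=(%s) %s\n' "$1" "$2" "$3" "$4"
}

# write_frag NAME USER HOST RUNAS COMMAND
# Writes the rule to a dot-prefixed temp file in SUDOERS_DIR (ignored by sudo
# while being written), chmods it 0440, syntax-checks it with visudo -c, and
# only then renames it to its final name so the grant becomes live atomically.
write_frag() {
    name=$1
    user=$2
    host=$3
    runas=$4
    cmd=$5
    valid_frag_name "$name" || {
        echo "refusing frag name '$name': sudo would ignore it" >&2
        return 1
    }
    tmp=$(mktemp "$SUDOERS_DIR/.tmp.XXXXXX")
    sudoers_rule "$user" "$host" "$runas" "$cmd" > "$tmp"
    chmod 0440 "$tmp"
    if ! "$VISUDO" -c -q -f "$tmp"; then
        rm -f "$tmp"
        echo "sudoers syntax check failed for $name" >&2
        return 1
    fi
    mv "$tmp" "$SUDOERS_DIR/$name"
}

# schedule_revoke NAME TIMESPEC...   e.g. schedule_revoke username-tempsudo 1830 10.06.15
# Queues the rm as the calling user, so this must run as root.
schedule_revoke() {
    name=$1
    shift
    printf 'rm -f %s\n' "$SUDOERS_DIR/$name" | at "$@"
}
```

Typical use, as root: write_frag username-tempsudo username targetserver ALL '/bin/su - applmgr' followed by schedule_revoke username-tempsudo 1830 10.06.15. Note that (ALL) as the runas list is broader than this rule needs; su has to run as root, so (root) would grant the same thing with less scope.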

Categories: Lunix Lunacy

rawiri