From time to time, a person may require `sudo` rights to a particular server for a limited time. If it's a Linux host, we can use the `at` scheduler and an `/etc/sudoers.d` conf frag to automate this. Essentially, we use `at` to automatically remove the conf frag when the user's access time is up, and thus their `sudo` rights are automatically revoked.

Here's a basic example.
Set up a sudoers conf frag in `/etc/sudoers.d`, and ensure you `chmod 0440` it. Let me say that again, ENSURE YOU CHMOD 0440 IT! If you don't, `sudo` will flip out and cease to work. You may also like to run a cursory validation of the file too, e.g. `visudo -c -f /etc/sudoers.d/username-tempsudo`.

```
$ cat /etc/sudoers.d/username-tempsudo
username targetserver=(ALL) /bin/su - applmgr
```
Make sure `atd` is running:

```
$ service atd start
Starting atd                                               [ OK ]
```
And then simply schedule a task to `rm` the conf frag:

```
$ at 1830 10.06.15
at> rm /etc/sudoers.d/username-tempsudo
at> [EOT]
job 3 at 2015-06-10 18:30
```
`at` tends towards the monstrously moronic MM/DD/(CC)YY format, but you can use DD.MM.(CC)YY. Where it says [EOT], that's a Ctrl+D.

You can see queued jobs with `atq`, and remove them with `atrm [job number]`.
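The whole procedure above, wrapped into a small POSIX shell script so it can be repeated without forgetting the `chmod 0440` or the `visudo -c` step. This is an added example, not code from the original post: the function names, the `USER-tempsudo` fragment naming and the `/etc/sudoers.d` default are assumptions, and the user, host and command values are placeholders in the style of the post.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the steps above:
# write a one-rule sudoers fragment with mode 0440, validate it with visudo -c,
# and queue its removal with at(1). Function names and the fragment naming
# scheme are assumptions. Run grant_temp_sudo as root: an at job runs as the
# user who queued it, and only root can remove a file from /etc/sudoers.d.

# Print a single sudoers rule line.
# Usage: sudoers_rule USER HOST COMMAND
sudoers_rule() {
    printf '%s %s=(ALL) %s\n' "$1" "$2" "$3"
}

# Print the permission string of a file, e.g. "-r--r-----".
file_perms() {
    ls -ld "$1" | cut -c1-10
}

# Write the fragment DIR/NAME containing one rule. The file is created with
# mode 0440 from the start (umask in a subshell) so sudo never sees a
# too-permissive file, and an existing fragment is never clobbered.
# Prints the fragment path on success.
# Usage: write_fragment DIR NAME USER HOST COMMAND
write_fragment() {
    frag="$1/$2"
    if [ -e "$frag" ]; then
        echo "write_fragment: $frag already exists, not overwriting" >&2
        return 1
    fi
    ( umask 0337 && sudoers_rule "$3" "$4" "$5" > "$frag" ) || return 1
    chmod 0440 "$frag" || return 1
    printf '%s\n' "$frag"
}

# Syntax-check one fragment in isolation, as the post suggests.
validate_fragment() {
    visudo -c -f "$1"
}

# Queue "rm -f FRAG" with at. Everything after FRAG is passed to at as its
# time spec, e.g.: schedule_removal /etc/sudoers.d/x-tempsudo 1830 10.06.15
schedule_removal() {
    frag=$1
    shift
    printf 'rm -f %s\n' "$frag" | at "$@"
}

# Orchestrate the whole procedure. If visudo rejects the fragment it is
# removed again immediately, so a broken file can never take sudo down.
# Usage: grant_temp_sudo USER HOST COMMAND TIMESPEC...
grant_temp_sudo() {
    user=$1; host=$2; cmd=$3
    shift 3
    frag=$(write_fragment /etc/sudoers.d "$user-tempsudo" "$user" "$host" "$cmd") || return 1
    if ! validate_fragment "$frag"; then
        rm -f "$frag"
        echo "grant_temp_sudo: $frag failed visudo check, removed" >&2
        return 1
    fi
    schedule_removal "$frag" "$@"
}

# Example call (placeholders, as in the post):
#   grant_temp_sudo username targetserver '/bin/su - applmgr' 1830 10.06.15
```

The fragment name deliberately contains no `.`, because `sudo` silently ignores files in `/etc/sudoers.d` whose names contain a dot or end in `~`. After queueing, `atq` should list the removal job, and a quick `sudo -l -U username` on the target host confirms the rule is live until `at` deletes the file.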
Categories: Lunix Lunacy