New Package: sudo


  • Rebel Alliance Developer Netgate

    It gets requested extremely often, so I went ahead and made a simple-yet-effective package for sudo. It's up now for 2.0.3 and 2.1 (though it looks better on 2.1!)

    Once installed, visit System > sudo, and you can define access rules for users and commands that can be run.

    It could probably still use a little polish, but it gets the job done and does what most people will want, which is to let certain users (or the admin group) run commands as root.

    Suggestions/patches welcome. There is some explanatory text on the page but it only shows up on 2.1 since 2.0.x doesn't support the "info" type package tag.

    More info on the wiki: http://doc.pfsense.org/index.php/Sudo_Package

    Initially I had thought I would use the privilege system, but then it wouldn't have been flexible in allowing users to only run specific commands. It could still be done both ways, but some care would be needed to avoid collisions. For now though, the way the package is written, it worked for me on a few different test VMs.


  • Rebel Alliance Developer Netgate

    FYI: this is obvious if you visit the GUI after installing it, but by default it puts in three rules:

    1. Allow root to use sudo to run anything as root (duh)
    2. Allow admin to use sudo to run anything as root (See above)
    3. Allow anyone in the admins group to run anything as root

    #3 is what most people want from sudo, but others may not like it. It seemed like a good default setting, and it does get applied as soon as the package is installed.


  • Rebel Alliance Developer Netgate

    Fixed an issue with the i386 install today; it should be good for everyone again. Feedback would be appreciated, thanks!



  • The install bug report got me to actually try this. It is installed and working on a bunch of systems. Now I can add individual user names, put them in the admins group, then they can ssh in, get a command line and

    sudo -s
    

    to get a decent looking shell as root, if needed.
    The admin (root) password on each system no longer needs to be remembered (= constantly looked up when going to different systems) and shared with multiple people.
    So far, the defaults work fine for me; it's IT admin staff who need "all or nothing" access. I haven't played with giving users access to only particular commands…
    It's a good thing - thanks.
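
The three default rules listed in the thread, and the per-command restriction the last post mentions, can be reviewed by parsing the rule list and flagging every principal that may run anything as root. This is an added example, not code from the package or from the posters; it assumes standard one-line sudoers syntax, and the sample rules and the user `alice` are constructed.

```python
import re

# Constructed sample in standard sudoers syntax (assumption: this is not the
# file the pfSense package generates). The first three rules mirror the
# defaults described in the thread; "alice" is a hypothetical restricted user.
SAMPLE_SUDOERS = """\
# constructed example
root    ALL=(root) ALL
admin   ALL=(root) ALL
%admins ALL=(root) ALL
alice   ALL=(root) NOPASSWD: /sbin/pfctl -s state, /usr/bin/top
"""

RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


def parse_rules(text):
    """Parse simple one-line user specs; comments, Defaults and aliases are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, _host, runas, cmds = m.groups()
        rules.append({
            "who": who,
            "is_group": who.startswith("%"),
            # sudoers treats an omitted "(runas)" as root
            "runas": [u.strip() for u in (runas if runas is not None else "root").split(":")[0].split(",")],
            "nopasswd": "NOPASSWD:" in cmds,
            "commands": [TAGS.sub("", c.strip()) for c in cmds.split(",")],
        })
    return rules


def unrestricted_root(rules):
    """Principals allowed to run ANY command as root (the 'all or nothing' case)."""
    return [r["who"] for r in rules
            if "ALL" in r["commands"] and {"root", "ALL"} & set(r["runas"])]


if __name__ == "__main__":
    for r in parse_rules(SAMPLE_SUDOERS):
        scope = "ANY command" if "ALL" in r["commands"] else ", ".join(r["commands"])
        print(f"{r['who']:<8} as {','.join(r['runas'])}: {scope}")
```

Any group name in the output of `unrestricted_root` means that adding a user to that group is equivalent to handing out root, so group membership needs the same review as the rules themselves.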