
Info: About Using Sudo

Summary:

Sudo is a program for Unix-like computer operating systems that lets users run programs using the security privileges of another user (by default, the superuser).

More Info:

Sudo commands executed by supported Venafi drivers

Driver / purpose              Commands used with Central Generation   Commands used with Remote Generation
General Purpose               ls, rm, cp                              ls, rm, cp
Set File/Owner Permissions    chmod, chown                            chmod, chown
Apache and PEM                                                        openssl
GSK                                                                   gsk7cmd, gsk7capicmd, gsk8capicmd, gsk8capicmd_64, ikeycmd
iPlanet                       certutil, pk12util                      certutil, pk12util
JKS                                                                   keytool
PKCS#12                                                               (Not Applicable)

When sudo is enabled, every command executed remotely on a device is prefixed with "sudo" so that it runs in a privileged security context. The sudoers file governs which commands are allowed and which users may run them. It can also specify whether the user must enter a password when prompted, an optional configuration that Trust Protection Platform supports.

Example: In this example sudoers file, venafi is the user name that Trust Protection Platform has been configured to use, /opt/pki is the target directory, /tmp is the temporary directory, and the commands are executed via sudo without a password being required.

This sudoers example follows the least-privilege security best practice. However, give serious consideration to requiring a password:

# GSK, JKS, PEM, PKCS#12 central gen
venafi ALL= NOPASSWD:/bin/ls -ld /opt/pki*
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/* /opt/pki/*
venafi ALL= NOPASSWD:/bin/cp /opt/pki/* /tmp/*
venafi ALL= NOPASSWD:/bin/cp -pf /opt/pki/* /opt/pki/*
venafi ALL= NOPASSWD:/bin/cp /tmp/* /tmp/*
venafi ALL= NOPASSWD:/bin/rm -rf /opt/pki/*.bak
venafi ALL= NOPASSWD:/bin/rm -rf /tmp/*

# for setting file owner/group and/or permissions
venafi ALL= NOPASSWD:/bin/chmod 0[0-7][0-7][0-7] /opt/pki/*
venafi ALL= NOPASSWD:/bin/chown * /opt/pki/*
venafi ALL= NOPASSWD:/bin/chmod 0[0-7][0-7][0-7] /tmp/*
venafi ALL= NOPASSWD:/bin/chown * /tmp/*

# iPlanet
venafi ALL= NOPASSWD:/bin/ls -ld /usr/bin/certutil, /bin/ls -ld /usr/bin/pk12util
venafi ALL= NOPASSWD:/usr/bin/certutil *, /usr/bin/pk12util *
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/* /tmp/*
venafi ALL= NOPASSWD:/bin/ls -ld /tmp*

# PEM remote gen
venafi ALL= NOPASSWD:/usr/bin/openssl *

# JKS remote gen
venafi ALL= NOPASSWD:/usr/bin/keytool *

# GSK remote gen
venafi ALL= NOPASSWD:SETENV:/bin/sh -c ikeycmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk7cmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk7capicmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk8capicmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk8capicmd_64 *
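The following is an added example, not code from this article or from Venafi. It is a small Python audit that parses one-line sudoers user specifications of the form shown above (user, host, NOPASSWD/SETENV tags, one or more commands) and reports what a reviewer of such a file wants to know before deploying it: commands that are not absolute paths (sudoers requires fully qualified paths), rules that run through a shell, rules carrying SETENV, rules whose arguments use wildcards (sudo matches the argument list as a single space-separated string, so a `*` can match more than one argument), and any tool that is not in the driver table above. The input is a constructed subset of the article's rules plus one deliberately malformed line; `DOCUMENTED`, `SHELLS`, `parse_sudoers`, `audit` and `tool_name` are names chosen for this example, not anything from Trust Protection Platform.

```python
# Added example (not part of the Venafi article): audit simple sudoers user specs.
import re
from dataclasses import dataclass

# Constructed input: a subset of the article's rules, plus one deliberately bad
# line (relative path) so the checks have something to catch.
SUDOERS_TEXT = """\
# GSK, JKS, PEM, PKCS#12 central gen
venafi ALL= NOPASSWD:/bin/ls -ld /opt/pki*
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/* /opt/pki/*
venafi ALL= NOPASSWD:/bin/rm -rf /tmp/*
# for setting file owner/group and/or permissions
venafi ALL= NOPASSWD:/bin/chmod 0[0-7][0-7][0-7] /opt/pki/*
venafi ALL= NOPASSWD:/bin/chown * /opt/pki/*
# iPlanet
venafi ALL= NOPASSWD:/usr/bin/certutil *, /usr/bin/pk12util *
# JKS remote gen
venafi ALL= NOPASSWD:/usr/bin/keytool *
# GSK remote gen
venafi ALL= NOPASSWD:SETENV:/bin/sh -c ikeycmd *
# constructed bad line: a relative path, which sudoers does not permit
venafi ALL= NOPASSWD:keytool *
"""

# Tool basenames documented in the article's driver table (assumed complete here).
DOCUMENTED = {"ls", "rm", "cp", "chmod", "chown", "openssl", "gsk7cmd", "gsk7capicmd",
              "gsk8capicmd", "gsk8capicmd_64", "ikeycmd", "certutil", "pk12util", "keytool"}
# Interpreters that turn one rule into "run anything the -c string says".
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}


@dataclass(frozen=True)
class Cmd:
    path: str   # command as written in sudoers (should be absolute)
    args: str   # argument pattern, possibly with wildcards, "" if none


@dataclass(frozen=True)
class Rule:
    user: str
    host: str
    tags: tuple   # e.g. ("NOPASSWD", "SETENV")
    cmds: tuple   # one or more Cmd
    line_no: int


USER_SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.*)$")   # user host= rest
TAG = re.compile(r"([A-Z]+):\s*")                         # leading TAG: prefixes


def parse_sudoers(text):
    """Parse the one-line user specs used in the article (no aliases, no Runas lists)."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            raise ValueError(f"line {n}: not a user specification: {raw!r}")
        user, host, rest = m.group(1), m.group(2), m.group(3)
        tags = []
        while (t := TAG.match(rest)):          # strip NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            rest = rest[t.end():]
        cmds = []
        for spec in rest.split(","):           # comma separates commands on one line
            parts = spec.strip().split(None, 1)
            if not parts:
                continue
            cmds.append(Cmd(parts[0], parts[1] if len(parts) > 1 else ""))
        rules.append(Rule(user, host, tuple(tags), tuple(cmds), n))
    return rules


def tool_name(cmd):
    """Basename of the tool actually run; for `sh -c TOOL ...` look inside the -c string."""
    if cmd.path in SHELLS and cmd.args.startswith("-c "):
        return cmd.args.split()[1]
    return cmd.path.rsplit("/", 1)[-1]


def audit(rules):
    """Return findings as {kind: [(line_no, detail), ...]}; empty lists mean no hits."""
    findings = {"relative_path": [], "shell_wrapper": [], "setenv": [],
                "wildcard_args": [], "undocumented_tool": []}
    for r in rules:
        if "SETENV" in r.tags:                 # caller may override the environment
            findings["setenv"].append((r.line_no, r.cmds[0].path))
        for c in r.cmds:
            if not c.path.startswith("/"):
                findings["relative_path"].append((r.line_no, c.path))
            if c.path in SHELLS:
                findings["shell_wrapper"].append((r.line_no, c.args))
            if "*" in c.args:                  # '*' is matched against the whole arg string
                findings["wildcard_args"].append((r.line_no, c.path))
            if tool_name(c) not in DOCUMENTED:
                findings["undocumented_tool"].append((r.line_no, tool_name(c)))
    return findings


def nopasswd_count(rules):
    """How many rules skip the password prompt (the article suggests reconsidering this)."""
    return sum("NOPASSWD" in r.tags for r in rules)


if __name__ == "__main__":
    rules = parse_sudoers(SUDOERS_TEXT)
    print(f"{len(rules)} rules, {nopasswd_count(rules)} without a password prompt")
    for kind, hits in audit(rules).items():
        for line_no, detail in hits:
            print(f"{kind:18} line {line_no}: {detail}")
```

This script only reads the text; `visudo -c -f FILE` remains the authoritative syntax check for a sudoers file, and `sudo -l -U venafi` run as root on the device shows the rules sudo actually resolves for the account, which is the result to compare against the driver table.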

For additional information and resources regarding sudo, visit the following websites:

http://www.sudo.ws/

https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html

https://docs.venafi.com/Docs/17.1/TopNav/Content/Permissions/c-permissions-drivers-sudo-about.php
