Summary:
Sudo is a program for Unix-like computer operating systems that lets users run programs using the security privileges of another user (by default, the superuser).
More Info:
| | Commands used with Central Generation | Commands used with Remote Generation |
|---|---|---|
| General Purpose | ls rm cp | ls rm cp |
| Set File/Owner Permissions | chmod chown | chmod chown |
| Apache and PEM | | openssl |
| GSK | | gsk7cmd gsk7capicmd gsk8capicmd gsk8capicmd_64 ikeycmd |
| iPlanet | certutil pk12util | certutil pk12util |
| JKS | | keytool |
| PKCS#12 | | (Not Applicable) |
When sudo is enabled, every command executed remotely on a device is prefixed with "sudo" so that the command runs in a privileged security context. The sudoers file governs which commands and which users are allowed. It can also specify whether the user must enter their password when prompted; requiring a password is an optional configuration that Trust Protection Platform supports.
Example
In this example sudoers file, venafi is the user name that Trust Protection Platform has been configured to use, /opt/pki is the target directory, /tmp is the temporary directory, and the commands are executed via sudo without having to specify a password.
This sudoers example represents a least-privilege security best practice. However, you should give serious consideration to requiring a password:
# GSK, JKS, PEM, PKCS#12 central gen
venafi ALL= NOPASSWD:/bin/ls -ld /opt/pki*
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/* /opt/pki/*
venafi ALL= NOPASSWD:/bin/cp /opt/pki/* /tmp/*
venafi ALL= NOPASSWD:/bin/cp -pf /opt/pki/* /opt/pki/*
venafi ALL= NOPASSWD:/bin/cp /tmp/* /tmp/*
venafi ALL= NOPASSWD:/bin/rm -rf /opt/pki/*.bak
venafi ALL= NOPASSWD:/bin/rm -rf /tmp/*
# for setting file owner/group and/or permissions
venafi ALL= NOPASSWD:/bin/chmod 0[0-7][0-7][0-7] /opt/pki/*
venafi ALL= NOPASSWD:/bin/chown * /opt/pki/*
venafi ALL= NOPASSWD:/bin/chmod 0[0-7][0-7][0-7] /tmp/*
venafi ALL= NOPASSWD:/bin/chown * /tmp/*
# iPlanet
venafi ALL= NOPASSWD:/bin/ls -ld /usr/bin/certutil, /bin/ls -ld /usr/bin/pk12util
venafi ALL= NOPASSWD:/usr/bin/certutil *, /usr/bin/pk12util *
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/* /tmp/*
venafi ALL= NOPASSWD:/bin/ls -ld /tmp*
# PEM remote gen
venafi ALL= NOPASSWD:/usr/bin/openssl *
# JKS remote gen
venafi ALL= NOPASSWD:/usr/bin/keytool *
# GSK remote gen
venafi ALL= NOPASSWD:SETENV:/bin/sh -c ikeycmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk7cmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk7capicmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk8capicmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk8capicmd_64 *
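The rules above are the kind of thing a reviewer reads line by line before installing them. The following script is an added example, not part of the Venafi documentation or of the sudo project: it parses user-specification lines in the form used above (user host= [TAG:...]command args, ...) and reports the settings that widen the privileged surface, namely NOPASSWD, SETENV, shell invocations and wildcard arguments. The sample input is a constructed subset of the page's own rules plus one hypothetical keytool rule with a password prompt and exact arguments; the finding names (nopasswd, setenv, shell, any-args, bare-wildcard, wildcard-path) are this example's own.

```python
"""Lint sudoers command rules for settings that widen the privileged surface.

Added example, not part of the Venafi documentation or of the sudo project.
It parses user-specification lines of the form
    user host= [TAG:...]command args, [TAG:...]command args
and reports what a reviewer would look at before installing them.
The check names are this example's own.
"""
import re
import shlex

# Constructed sample: a subset of the page's own rules plus one hypothetical
# hardened rule (password required, exact arguments) for contrast.
SAMPLE_SUDOERS = """\
# GSK, JKS, PEM, PKCS#12 central gen
venafi ALL= NOPASSWD:/bin/ls -ld /opt/pki*
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/* /opt/pki/*
venafi ALL= NOPASSWD:/bin/chown * /opt/pki/*
# iPlanet
venafi ALL= NOPASSWD:/usr/bin/certutil *, /usr/bin/pk12util *
# GSK remote gen
venafi ALL= NOPASSWD:SETENV:/bin/sh -c ikeycmd *
# hypothetical hardened rule: password prompt, exact arguments, no wildcards
venafi ALL= /usr/bin/keytool -list -keystore /opt/pki/keystore.jks
"""

# user host=(runas)? Cmnd_Spec_List ; the Runas_Spec is optional and unused here.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
# Tag pairs: a later tag cancels its opposite, and tags persist across the
# remaining commands of the same Cmnd_Spec_List (sudoers(5)).
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
            "SETENV": "NOSETENV", "NOSETENV": "SETENV",
            "NOEXEC": "EXEC", "EXEC": "NOEXEC"}
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}


def parse_rules(text):
    """Return one dict per command entry: user, host, tags, command, args."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults, aliases and includes are out of scope here
        tags = set()
        for entry in m.group("spec").split(","):
            entry = entry.strip()
            # Peel leading TAG: prefixes such as NOPASSWD:SETENV:/bin/sh ...
            while True:
                head, sep, rest = entry.partition(":")
                if not sep or head not in OPPOSITE:
                    break
                tags.discard(OPPOSITE[head])
                tags.add(head)
                entry = rest.strip()
            words = shlex.split(entry)
            if not words:
                continue
            rules.append({"user": m.group("user"), "host": m.group("host"),
                          "tags": sorted(tags),
                          "command": words[0], "args": words[1:]})
    return rules


def check_rule(rule):
    """Return the list of finding names that apply to one parsed rule."""
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("nopasswd")      # no re-authentication before escalation
    if "SETENV" in rule["tags"]:
        findings.append("setenv")        # caller may set environment variables
    if rule["command"].rsplit("/", 1)[-1] in SHELLS:
        findings.append("shell")         # a shell runs whatever it is told to
    if not rule["args"]:
        findings.append("any-args")      # no args in sudoers => any args allowed
    for arg in rule["args"]:
        if arg == "*" and "bare-wildcard" not in findings:
            # sudoers(5): arguments are matched as one concatenated string, so a
            # bare '*' matches any number of further words, not just one.
            findings.append("bare-wildcard")
        elif arg.startswith("/") and "*" in arg and "wildcard-path" not in findings:
            # Glob in a path argument: fnmatch(3)-style '*' is not confined to
            # the named directory, so the rule is wider than it looks.
            findings.append("wildcard-path")
    return findings


def lint(text):
    """Parse and check every rule; results are ordered as in the file."""
    results = []
    for rule in parse_rules(text):
        rule["findings"] = check_rule(rule)
        results.append(rule)
    return results


def report(text):
    """One human-readable line per rule, 'ok' when nothing was flagged."""
    lines = []
    for r in lint(text):
        cmd = " ".join([r["command"]] + r["args"])
        lines.append(f"{r['user']} {r['host']}: {cmd} -> {', '.join(r['findings']) or 'ok'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SUDOERS))
```

A flagged rule is not automatically wrong: the rules above need wildcards because certificate file names vary per device. The report is a review aid that makes the trade-offs visible; dropping NOPASSWD, as the text recommends, clears the nopasswd finding on every line, and the hypothetical keytool rule shows what an entry with no findings looks like.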
For additional information and resources regarding sudo, visit the following websites:
https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
https://docs.venafi.com/Docs/17.1/TopNav/Content/Permissions/c-permissions-drivers-sudo-about.php