Proper Security for remote contractors and sudo
I'm working with lots of contractors and it has become very handy for me to simply create a new cPanel account and let them install an app that we use in our larger system.
By creating separate cPanel accounts I can give out the cPanel account credentials and feel fairly safe their access is limited.
However, it seems most of the time when they log in they need sudo access.
My question is, if I add them to the sudoers group, is that getting around the security that I created by making their own cPanel account?
It is my understanding anyone with sudo access pretty much has root access.
So if I'm doing things wrong, what would be the proper way to deal with many remote contractors?
> My question is, if I add them to the sudoers group, is that getting around the security that I created by making their own cPanel account? It is my understanding anyone with sudo access pretty much has root access.
Hello, yes, if you have configured sudo on the server and grant sudo access to the user, it essentially gives them root access via SSH to the entire system. You may want to verify what in particular they need root access for to determine if there's another way they can perform the required action. Thank you.
I'm a Windows admin of 30 years and having to adapt to a Linux world. Yuggg... So what would be a proper procedure to give a remote contractor access to set up software packages on our server? This last time it was Mattermost communication software, but there are always new packages that need to be installed. I almost prefer they do the admin sudo work logged into my PC and then I remote into our server as root so I can watch all their security-sensitive work. What is the best method to handle this?
sudoers can be configured to only allow certain commands to be run. For example, see: Take Control of your Linux | sudoers file: How to with Examples. Your definition of "setup software packages" is critical here. You could let them have privileges on certain config files, perhaps. However, if you grant access to yum (the package manager) to install software, for example, they could add/remove any software packages on the server. You don't necessarily have to chain logins if you work in 'screen' sessions; you can have 2 users attached to the same screen by using screen -x. I would look perhaps into using sudoers to only let their cPanel users run certain commands with root privileges. Or better yet, just have them work on a dev server, and when you are happy with it, migrate the changes to your production server. A small VPS to use as a development/staging server is cheap and a small price to pay for not giving contractors root on your production environment.
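The restricted-sudoers approach described in the reply above, as an added example that is not part of the thread: a permissive rule (which is effectively root) beside a rule limited to the one service restart and one config file a contractor task needs, plus a small audit function that flags any rule handing out unrestricted root. The username contractor1, the Mattermost paths and the alias names are constructed for illustration; the drop-in is written to a temp file here rather than to /etc/sudoers.d.

```shell
#!/bin/sh
# Added example (not from the forum thread). Shows an unrestricted sudoers
# rule beside a task-limited one and audits a sudoers file for rules that
# grant unrestricted root. All usernames and paths below are constructed.

# Unrestricted form: equivalent to giving the contractor a root shell.
UNRESTRICTED_RULE='contractor1 ALL=(ALL) ALL'

# Restricted form: absolute paths with the exact arguments the task needs.
# Config edits go through sudoedit rather than "sudo <editor>", because an
# editor running as root can spawn a shell and escape the restriction.
RESTRICTED_RULES='Cmnd_Alias MATTERMOST_SVC = /usr/bin/systemctl restart mattermost
contractor1 ALL=(root) MATTERMOST_SVC, sudoedit /opt/mattermost/config/config.json'

# Write a rule set to a file. In production the target would be
# /etc/sudoers.d/contractor1 with mode 0440, checked with "visudo -cf FILE"
# before it is put in place.
write_dropin() {
    printf '%s\n' "$2" > "$1"
}

# Count rules whose command list is the literal ALL (optionally preceded by
# a (runas) spec and a NOPASSWD: tag). Comment and Cmnd_Alias lines are
# skipped. Prints the count; "|| true" keeps grep's no-match exit code from
# hiding the zero.
count_unrestricted() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -v '^[[:space:]]*Cmnd_Alias' \
      | grep -Ec '=[[:space:]]*(\([^)]*\)[[:space:]]*)?(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' \
      || true
}

# Demo run against both rule sets in a temporary file.
demo() {
    f=$(mktemp)
    write_dropin "$f" "$UNRESTRICTED_RULE"
    echo "unrestricted root rules in permissive file: $(count_unrestricted "$f")"
    write_dropin "$f" "$RESTRICTED_RULES"
    echo "unrestricted root rules in restricted file:  $(count_unrestricted "$f")"
    rm -f "$f"
}

demo
```

The audit only catches the literal "ALL" command grant; a rule that names a package manager, an editor or a pager-backed command still lets the contractor widen their own access, which is why the reply's advice to keep production work on a staging box is the stronger control.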
Hi, you can analyze what part of their work requires sudo access. Based on this, you have to plan your move. First, I would suggest you give them jailed shell access, so they can log in and check whether they are comfortable with it or not.
Thanks guys for the help!! I'll push forward.