Question for linux admins

PaulStat · 8 Jun 2019 at 09:35

Ok so I have a number of Spring Boot based micro services which I am to run/deploy on an RHEL 7 server. Each micro service has it's own local user it will run as and is split into directories such as

/app/services/appa
/app/services/appb
/app/services/appc

Each services local user corresponds to the service name, so you have users appa, appb, appc.

Each micro service start script clones a git repository for app config, grabbing the environment specific (dev, uat, prod) config and placing it in the respective service directory. It also curls the apps executable jar from Artifactory. The script then changes the permissions of all config/jars to 755 and changes the owner/group to that specific local user, then the JVM is launched using the relevant local user.

There is a 1:1 mapping between process and micro service.

Now in order to do the above the user who runs the script (infrastructure support team) must have sudo access. An example noddy script (start/stop scripts exist in the location of the service directory so /app/services/appa for example)

Code:

USER=appa

sudo git clone http://somewhere/config.git

sudo mv -v config/$env/configa .

sudo rm -rf config 

sudo curl http://somwhere/appa.jar -o appa.jar

sudo chmod 755 *
sudo chown appa:appa *

sudo -S su - $USER -c "java -jar appa.jar &"

And given the processes are a 1:1 mapping between user and process the equivalent stop script would be as simple as

Code:

sudo pkill -u appa

Now ISP are saying "you have a lot of sudos", given that the alternative is that they "sudo su - appa" prior to running the start script, I can't see the issue?

Also using my approach

They don't need to know which user to switch to before running the script
They don't have to switch back to their privileged account afterwards.

memyselfandi · 9 Jun 2019 at 11:33

So the infrastructure support team run the above quoted script as their own user which has access to sudo to root during the script?

So your choices would be:
1. As stated strip at the sudo commands and run as the appa user after switching to it.
2. Strip out the sudo commands and call the entire script as root via sudo (making sure that the script can only be edited by root)

The difference being that currently (as written above) and with option 2 the script steps are being run as root not the appa user and in option 1 they would be being run as the appa user.

PaulStat · 9 Jun 2019 at 15:28

memyselfandi said:
So the infrastructure support team run the above quoted script as their own user which has access to sudo to root during the script?

I don't think they sudo to root, but they do have sudo privileges.

memyselfandi said:
So your choices would be:
1. As stated strip at the sudo commands and run as the appa user after switching to it.
2. Strip out the sudo commands and call the entire script as root via sudo (making sure that the script can only be edited by root)

The difference being that currently (as written above) and with option 2 the script steps are being run as root not the appa user and in option 1 they would be being run as the appa user.

Option 2 wouldn't be an option as the JVM has to run as apps for example. I think my main query is why would they want to strip out the sudos and go with option 1? Is there some security risk? Using a script like the one I have above they wouldn't need to know which user they have to su to before running the script?

memyselfandi · 9 Jun 2019 at 22:39

PaulStat said:
I don't think they sudo to root, but they do have sudo privileges.

During the script they are running sudo against each command, that is elevating them to root to run each individual command. The actions are in affect being performed as root (hence the chmod and chown prior to the actual application startup). This can also be seen as whilst the application user is defined at the top of the script it is only ever used at the application startup at the end of it, it is not being referred to in the sudo commands via the -u switch hence the sudo is elevating to be equivalent to root.

Option 2 wouldn't be an option as the JVM has to run as apps for example. I think my main query is why would they want to strip out the sudos and go with option 1? Is there some security risk? Using a script like the one I have above they wouldn't need to know which user they have to su to before running the script?

No, option 2 is still perfectly usable. If you stripped out the sudos and ran the whole script via one sudo command the application would still be being run as the application user as you would still have the su - $user as the application startup in the last line of the script. As written that is the only command in that script that is currently running as the application user. The chown means that the config file, jar file and, in fact, the script, will all be owned by the application user prior to the application being started.

I imagine that the reason they are complaining about the number of sudo commands is that they don't want to define and maintain access to that number of different commands within the sudoers file configuration.

There are some potential security risks depending on how the sudo configuration and the script permissions are set, for example if they've used wildcards in the sudoers configuration, for the chmod and chown, then that can be very bad.

PaulStat · 10 Jun 2019 at 07:37

Right ok thanks that makes it a lot clearer

Cromulent · 12 Jun 2019 at 11:25

Using sudo to download a file using curl and then executing it makes me want to cry for your security team.

memyselfandi · 12 Jun 2019 at 16:33

Depends if "somewhere" is internal or not ... Over the internet *shudder* especially as it's only http as well ...

Don't get me started on all those projects you see which say to install do a curl piped into bash .... Nonononono