USAGE for gen_sudoers.sh v1.0.2:

gen_sudoers.sh {-fs|-ls} [-y [-f]] [-L <log>] [-D]

or

gen_sudoers.sh [-h|-man]

DESCRIPTION:

This script generates a sudoers file for the OS user that owns /p4/common, which is expected to be the same user that the Perforce Helix Core service runs as (typically 'perforce').

By default, the sudoers file is generated for review. If the '-y' option is specified, the newly generated file is installed as the live sudoers file by copying it to /etc/sudoers.d/<OSUSER> and adjusting its permissions to 0400.

If '-fs' (full sudo) is specified, a one-line sudoers file is generated that looks something like this:

perforce ALL=(ALL) NOPASSWD: ALL

If '-ls' is specified, a limited sudoers file is generated granting only the necessary access to the perforce user.

If the sudoers file already exists, it will not be updated unless '-f' (force) is provided.

OPTIONS:

 -fs        Specify that a full sudo file is to be generated. The '-fs' or '-ls' option must be specified.

 -ls        Specify that a limited sudoers file is to be generated. The '-fs' or '-ls' option must be specified.

 -y         This is confirmation to install the generated sudoers file as the live sudoers file.

 -f         Specify '-f' to overwrite an existing limited sudoers file, /etc/sudoers.d/<OSUSER>.

 -L <log>   Specify the path to a log file, or the special value 'off' to disable logging. By default, all output (stdout and stderr) goes to: /home/perforce/gen_sudoers.<Datestamp>.log

            NOTE: This script is self-logging. That is, output displayed on the screen is simultaneously captured in the log file.

 -D         Enable bash 'set -x' extreme debugging verbosity.

HELP OPTIONS:

 -h         Display short help message
 -man       Display man-style help message

EXAMPLES:

EXAMPLE 1: Generate a limited sudoers file for review.

cd /p4/sdp/Server/Unix/setup
./gen_sudoers.sh -ls

EXAMPLE 2: Generate a limited sudoers file and install it.

cd /p4/sdp/Server/Unix/setup
./gen_sudoers.sh -ls -y

EXAMPLE 3: Generate a limited sudoers file and install it, replacing an existing one.

cd /p4/sdp/Server/Unix/setup
./gen_sudoers.sh -ls -f -y

EXAMPLE 4: Generate a full sudoers file and install it, replacing an

cd /p4/sdp/Server/Unix/setup
./gen_sudoers.sh -fs -f -y
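As an added illustration (not the SDP's own gen_sudoers.sh code), the shell functions below reproduce the behaviour the usage text describes: the one-line full-sudo form, a limited form with one explicit entry per SDP instance and utility paths resolved on the current machine, a review check that rejects a '*' instance wildcard, and the '-y'/'-f' install step to <dir>/<OSUSER> with mode 0400. The p4d_<instance> systemd unit names and the specific commands granted are assumptions, not taken from the real script.

```shell
#!/bin/bash
# Added illustration, not the SDP's own gen_sudoers.sh: emits the two kinds
# of sudoers fragment the usage text describes, checks the limited one for
# the '*' instance wildcard, and mimics the '-y'/'-f' install step.
# The p4d_<instance> unit names and granted commands are assumptions.

# Resolve a utility to the path valid on this machine (what the script does
# instead of listing every known location). Fails silently if not installed.
resolve_util() {
    command -v "$1" 2>/dev/null
}

# Full sudo ('-fs'): the one-line form quoted in the usage text.
gen_full_sudoers() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# Limited sudoers ('-ls'): one explicit entry per SDP instance, never 'p4d_*'.
# $1 = OS user; remaining args = instance names (e.g. 1 abc).
gen_limited_sudoers() {
    osuser="$1"; shift
    for inst in "$@"; do   # assumed systemd unit naming: p4d_<instance>
        printf '%s ALL=(root) NOPASSWD: /bin/systemctl start p4d_%s, /bin/systemctl stop p4d_%s\n' \
            "$osuser" "$inst" "$inst"
    done
    for util in lslocks setcap getcap; do
        path=$(resolve_util "$util") || continue   # skip utilities not present
        printf '%s ALL=(root) NOPASSWD: %s\n' "$osuser" "$path"
    done
}

# Review check before installing: returns 0 if no wildcard instance entry.
no_instance_wildcard() {
    ! printf '%s\n' "$1" | grep -q 'p4d_\*'
}

# Install step mirroring '-y': write <dir>/<OSUSER> with mode 0400, refusing
# to replace an existing file unless $4 is "yes" (the '-f' option).
# $3 defaults to /etc/sudoers.d; the test points it at a temp dir.
install_sudoers() {
    dest="${3:-/etc/sudoers.d}/$1"
    if [ -e "$dest" ]; then
        [ "${4:-no}" = "yes" ] || { echo "$dest exists; use -f to overwrite" >&2; return 1; }
        rm -f "$dest"
    fi
    printf '%s\n' "$2" > "$dest" && chmod 0400 "$dest"
}
```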
# | Change | User | Description | Committed
---|---|---|---|---
#1 | 30681 | C. Thomas Tyler | Added gen_sudoers.sh script to generate a sudoers file for perforce OSUSER. This generates a more secure limited sudoers file. Previously, adding a sudoers entry for the OSUSER (usually 'perforce') was done only by the Helix Installer. In the Helix Installer variant, a single "one-size-fits-all" sudoers file was used, with the following characteristics: * The instances for Helix Core services were referenced with a '*' wildcard to match all SDP instances, which has since been determined to introduce a vulnerability. In this new script, the wildcard is replaced with separate entries for each SDP instance. * There were entries for all known paths of utilities like lslocks, setcap, and getcap. This new script generates the correct path valid for the current machine. With this change, the functionality will be available in the SDP directly. This new gen_sudoers.sh script can be called by mkdirs.sh directly to update the sudoers file each time a new SDP instance is added, if the new '-fs' (full sudo) or '-ls' (limited sudoers) entries are used. There is no change to the default behavior of mkdirs.sh; only a change if new options are utilized. This script comes with docs and examples for the new script as well as doc changes for mkdirs.sh. (Also added missing documentation for the '-no_enable' option). Further changes needed: * Add doc reference in SDP_Guide.Unix.adoc |