[SATLUG] Help defining group and role permissions for programmers

Matthew matthew at infodancer.org
Fri Mar 17 18:36:01 CDT 2017

On 03/17/2017 10:14 AM, mbedded wrote:
> Hello all,
> I've been asked by a friend to help better secure his CentOS server(s).Specifically, the current task at hand is to try and enforce group memberships and role permissions. Right now, the rascals are just su/sudo as 'root' to do the things they need to and obviously this is not secure.
Disable their ability to su to root, first of all.  Then configure sudo
to allow access to only the specific commands you want them to have
access to.
> There's some programmers/developers writing software and they need the ability to:1) start/stop web server
Configure sudo to allow the command to do this as one of the allowed
commands, and make sure that sudo is configured to only allow those
specific commands rather than a general use of "root".  Make sure the
programmer group cannot modify the script that starts and stops the web
> 2) install and update development libraries and utilities.
This needs a more useful definition of what they actually need to do. 
Install software on the server that runs as their own user account? 
Trivial and they can probably can already do it.  Does it need to be run
by the web server?  Harder, and they might need to modify the webserver
configuration too.  Install using the package manager to the whole
system?  If you give them that and they can install unsigned packages
they can get root.

I think the canonical answer is that they should do their development on
a local web server they have root for (ie, their development platform)
and coordinate with an admin for installing software on a secure
webserver.  That said, you could make the configuration files for the
webserver group-writable and owned by the programmer/developer group. 
Combined with the above, they could modify the webserver configuration
and restart the webserver.  The details will depend on which webserver, etc.

Depending on how the configuration is set up, you might be able to get
away with allowing them to modify just one file that is included by the
official files, so they can't change most of the configuration, at least
not easily.

If they don't have desktops that can run the webserver you use, I'd be
tempted to give them each a separate install of the webserver, owned by
their own user account, using a specific non-standard and non-secure
port, and let the admin update the "official" webserver configuration in
collaboration with the developer.
> Defining the group 'programmer' is not the problem. I don't know how to go about setting permissions for the role 'developer'. 
> Does anybody have some experience in setting up a role with these kinds of privileges? 
Debian systems have a predefined "staff" account that might be more
standard than "developer" or "programmer".   Not sure if CentOS has
anything similar.

More information about the SATLUG mailing list