Public bug reported:

Whilst building out a new set of AWS AMIs I have a need to explicitly deny `sudo` access to a subset of users. We are using `cloud-init` for the management of these user resources via the users and groups module[1].

By default, `cloud-init` doesn't assign `sudo` permissions to a user if you leave it out of the `users` dictionary[2]. This is a great start, however it does mean that we're relying on an external tool (and their maintainers) for what they think is a suitable default. While we are aligned now, there is a possibility in the future that this may change and leave us in a position where we are inadvertently assigning `sudo` to users that we may not wish to. Fingers crossed our test suite would cover this happening, however I'd prefer a belt and braces approach for more confidence.

Based on the above, I'd like to propose that providing `sudo: False` in the user dictionary would prevent the user from ever gaining elevated permissions. If I've dug into this correctly, I think this would be a relatively easy feature to implement. It would involve updating `cloudinit/distros/__init__.py#L534` to be the following:

```python
# Configure sudo access
if 'sudo' in kwargs and kwargs['sudo'] is not False:
    self.write_sudo_rules(name, kwargs['sudo'])
```

From my testing this _should_ be enough but open to hear other options.

[1]: http://cloudinit.readthedocs.io/en/latest/topics/modules.html#users-and-groups
[2]: https://github.com/cloud-init/cloud-init/blob/b27f713ae5b4c5b38eda63758dbaeab92be13b9d/cloudinit/config/cc_users_groups.py#L57

** Affects: cloud-init
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1771468

Title:
  Allow a way to explicitly disable sudo for a user

Status in cloud-init:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1771468/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
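The opt-out check proposed in the report, modelled as a standalone decision function so it can be exercised against a parsed `users:` list before an AMI is baked. This is an added example, not cloud-init's own code: the function names, the `<user> <rule>` line format used for the rendered sudoers fragment, and the sample users are assumptions made here for illustration. It also covers one edge case the identity check implies: a quoted YAML value (`sudo: "false"`) arrives as a string, not the boolean, and so would still be written as a rule.

```python
# Added example, not cloud-init's own code: models the proposed
# `'sudo' in kwargs and kwargs['sudo'] is not False` check as a standalone
# decision function and adds an audit pass over a cloud-config `users` list.
# Function names, the sudoers line format and the sample users are assumptions.
from typing import Dict, Iterable, List, Optional, Set


def sudo_rules_for_user(user_cfg: Dict[str, object]) -> Optional[List[str]]:
    """Return the sudo rules to write for one `users` entry, or None if the
    user must receive no sudo rules at all.

    Decision table (same shape as the proposed patch):
      key absent          -> None   (current default: nothing written)
      sudo: false         -> None   (explicit opt-out; YAML false is Python False)
      sudo: "<rule>"      -> ["<rule>"]
      sudo: ["<r1>", ...] -> ["<r1>", ...]
    Anything else (e.g. `sudo: true`) is rejected, because the proposal only
    special-cases False and a bare boolean is not a sudoers rule.
    """
    if "sudo" not in user_cfg:
        return None
    spec = user_cfg["sudo"]
    # Identity check on the boolean, as in the proposed patch. A quoted YAML
    # value ("false") arrives as the string "false" and therefore does NOT
    # opt out; it would be written as a (broken) rule. The audit below
    # surfaces that case.
    if spec is False:
        return None
    if isinstance(spec, str):
        return [spec]
    if isinstance(spec, (list, tuple)):
        return [str(rule) for rule in spec]
    raise TypeError(
        f"unsupported sudo value {spec!r} for user {user_cfg.get('name')!r}"
    )


def render_sudoers_fragment(name: str, rules: List[str]) -> str:
    """Render `<user> <rule>` lines in the style of a sudoers.d drop-in
    (format assumed here for illustration)."""
    return "".join(f"{name} {rule}\n" for rule in rules)


def audit_sudo_users(users: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each user that would receive sudo rules to those rules, so an AMI
    build can assert that the deny-listed users are absent from the result."""
    granted: Dict[str, List[str]] = {}
    for user_cfg in users:
        name = str(user_cfg["name"])
        rules = sudo_rules_for_user(user_cfg)
        if rules is not None:
            granted[name] = rules
    return granted


def check_denied_users_have_no_sudo(
    users: List[Dict[str, object]], deny_list: Iterable[str]
) -> Set[str]:
    """Return the deny-listed users that would still get sudo rules."""
    return set(audit_sudo_users(users)) & set(deny_list)


# Constructed sample: what the `users:` list of a cloud-config looks like after
# YAML parsing (YAML `false` -> Python False, quoted "false" -> str).
SAMPLE_USERS: List[Dict[str, object]] = [
    {"name": "ops", "sudo": "ALL=(ALL) NOPASSWD:ALL"},
    {"name": "deploy", "sudo": ["ALL=(root) NOPASSWD:/usr/bin/systemctl restart app"]},
    {"name": "auditor", "sudo": False},        # explicit opt-out
    {"name": "intern"},                        # relies on the default
    {"name": "contractor", "sudo": "false"},   # quoted: NOT an opt-out
]

# Users that must never be able to escalate on this image (constructed).
DENY_SUDO = {"auditor", "intern", "contractor"}


if __name__ == "__main__":
    for name, rules in audit_sudo_users(SAMPLE_USERS).items():
        print(render_sudoers_fragment(name, rules), end="")
    leaked = check_denied_users_have_no_sudo(SAMPLE_USERS, DENY_SUDO)
    print("deny-listed users that would still get sudo:", sorted(leaked))
```

Running the audit over the sample list reports `contractor` as a deny-listed user that would still receive a rule, which is the failure mode a test suite around this feature should catch: the explicit opt-out only works when the value reaches the check as the boolean `False`.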