Differences

This shows you the differences between two versions of the page.

--- policies:sudoers [2023/01/18 07:50]
hans [Package (yum/apt) installation]
+++ policies:sudoers [2024/07/15 09:26] (current)
hans [Sudoer Mess BoilerplatesTemplate]
@@ Line 2: / Line 2: @@
 This page has been created to share philosophy and policy regarding ICS sudo and provide sudo alternatives.  If you don't find the answer you are looking for here, or if you find an incorrect or incomplete answer, send mail to helpdesk@ics.uci.edu
+====== Take-away ======
+The big thing that everyone takes away from this document is that sudo root should be used in one of these three situations:
+# To start or stop a service on a privileged port or via the systemctl command
+# Install packages via apt or yum.
+# To collect information or make configuration changes to the system that is not available to another user such as apache or postgres.
+If your use of sudo usage doesn't comport to one of these three uses, continue reading or reach out to helpdesk@ics.uci.edu and we'll suggest convenient alternatives that your whole team can use.
 ===== Sudoers =====
@@ Line 9: / Line 19: @@
 ==== Philosophy ====
-The system operations team strives to strike balance between allowing researcher to self manage their computing resources and  maintaining maximum stability, conformity, and security of the systems we manage.  We acknowledge that it can take a little bit longer to reach out to helpdesk@ics.uci.edu, but it also allows us to provide updates safely, securely and uniformly across the entire ICS fleet.  Our team makes best effort to avoid the role of the gatekeeper or to be a blocker.  At the same time, we want to limit the any critical problems, such as a broken package dependency, to derail your work when your team does have a deadline.
+The system operations team strives to strike a balance between allowing researchers to self manage their computing resources and  maintaining maximum stability, conformity, and security of the systems we manage.  We acknowledge that it can take a little bit longer to reach out to helpdesk@ics.uci.edu, but it also allows us to provide updates safely, securely and uniformly across the entire ICS fleet.  Our team makes best effort to avoid the role of the gatekeeper or to be a blocker.  At the same time, we want to limit any critical problems, such as a broken package dependency, to derail your work when your team does have a deadline.
 === Delegation of Authority ===
@@ Line 16: / Line 26: @@
   * Senior team members have sudo access to update or make changes to the system.
-  * Other team members may have sudo access to commands that ephemoral or informational.
+  * Other team members may have sudo access to commands that are ephemeral or informational.
-We ask researchers for points of contact, typically one or two senior grad student that have familiarity with all the group projects.  These team members will be called on by the systems operations group in the expanded capacities:
+We ask researchers for points of contact, typically one or two senior grad students that have familiarity with all the group projects.  These team members will be called on by the systems operations group in the expanded capacities:
   - coordinate system maintenance for the group
@@ Line 32: / Line 42: @@
 == Update Alternatives Contention ==
-Multiple versions of programs, such as Java or Python, are present on most linux distributions.  On Ubuntu, switching the default java or python version is as simple as installing a package that runs the [[https://manpages.ubuntu.com/manpages/trusty/man8/update-alternatives.8.html|update-alternatives]] command.   An change to the default version that isn't carefully considered and discussed ahead of time can disrupt projects and will be time-consuming to detect.
+Multiple versions of programs, such as Java or Python, are present on most linux distributions.  On Ubuntu, switching the default java or python version is as simple as installing a package that runs the [[https://manpages.ubuntu.com/manpages/trusty/man8/update-alternatives.8.html|update-alternatives]] command.   A change to the default version that isn't carefully considered and discussed ahead of time can disrupt projects and will be time-consuming to detect.
 == Broken Package Dependencies ===
-The yum and apt package managers on occasion break and it can be difficult, if not impossible, to resolve non-sensical package dependencies.  To reduce risk of problems we ask that package updates privileges be restricted to a small number of users.
+The yum and apt package managers on occasion break and it can be difficult, if not impossible, to resolve nonsensical package dependencies.  To reduce risk of problems we ask that package updates privileges be restricted to a small number of users.
 ==== Usage  ====
@@ Line 44: / Line 54: @@
 sudo -l
 </code>
+=== Filesystem (e.g. mkdir, mv, cp, etc) ===
+Using the sudo command to create or edit files in this space is typically unnecessary and can be counterproductive  for your team.  Using root privilege escalation to create and edit files will block team members that do not have root privilege (ICS follows the [[https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege|principal of least privilege]]).
+Alternatives:
+== Local Storage ==
+All ICS systems have world or group writable local storage.   Every system is going to have /tmp and /scratch directories.  Many research directories will also have local drives mounted beneath /drv or /srv.   Many other systems have undeployed storage.   If you have questions about what is available on a particular workstation, please send mail to helpdesk@ics.uci.edu
+== Group accounts ==
+If you need to share storage with your team, use your [[accounts:gsu]].   It works the same way as root sudo, but avoids the requirement that the entire team has root sudo.  The group account can use all the same local storage as well as, on many systems, NFS storage.
 === Universal Student Access ===
@@ Line 53: / Line 77: @@
 If you feel that you require access to a command that is not on the list, please email helpdesk@ics.uci.edu.
-In that cases that you have been granted sudo access to a host, please consider what it means to have that privilege.
+In the cases that you have been granted sudo access to a host, please consider what it means to have that privilege.
   * Broken or corrupt OS and system software will be repaired by total reinstallation.
@@ Line 62: / Line 86: @@
   * Make no changes that would prevent [[services:puppet|ICS Puppet]] from updating the configuration of the machine.
   * The machines are monitored ([[services:monitoring:grafana|grafana]]and [[services:monitoring:icinga2|]]).  Alerts will trigger a response.
 ===== Sudo Alternatives =====
+==== Using Code in Openlab ====
+We've seen a lot of students trying to install code.  This isn't going to work because sudo, but also because the X Server isn't near fast enough.
+Alternative 1:   Use [[https://wiki.ics.uci.edu/doku.php/virtual_environments:jupyterhub|Jupyterhub@ICS]]:  https://hub.ics.uci.edu
+Alternative 2:  Run VSCode locally but run programs on Openlab using  "[[https://code.visualstudio.com/docs/remote/ssh|Visual Studio Code Remote - SSH]]".
+Alternative 3:  [[https://wiki.ics.uci.edu/doku.php/accounts:mapping_network_drive|Map your network drive]] and run code locally on your computer.
 ==== Package (yum/apt) installation ====
-It would not be useful to allow every body on the openlab to add or remove packages as they saw fit so we don't give out sudo permission for that.  However, that doesn't mean you that the package you want' isn't available or that you cannot install your own packages.
+It would not be useful to allow everybody on the openlab to add or remove packages as they saw fit so we don't give out sudo permission for that.  However, that doesn't mean that the package you want' isn't available or that you cannot install your own packages.
 === Modules ===
@@ Line 73: / Line 108: @@
 **An alternative to update-alternatives**
-Natively, CentOS and Ubuntu may not provide the latest program versions.  To address this, ICS Computing Support will provide locally compiled software as part of the [[software:software_library|ICS Software Libraray]].
+Natively, CentOS and Ubuntu may not provide the latest program versions.  To address this, ICS Computing Support will provide locally compiled software as part of the [[software:software_library|ICS Software Library]].
 You may add these packages to your environment by invoking the [[commands:modules|module command]].
@@ Line 93: / Line 128: @@
 </code>
-See which versions of gcc are avaialble:
+See which versions of gcc are available:
 <code>
 module avail gcc
@@ Line 104: / Line 139: @@
 On instruction and research systems, several versions of python are provided.  These may be invoked by specifying the longer version:  e.g. /usr/bin/python3.7
-See what is available locall by using [[https://www.howtogeek.com/195207/use-tab-completion-to-type-commands-faster-on-any-operating-system/|shell tab completion]].
+See what is available locally by using [[https://www.howtogeek.com/195207/use-tab-completion-to-type-commands-faster-on-any-operating-system/|shell tab completion]].
-You can also wee which versions of python are availe by using wildcards:
+You can also see which versions of python are available by using wildcards:
 <code>
@@ Line 116: / Line 151: @@
 Most python and anaconda packages do not require root privilege to install.  See the following URL for instructions on installing Python libraries, including how to upgrade pip:
-See [[https://wiki.ics.uci.edu/doku.php/software:personal_library#python3]]
+See [[https://wiki.ics.uci.edu/doku.php/software:python]]
@@ Line 122: / Line 157: @@
 The MySQL and PostgreSL servers run on unprivileged ports and it is best practice to run these as a non-root user.  Please see this page for running [[[[services:database:mysql:unprivileged-users|MySQL as an unprivileged user]].  Please request a [[accounts:gsu|group account]] from helpdesk@ics.uci.edu if your team would like to share ownership of a MySQL server.
+=== NodeJS ===
+See [[https://wiki.ics.uci.edu/doku.php/software:nodejs]]
 ==== Compiling Software from Source ====
@@ Line 147: / Line 186: @@
 </code>
-Order is important, if you want your personal library searched BEFORE system libs reverse the rder:
+Order is important, if you want your personal library searched BEFORE system libs reverse the order:
 <code>
 export LD_LIBRARYPATH=$HOME/lib:$LD_LIBRARY_PATH
@@ Line 161: / Line 200: @@
   * lsblk:  information and attached block devices (e.g. disks).
-  * lsscsi:  information and devices on the scsi buss
+  * lsscsi:  information and devices on the scsi bus
   * cat /proc/meminfo:  information about system memory
   * cat /proc/cpuinfo:  information about the system cpus
@@ Line 169: / Line 208: @@
 ==== firewalls ====
-ICS managed computing employs[[network:firewall:iptables|iptables]].  Ports above 1024 on managed instructional and research Linux computing should be open to campus and VPN addresses.  Please send request for restricted ports, ports less than 1024, and other special requests to helpdesk@ics.uci.edu.
+ICS managed computing employs[[network:firewall:iptables|iptables]].  Ports above 1024 on managed instructional and research Linux computing should be open to campus and VPN addresses.  Please send requests for restricted ports, ports less than 1024, and other special requests to helpdesk@ics.uci.edu.
 **Note:**  Some local sudo users may have privilege to run /usr/sbin/iptables to open and close ports but any changes will be ephemeral.  Please send a request to helpdesk@ics.uci.edu to make them permanent.
@@ Line 182: / Line 221: @@
 Sudo shell access is not allowed, it would allow users to circumvent the policies we have in place to protect security.
-===== Sudoer Template =====
+===== Sudoer Mess BoilerplatesTemplate =====
+=== General===
+<code>
 Our system reported that you ran the sudo command recently.  I going to take this opportunity to share this wiki page that describes our sudoers policy, reasoning, and potential alternatives:
@@ Line 189: / Line 231: @@
 This page doesn't require you to login but links from this page may require ICS credentials to login.
+</code>
+=== Unnecessary Sudo Invocations ===
+You are receiving this message because you recently tried running a command with sudo.
+The command invoked does not require sudo privilege and can be run as your own user.  Please let us know if there is a specific reason you felt that it was necessary to invoke via sudo.   If we can figure out a non-sudo way to accomplish the same thing I will add it to our sudoers page:
+  https://wiki.ics.uci.edu/doku.php/policies:sudoers
+Typically, the sudo command should be used exclusively to invoke commands not available to an  ordinary user such as  installing a package (apt or yum) or running a service on a privileged port (less than 1024).
+=== Installation Alternatives ===
+You are receiving this message because you recently tried running a command with sudo on an ICS managed server.
+The following page details several alternative methods to accomplish what you were trying to do with the sudo command:
+    https://wiki.ics.uci.edu/doku.php/policies:sudoers
+When using `pip install`, please use the --user switch to install into space that you own.
+  pip install --user nltk
+  pip install --user requests
+If you do not see a command in your path, please look at ICS modules with `module avail`:
+  https://wiki.ics.uci.edu/doku.php/commands:modules
+Module ex.
+  $ module avail go
+  ------------ /pkg/modules/modulefiles ------------
+  go/1.12.1 go/1.13.1 go/1.15.6 go/1.8.3  go/1.9
+  circinus-3 09:00:45 ~
+  $ module load go
+  circinus-3 09:00:47 ~
+  $ which go
+  /pkg/go/1.15.6/bin/go
+You can determine what programs are available in your path using the which command:
+  circinus-3:~# which wget
+  /usr/bin/wget
+  circinus-3:~# which valgrind
+  /usr/bin/valgrind
+  circinus-3:~#  which go
+  /pkg/go/1.15.6/bin/go
+=== Disk Usage ===
+Hello <Name>,
+We recorded the recent sudo activity on your account on <DATE>:
+The command recorded was "sudo /bin/du -h". Were you trying to get dis usage on the host? Were you just trying to look at your home directory but made a mistake? Please let us know what you were trying to do and maybe I could help.
+Thank you and have a great day,
+=== Shell and service invocations ===
+Our system reported that you ran the sudo command recently.  I'm going to take this opportunity to share this wiki page that describes our sudoers policy, reasoning, and potential alternatives:
+  [[https://wiki.ics.uci.edu/doku.php/policies:sudoers]]
+This page doesn't require you to login but links from this page may require ICS credentials to login.
+Some of the key points:
+  * Services on unprivileged ports (above 1024) should not run with sudo
+  * Sudo shell invocations are usuaully unecessary, we can find alternatives.
+  * Software not available via package managers may be installed in user space.
+ Please let us know if there is a specific challenge that caused you to use sudo and we can help figure out an alternative way to accomplish the same thing.
+===== Troubleshooting =====
+=== Q.  sudo: error initializing audit plugin sudoers_audit ===
+**Symptoms:** Sudo runs fine as root user but produces this error when run as a non-root user.
+<code>
+sudo: error initializing audit plugin sudoers_audit
+</code>
+**Cause:** User does not exist