Sudo @ ICS

This page has been created to share policy regarding ICS sudoers and provide sudo alternatives. If you don't find the answer you are looking for here, or if you find an incorrect or incomplete answer, send mail to helpdesk@ics.uci.edu.

Sudoers

Some ICS hosts are cordoned into a security sandbox and users have access to sudoers commands. See OS support levels.

Run the following command for a list of sudo commands available to you:

sudo -l

If you feel that you require access to a command that is not on the list, please email helpdesk@ics.uci.edu.

In the case that you have been granted sudo access to a host, please consider what it means to have that privilege.

  • Broken or corrupt OS and system software will be repaired by total reinstallation.
  • Backup of local storage is your responsibility. Mount your ICS Home Directory and copy important data there.
  • Accounts are managed centrally by helpdesk@ics.uci.edu.
  • Request permanent changes to the OS and system software from helpdesk@ics.uci.edu.
  • Make no changes that would interfere with the ability of the ICS Computing Support group to manage the computer.
  • Make no changes that would prevent ICS Puppet from updating the configuration of the machine.
  • The machines are monitored (Grafana and Icinga2@ics). Alerts will trigger a response.

Sudo Alternatives

Package (yum/apt) installation

It would not be useful to allow everybody on the openlab to add or remove packages as they saw fit, so we don't give out sudo permission for that. However, that doesn't mean that the package you want isn't available or that you cannot install your own packages.

Modules

Natively, CentOS and Ubuntu may not provide the latest program versions. To address this, ICS Computing Support will provide locally compiled software as part of the ICS Software Library.

You may add these packages to your environment by invoking the module command.

Add slurm to your path:

module load slurm

Add julia/1.6.0 to your path:

module load julia/1.6.0

See which versions of gcc are available:

module avail gcc

Python3 Packages

Most Python and Anaconda packages do not require root privilege to install. See the following URL for instructions on installing Python libraries, including how to upgrade pip:

https://wiki.ics.uci.edu/doku.php/software:personal_library#python3

Compiling Software from Source

Software source can be compiled and installed to writable storage by any user without sudo.

Use the --prefix option to rehome the package:

./configure --prefix=$HOME/pkg/pkg_name/version 

See this link for a little bit more information.

find

sudo privilege is not required to search areas of the filesystem that belong to you or public spaces. Due to our security policies, many areas of the filesystem are not going to be accessible to root. Please reach out to helpdesk@ics.uci.edu if you feel you need to search an area of the filesystem that you do not have access to.

ldconfig

Set your LD_LIBRARY_PATH and LD_RUN_PATH instead. For example:

Add a lib directory in your home directory to be searched when running programs (bash/zsh):

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/lib

Order is important. If you want your personal library searched BEFORE system libs, reverse the order:

export LD_LIBRARY_PATH=$HOME/lib:$LD_LIBRARY_PATH

Loading modules will automatically add necessary libraries to your LD_LIBRARY_PATH or LD_RUN_PATH.
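
When LD_LIBRARY_PATH is unset or already contains a stray colon, joining directories with a bare ":" leaves an empty entry in the list, and the dynamic loader treats an empty entry as the current working directory. The following is an added example for sh/bash, not part of the original page; the helper names and the /opt/demo/lib directory are hypothetical. It detects empty entries and builds the value without empty or duplicate entries.

```shell
#!/bin/sh
# Added example (not from the ICS wiki). Helper names are hypothetical.
# An empty entry in LD_LIBRARY_PATH (leading ":", trailing ":" or "::")
# makes the dynamic loader search the current working directory.

# path_has_empty LIST: succeed if LIST contains an empty entry.
path_has_empty() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}

# path_clean LIST: print LIST without empty or duplicate entries.
# The body is a subshell so the IFS and globbing changes do not leak.
path_clean() (
    IFS=:
    set -f
    out=
    for d in $1; do
        [ -n "$d" ] || continue                       # drop empty entries
        case ":$out:" in *":$d:"*) continue ;; esac   # drop duplicates
        out=${out:+$out:}$d
    done
    printf '%s\n' "$out"
)

# path_prepend DIR LIST: DIR is searched before everything in LIST.
path_prepend() { path_clean "$1:$2"; }

# path_append DIR LIST: DIR is searched after everything in LIST.
path_append() { path_clean "$2:$1"; }

# Constructed demo values; /opt/demo/lib is a made-up directory.
naive=":$HOME/lib"   # what "$LD_LIBRARY_PATH:$HOME/lib" yields when unset
if path_has_empty "$naive"; then
    echo "naive value '$naive' has an empty entry (current directory)"
fi
echo "append:  $(path_append "$HOME/lib" "")"
echo "prepend: $(path_prepend "$HOME/lib" "/opt/demo/lib:$HOME/lib")"

# Typical use in ~/.bashrc:
#   export LD_LIBRARY_PATH=$(path_prepend "$HOME/lib" "$LD_LIBRARY_PATH")
```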

lshw

This command will return some information for non-root users, although the information may be incomplete.

You may also run the following commands to get additional system information:

  • lsblk: information about attached block devices (e.g. disks)
  • lsscsi: information about devices on the SCSI bus
  • cat /proc/meminfo: information about system memory
  • cat /proc/cpuinfo: information about the system cpus
  • top/htop: broad information about processes and resource consumption
  • dmesg: startup messages

firewalls

ICS managed computing employs iptables. Ports above 1024 on managed instructional and research Linux computing should be open to campus and VPN addresses. Please send requests for restricted ports, ports less than 1024, and other special requests to helpdesk@ics.uci.edu.

Note: Some local sudo users may have privilege to run /usr/sbin/iptables to open and close ports but any changes will be ephemeral. Please send a request to helpdesk@ics.uci.edu to make them permanent.

Reboot/Shutdown

Please reach out to helpdesk@ics.uci.edu if you believe a machine needs to be rebooted.

Shells

Sudo shell access is not allowed; it would allow users to circumvent the policies we have in place to protect security.

Sudoer Template

Our system reported that you ran the sudo command recently. I am going to take this opportunity to share this wiki page that describes our sudoers policy, reasoning, and potential alternatives:

https://wiki.ics.uci.edu/doku.php/policies:sudoers

This page doesn't require you to log in, but links from this page may require ICS credentials to log in.

policies/sudoers.1667841892.txt.gz · Last modified: 2022/11/07 09:24 by hans
CC Attribution-Noncommercial-Share Alike 4.0 International