[[Sudo @ ICS]]
Trace: Sudo @ ICS
Show pagesource
Recent ChangesSitemap

This is an old revision of the document!

Table of Contents

Sudo @ ICS

This page has been created to share philosophy and policy regarding ICS sudo and provide sudo alternatives. If you don't find the answer you are looking for here, or if you find an incorrect or incomplete answer, send mail to helpdesk@ics.uci.edu

Sudoers

Some ICS research hosts are cordoned into a security sandbox and users have access to sudo commands. See OS support levels

Philosophy

The system operations team strives to strike balance between allowing researcher to self manage their computing resources and maintaining maximum stability, conformity, and security of the systems we manage. We acknowledge that it can take a little bit longer to reach out to helpdesk@ics.uci.edu, but it also allows us to provide updates safely, securely and uniformly across the entire ICS fleet. Our team makes best effort to avoid the role of the gatekeeper or to be a blocker. At the same time, we want to limit the any critical problems, such as a broken package dependency, to derail your work when your team does have a deadline.

Delegation of Authority

With that in mind, we group sudo privileges into the following broad groupings:

  • Senior team members have sudo access to update or make changes to the system.
  • Other team members may have sudo access to commands that ephemoral or informational.

We ask researchers for points of contact, typically one or two senior grad student that have familiarity with all the group projects. These team members will be called on by the systems operations group in the expanded capacities:

  1. coordinate system maintenance for the group
  2. sends/approves software change requests
  3. request visitor accounts
  4. control of group's slurm partitions

Common Pitfalls

Examples of ways that promiscuous sudo privilege can block research.

Update Alternatives Contention

Multiple versions of programs, such as Java or Python, are present on most linux distributions. On Ubuntu, switching the default java or python version is as simple as installing a package that runs the update-alternatives command. An change to the default version that isn't carefully considered and discussed ahead of time can disrupt projects and will be time-consuming to detect.

Broken Package Dependencies

The yum and apt package managers on occasion break and it can be difficult, if not impossible, to resolve non-sensical package dependencies. To reduce risk of problems we ask that package updates privileges be restricted to a small number of users.

Usage

Run the following command for a list of sudo commands available to you: 

sudo -l

If you feel that you require access to a command that is not on the list, please email helpdesk@ics.uci.edu.

In that cases that you have been granted sudo access to a host, please consider what it means to have that privilege.

  • Broken or corrupt OS and system software will be repaired by total reinstallation.
  • Backup of local storage is your responsibility. Mount your ICS Home Directory and copy important data there.
  • Accounts are managed centrally by helpdesk@ics.uci.edu.
  • Request permanent changes to the OS and system software from helpdesk@ics.uci.edu.
  • Make no changes that would interfere with the ICS Computing Support group to manage the computer
  • Make no changes that would prevent ICS Puppet from updating the configuration of the machine.
  • The machines are monitored (grafanaand Icinga2@ics). Alerts will trigger a response.

Sudo Alternatives

Package (yum/apt) installation

It would not be useful to allow every body on the openlab to add or remove packages as they saw fit so we don't give out sudo permission for that. However, that doesn't mean you that the package you want' isn't available or that you cannot install your own packages.

Modules

Natively, CentOS and Ubuntu may not provide the latest program versions. To address this, ICS Computing Support will provide locally compiled software as part of the ICS Software Libraray.

You may add these packages to your environment by invoking the module command.

Add slurm to your path: 

module load slurm

Add julia/1.6.0 to your path: 

module load julia/1.6.0

See which versions of gcc are avaialble: 

module avail gcc

Python3 Packages

Most python and anaconda packages do not require root privilege to install. See the following URL for instructions on installing Python libraries, including how to upgrade pip:

See https://wiki.ics.uci.edu/doku.php/software:personal_library#python3

Compiling Software from Source

Software source can be compiled and installed to writable storage by any user without SUDO.

Use the –prefix option to rehome the package 

./configure --prefix=$HOME/pkg/pkg_name/version

See this link for a little bit more information.

find

sudo privilege is not required to search areas of the filesystem that belong to you or public spaces. Due to our security policies many areas of the filesystem are not going to be accessible to root. Please reach out to helpdesk@ics.uci.edu if you feel you need to search an area of the file system that you do not have access to.

ldconfig

Set your LD_LIBRARY_PATH And LD_RUN_PATH instead. For example:

Add a lib directory in your home directory to be search when running programs (bash/zsh) 

export LD_LIBRARYPATH=$LD_LIBRARY_PATH:$HOME/lib

Order is important, if you want your personal library searched BEFORE system libs reverse the rder: 

export LD_LIBRARYPATH=$HOME/lib:$LD_LIBRARY_PATH

Loading modules will automatically add necessary libraries to your LD_LIBRARY_PATH or LD_RUN_PATH.

lshw

This command will return some information for non-root users, although the information may be incomplete.

You may also run the following commands to get additional system information:

  • lsblk: information and attached block devices (e.g. disks).
  • lsscsi: information and devices on the scsi buss
  • cat /proc/meminfo: information about system memory
  • cat /proc/cpuinfo: information about the system cpus
  • top/htop: broad information about processes and resource consumption
  • dmesg: startup messages

firewalls

ICS managed computing employsiptables. Ports above 1024 on managed instructional and research Linux computing should be open to campus and VPN addresses. Please send request for restricted ports, ports less than 1024, and other special requests to helpdesk@ics.uci.edu.

Note: Some local sudo users may have privilege to run /usr/sbin/iptables to open and close ports but any changes will be ephemeral. Please send a request to helpdesk@ics.uci.edu to make them permanent.

Reboot/Shutdown

Please reach out to helpdesk@ics.uci.edu if you believe a machine needs to be rebooted.

Shells

Sudo shell access is not allowed, it would allow users to circumvent the policies we have in place to protect security.

Sudoer Template

Our system reported that you ran the sudo command recently. I going to take this opportunity to share this wiki page that describes our sudoers policy, reasoning, and potential alternatives: 

https://wiki.ics.uci.edu/doku.php/policies:sudoers

This page doesn't require you to login but links from this page may require ICS credentials to login.

policies/sudoers.1668026048.txt.gz · Last modified: 2022/11/09 12:34 by hans
Show pagesourceOld revisions
Media ManagerBack to top
CC Attribution-Noncommercial-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0