Sudo @ ICS
This page has been created to share the philosophy and policy regarding ICS sudo and to provide sudo alternatives. If you don't find the answer you are looking for here, or if you find an incorrect or incomplete answer, send mail to helpdesk@ics.uci.edu
Sudoers
Some ICS research hosts are cordoned into a security sandbox, and users on them have access to sudo commands. See OS support levels.
Philosophy
The system operations team strives to strike a balance between allowing researchers to self-manage their computing resources and maintaining maximum stability, conformity, and security of the systems we manage. We acknowledge that it can take a little bit longer to reach out to helpdesk@ics.uci.edu, but it also allows us to provide updates safely, securely and uniformly across the entire ICS fleet. Our team makes a best effort to avoid the role of gatekeeper or blocker. At the same time, we want to keep critical problems, such as a broken package dependency, from derailing your work when your team has a deadline.
Delegation of Authority
With that in mind, we group sudo privileges into the following broad groupings:
- Senior team members have sudo access to update or make changes to the system.
- Other team members may have sudo access to commands that are ephemeral or informational.
We ask research groups for points of contact, typically one or two senior grad students who are familiar with all of the group's projects. These team members will be called on by the systems operations group in the following expanded capacities:
- coordinate system maintenance for the group
- send/approve software change requests
- request visitor accounts
- control the group's Slurm partitions
Common Pitfalls
Examples of ways that promiscuous sudo privilege can block research:
Update Alternatives Contention
Multiple versions of programs, such as Java or Python, are present on most Linux distributions. On Ubuntu, switching the default java or python version is as simple as installing a package that runs the update-alternatives command. A change to the default version that isn't carefully considered and discussed ahead of time can disrupt projects and will be time-consuming to detect.
Broken Package Dependencies
The yum and apt package managers break on occasion, and it can be difficult, if not impossible, to resolve nonsensical package dependencies. To reduce the risk of problems we ask that package update privileges be restricted to a small number of users.
Usage
Run the following command for a list of sudo commands available to you:
sudo -l
Filesystem (e.g. mkdir, mv, cp, etc)
Using the sudo command to create or edit files in this space is typically unnecessary and can be counterproductive for your team. Using root privilege escalation to create and edit files will block team members that do not have root privilege (ICS follows the principle of least privilege).
Alternatives:
Local Storage
All ICS systems have world- or group-writable local storage. Every system is going to have /tmp and /scratch directories. Many research workstations will also have local drives mounted beneath /drv or /srv. Many other systems have undeployed storage. If you have questions about what is available on a particular workstation, please send mail to helpdesk@ics.uci.edu
Group accounts
If you need to share storage with your team, use your Groupleader Account (Linux). It works the same way as root sudo, but avoids the requirement that the entire team have root sudo. The group account can use all the same local storage as well as, on many systems, NFS storage.
Universal Student Access
All students have been given access to a limited number of commands on instructional hosts. Grad students have the same privileges on research hosts. These are commonly used diagnostic commands that require root privilege to execute but are reasonably necessary for day-to-day work.
Getting More
If you feel that you require access to a command that is not on the list, please email helpdesk@ics.uci.edu.
In the cases where you have been granted sudo access to a host, please consider what it means to have that privilege.
- Broken or corrupt OS and system software will be repaired by total reinstallation.
- Backup of local storage is your responsibility. Mount your ICS Home Directory and copy important data there.
- Accounts are managed centrally by helpdesk@ics.uci.edu.
- Request permanent changes to the OS and system software from helpdesk@ics.uci.edu.
- Make no changes that would interfere with the ICS Computing Support group's ability to manage the computer.
- Make no changes that would prevent ICS Puppet from updating the configuration of the machine.
- The machines are monitored (Grafana and Icinga2@ics). Alerts will trigger a response.
Sudo Alternatives
Package (yum/apt) installation
It would not be useful to allow everybody on the openlab to add or remove packages as they saw fit, so we don't give out sudo permission for that. However, that doesn't mean that the package you want isn't available or that you cannot install your own packages.
Modules
An alternative to update-alternatives
Natively, CentOS and Ubuntu may not provide the latest program versions. To address this, ICS Computing Support provides locally compiled software as part of the ICS Software Library.
You may add these packages to your environment by invoking the module command.
Add a different javac to your path:
module load openjdk/11.0.2
Add slurm to your path:
module load slurm
Add julia/1.6.0 to your path:
module load julia/1.6.0
See which versions of gcc are available:
module avail gcc
Multiple Versions
An alternative to update-alternatives
On instructional and research systems, several versions of python are provided. These may be invoked by specifying the longer, versioned name, e.g. /usr/bin/python3.7
See what is available locally by using shell tab completion.
You can also see which versions of python are available by using wildcards:
ls /usr/bin/python* /usr/local/bin/python*
Python3 Packages
Most python and anaconda packages do not require root privilege to install. See the following URL for instructions on installing Python libraries, including how to upgrade pip:
https://wiki.ics.uci.edu/doku.php/software:personal_library#python3
DB Servers
The MySQL and PostgreSQL servers run on unprivileged ports, and it is best practice to run them as a non-root user. Please see this page for running MySQL as an unprivileged user. Please request a group account from helpdesk@ics.uci.edu if your team would like to share ownership of a MySQL server.
Compiling Software from Source
Software source can be compiled and installed to writable storage by any user without sudo.
Use the --prefix option to relocate the package to a directory you own:
./configure --prefix=$HOME/pkg/pkg_name/version
See this link for a little bit more information.
find
sudo privilege is not required to search areas of the filesystem that belong to you or public spaces. Due to our security policies many areas of the filesystem are not going to be accessible to root. Please reach out to helpdesk@ics.uci.edu if you feel you need to search an area of the file system that you do not have access to.
ldconfig
Set your LD_LIBRARY_PATH and LD_RUN_PATH instead. For example:
Add a lib directory in your home directory to be searched when running programs (bash/zsh):
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/lib
Order is important; if you want your personal library searched BEFORE system libs, reverse the order:
export LD_LIBRARY_PATH=$HOME/lib:$LD_LIBRARY_PATH
Loading modules will automatically add necessary libraries to your LD_LIBRARY_PATH or LD_RUN_PATH.
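The two export lines above have a pitfall worth knowing: if LD_LIBRARY_PATH is unset when you append to it, the result begins with a lone colon, and an empty entry in LD_LIBRARY_PATH tells the dynamic loader to search the current working directory for shared libraries. The helpers below are an added example, not code from the ICS wiki; they tie the --prefix install described earlier to the LD_LIBRARY_PATH advice here, and assume the prefix tree (a hypothetical $HOME/pkg/pkg_name/version) has the usual bin/ and lib/ subdirectories. They add entries without ever producing an empty one and without duplicating an entry that is already present.

```shell
#!/bin/sh
# Added example (not part of the ICS wiki page): register a personal
# --prefix install tree in the environment without sudo.
#
# Assumption (not from the page): the prefix was produced by
#   ./configure --prefix=$HOME/pkg/pkg_name/version && make && make install
# and therefore contains bin/ and lib/ subdirectories.

# path_add VAR DIR [prepend|append]
# Adds DIR to the colon-separated list held in VAR.
#  - does nothing if DIR is already present (keeps the existing order)
#  - never creates an empty entry: a leading/trailing/double colon in
#    LD_LIBRARY_PATH makes the loader search the current directory,
#    which a personal lib directory should not silently turn into.
path_add() {
    var=$1; dir=$2; mode=${3:-append}
    eval "cur=\${$var:-}"
    case ":$cur:" in
        *":$dir:"*) return 0 ;;          # already present
    esac
    if [ -z "$cur" ]; then
        new=$dir                         # first entry: no colon at all
    elif [ "$mode" = prepend ]; then
        new=$dir:$cur
    else
        new=$cur:$dir
    fi
    eval "$var=\$new; export $var"
}

# use_prefix PREFIX
# bin/ is prepended to PATH so the personal build wins over the system one;
# lib/ is appended to LD_LIBRARY_PATH so system libraries are still found
# first (swap prepend/append if you want your libraries searched BEFORE
# the system ones, as the page notes).
use_prefix() {
    prefix=$1
    [ -d "$prefix" ] || { echo "use_prefix: $prefix is not a directory" >&2; return 1; }
    [ -d "$prefix/bin" ] && path_add PATH "$prefix/bin" prepend
    [ -d "$prefix/lib" ] && path_add LD_LIBRARY_PATH "$prefix/lib" append
    return 0
}

# Usage (hypothetical prefix; the directory must already exist):
#   use_prefix "$HOME/pkg/pkg_name/version"
```

Calling use_prefix twice for the same tree is harmless, so the line can live in a shell startup file; a module file from the ICS Software Library does the same job for locally compiled software, and this helper is only for trees you built yourself.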
lshw
This command will return some information for non-root users, although the information may be incomplete.
You may also run the following commands to get additional system information:
- lsblk: information on attached block devices (e.g. disks)
- lsscsi: information on devices on the SCSI bus
- cat /proc/meminfo: information about system memory
- cat /proc/cpuinfo: information about the system CPUs
- top/htop: broad information about processes and resource consumption
- dmesg: startup messages
firewalls
ICS managed computing employs iptables. Ports above 1024 on managed instructional and research Linux computers should be open to campus and VPN addresses. Please send requests for restricted ports, ports below 1024, and other special requests to helpdesk@ics.uci.edu.
Note: Some local sudo users may have privilege to run /usr/sbin/iptables to open and close ports but any changes will be ephemeral. Please send a request to helpdesk@ics.uci.edu to make them permanent.
Reboot/Shutdown
Please reach out to helpdesk@ics.uci.edu if you believe a machine needs to be rebooted.
Shells
Sudo shell access is not granted, because it would let users circumvent the policies we have in place to protect security.
Sudoer Template
Our system reported that you ran the sudo command recently. I am going to take this opportunity to share this wiki page, which describes our sudoers policy, its reasoning, and potential alternatives:
https://wiki.ics.uci.edu/doku.php/policies:sudoers
This page doesn't require you to log in, but links from this page may require ICS credentials.
Unnecessary Sudo Invocations
The command invoked does not require sudo privilege and can be run as your own user. Let me know if there is a specific reason that it was necessary to invoke it via sudo. If we can figure out a non-sudo way to accomplish the same thing, I will add it to our sudoers page: https://wiki.ics.uci.edu/doku.php/policies:sudoers
Typically, the sudo command should be used exclusively to invoke commands not available to an ordinary user, such as installing a package (apt or yum) or running a service on a privileged port (below 1024).