Sudo Wrapper

After Endpoint Privilege Management for Unix and Linux is installed and its clients deployed throughout the enterprise, you can ideally start using pbrun instead of sudo to request secured tasks. However, you might need time to modify preexisting scripts or become accustomed to typing pbrun. On Linux x86-64 systems, administrators have the option to install and configure a sudo wrapper, a Perl script that translates sudo options into pbrun options and uses pbrun to execute the requested command. This way, users can continue typing sudo, but pbrun is used to elevate privileges.


Consider the following before installing the sudo wrapper:

  • The sudo wrapper is currently supported on Linux x86 64-bit systems only.
  • The sudo wrapper and its installation do not touch the preexisting sudoers file. The system administrator must migrate the rules from sudoers to the Endpoint Privilege Management for Unix and Linux policy before installing the sudo wrapper.
  • Many of sudo's switches need to be implemented in the policy of Endpoint Privilege Management for Unix and Linux. This modified policy must be in place prior to installing the sudo wrapper to have those options available.

Packaging

The Perl script pbsudo-wrapper.pl is added to the bin directory in the TAR file.

Starting with EPM-UL version 22.1, the sudo wrapper is available only with the Linux distribution: pmul_linux.x86-64.

Install Details

pbinstall

The pbinstall program has a new -O switch to install the sudo wrapper. The Linux host where pbinstall is run must already have an unprefixed/unsuffixed pbrun installed and configured. Before attempting to install the sudo wrapper, you must already have an updated Endpoint Privilege Management for Unix and Linux policy in place that contains the prerequisites mentioned in the notes above. To ensure that the sudo wrapper is installed in the correct environment, the -O switch is purposely exclusive and cannot be combined with the other pbinstall options.

When installing the sudo wrapper, pbinstall locates the actual sudo binary and renames it to a backup name (with the suffix .orig). The Perl script pbsudo-wrapper.pl is then copied from the distribution to the same location and renamed to sudo.

pbuninstall

The pbuninstall program has a new -O switch to manually uninstall the sudo wrapper but leave Endpoint Privilege Management for Unix and Linux components intact.

When uninstalling the sudo wrapper, pbuninstall locates the backup sudo binary (suffixed with .orig) and renames it back to its regular name.
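The install and uninstall steps above leave the host in one of two documented layouts: the Perl wrapper as sudo beside the renamed original as sudo.orig, or the original sudo alone. The following check, an added example that is not part of EPM-UL, classifies the two files and reports which layout is present, so an administrator can confirm the result of pbinstall -O or pbuninstall -O. The directory it inspects is built by build_sample(), a constructed stand-in for the real bin directory, so the check runs offline.

```python
#!/usr/bin/env python3
"""Post-install check for the sudo wrapper layout described above.

Added example, not part of EPM-UL: it inspects a directory expected to hold
`sudo` (the Perl wrapper after pbinstall -O) and `sudo.orig` (the renamed
original binary) and reports which state the host is in. build_sample()
creates a constructed throwaway directory so the check can be run offline.
"""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"


def classify(path):
    """Return 'perl-script', 'elf', 'missing' or 'other' for one file."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as fh:
        head = fh.read(128)
    if head.startswith(ELF_MAGIC):
        return "elf"
    first_line = head.split(b"\n", 1)[0]
    if first_line.startswith(b"#!") and b"perl" in first_line:
        return "perl-script"
    return "other"


def inspect_sudo_dir(bindir):
    """Summarize sudo / sudo.orig in bindir and derive the wrapper state."""
    sudo = os.path.join(bindir, "sudo")
    backup = os.path.join(bindir, "sudo.orig")
    info = {"sudo": classify(sudo), "sudo.orig": classify(backup)}
    # Mode bits are recorded so the renamed backup can be reviewed with the change.
    for name, path in (("sudo", sudo), ("sudo.orig", backup)):
        mode = os.stat(path).st_mode if os.path.exists(path) else 0
        info[name + "_setuid"] = bool(mode & stat.S_ISUID)
    if info["sudo"] == "perl-script" and info["sudo.orig"] == "elf":
        info["state"] = "wrapper-installed"
    elif info["sudo"] == "elf" and info["sudo.orig"] == "missing":
        info["state"] = "wrapper-not-installed"
    else:
        info["state"] = "inconsistent"   # e.g. an interrupted install or uninstall
    return info


def build_sample(layout="installed"):
    """Create a constructed directory imitating one of the documented layouts."""
    d = tempfile.mkdtemp(prefix="pbsudo-demo-")
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 12   # constructed header only
    if layout == "installed":
        with open(os.path.join(d, "sudo"), "w") as fh:
            fh.write("#!/usr/bin/perl\n# constructed stand-in for pbsudo-wrapper.pl\n")
        with open(os.path.join(d, "sudo.orig"), "wb") as fh:
            fh.write(fake_elf)
    elif layout == "pristine":
        with open(os.path.join(d, "sudo"), "wb") as fh:
            fh.write(fake_elf)
    # layout == "empty": nothing is written, which inspect_sudo_dir flags
    return d


if __name__ == "__main__":
    for layout in ("installed", "pristine", "empty"):
        print(layout, "->", inspect_sudo_dir(build_sample(layout))["state"])
```

On a real host, call inspect_sudo_dir() with the directory that holds the system sudo binary; anything other than wrapper-installed or wrapper-not-installed means the rename-and-copy sequence did not complete and should be reviewed before users rely on the wrapper.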

Demo Policy Files

Default policy files <pbuldir>/pbul_policy.conf and <pbuldir>/pbul_functions.conf contain sample instructions that define a Sudo role. This Sudo role is disabled by default, but it illustrates how you can craft a policy to support the sudo wrapper options.

<policydir>/pbul_policy.conf:

# This enables "Sudo role", which allows root (or any user in SudoUsers) to run any command on the current host (or any host in SudoHosts)
# By default, this role is disabled. To enable this set EnableSudoRole to true below.
#
EnableSudoRole = false;
SudoUsers = {"root"};
SudoHosts = {submithost, TargetSubmitHostShortName};
SudoRole();

<policydir>/pbul_functions.conf:

## Procedure SudoRole:
## If 'EnableSudoRole' is enabled, it allows any user in SudoUsers list to run any command on hosts in SudoHosts
##   
procedure SudoRole()
{
    if ( EnableSudoRole && user in SudoUsers && (runhost in SudoHosts || TargetRunHostShortName in SudoHosts) )
    {
        SetRunEnv("root", false);

        if (getenv("SUDOLOGIN") == "true") {
            setenv("SHELL", "!!!");
            setenv("HOME", "!~!");
            runcwd = "!~!";
            runargv[0] = "-" + basename(getenv("SHELL","/bin/sh"));
            unsetenv("SUDOLOGIN");
            unsetenv("SUDOUSERSHELL");
        }
        
        if (getenv("SUDOPRESERVE") == "true") {
            setenv("USER", runuser);
            setenv("USERNAME", runuser);
            setenv("LOGNAME", runuser);
            unsetenv("SUDOPRESERVE");
        } else {
            #runcwd = "!~!";
            #setenv("SHELL", "!!!");
            #setenv("HOME", "!~!");
            setenv("USER", runuser);
            setenv("USERNAME", runuser);
            setenv("LOGNAME", runuser);
            setenv("PWD", runcwd);
            setenv("PATH", "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/opt/pbis/bin");
            keepenv("SHELL", "HOME", "USER", "USERNAME", "LOGNAME", "PWD", "PATH",
                    "TERM", "DISPLAY", "SUDO_GID", "SUDO_UID", "SUDO_USER",
                    "SUDO_COMMAND");
        }
        accept;
    }
}
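To trace what the SudoRole procedure does to a request, the policy logic is re-expressed below in Python. This is an added illustration, not EPM-UL code or its policy engine, and it rests on stated modeling assumptions: getenv() reads the submitting user's environment while setenv()/unsetenv()/keepenv() operate on a separate run environment copied from it, SetRunEnv("root", false) is taken to make root the run user, and the "!!!" and "!~!" markers are left unexpanded because pbrun resolves them at run time. The sample request is constructed.

```python
"""Python model of the SudoRole procedure above.

Added illustration, not EPM-UL code: the policy logic is re-expressed in
Python so the effect of EnableSudoRole, SudoUsers, SudoHosts and the
SUDOLOGIN / SUDOPRESERVE variables can be traced on constructed requests.
Modeling assumptions: getenv() reads the submitting user's environment while
setenv()/unsetenv()/keepenv() operate on a separate run environment copied
from it, SetRunEnv("root", false) is taken to make root the run user, and the
"!!!" and "!~!" markers are left as-is since pbrun expands them at run time.
"""
import os

KEEP = ("SHELL", "HOME", "USER", "USERNAME", "LOGNAME", "PWD", "PATH",
        "TERM", "DISPLAY", "SUDO_GID", "SUDO_UID", "SUDO_USER", "SUDO_COMMAND")
FIXED_PATH = "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/opt/pbis/bin"


def sudo_role(req, enable=False, sudo_users=("root",), sudo_hosts=()):
    """Return None when the role does not apply (policy falls through to later
    rules) or the accepted run specification when it does."""
    host_ok = req["runhost"] in sudo_hosts or req["runhost_short"] in sudo_hosts
    if not (enable and req["user"] in sudo_users and host_ok):
        return None

    env = req["env"]            # submit environment: what getenv() sees
    run = dict(env)             # run environment: what setenv()/keepenv() edit
    runargv = list(req["runargv"])
    runcwd = req["runcwd"]
    runuser = "root"            # SetRunEnv("root", false)

    if env.get("SUDOLOGIN") == "true":          # login-shell request
        run["SHELL"] = "!!!"                    # run user's shell
        run["HOME"] = "!~!"                     # run user's home
        runcwd = "!~!"
        runargv[0] = "-" + os.path.basename(env.get("SHELL", "/bin/sh"))
        run.pop("SUDOLOGIN", None)
        run.pop("SUDOUSERSHELL", None)

    for name in ("USER", "USERNAME", "LOGNAME"):   # set in both policy branches
        run[name] = runuser
    if env.get("SUDOPRESERVE") == "true":       # caller's environment kept
        run.pop("SUDOPRESERVE", None)
    else:                                       # default: sanitized environment
        run["PWD"] = runcwd
        run["PATH"] = FIXED_PATH
        run = {k: v for k, v in run.items() if k in KEEP}   # keepenv(...)

    return {"runuser": runuser, "runargv": runargv, "runcwd": runcwd, "runenv": run}


# Constructed sample request: root on host web01 asking for a bash shell, with a
# caller-supplied PATH and an extra variable that the sanitized branch drops.
SAMPLE = {
    "user": "root",
    "runhost": "web01.example.test",
    "runhost_short": "web01",          # stands in for TargetRunHostShortName
    "env": {"SHELL": "/bin/bash", "HOME": "/root", "PATH": "/root/bin:/usr/bin",
            "EDITOR": "vim", "TERM": "xterm", "SUDOPRESERVE": "false"},
    "runargv": ["/bin/bash"],
    "runcwd": "/srv",
}

if __name__ == "__main__":
    print("role disabled:", sudo_role(SAMPLE, sudo_hosts=("web01",)))
    print("sanitized:", sudo_role(SAMPLE, enable=True, sudo_hosts=("web01",)))
    login = dict(SAMPLE, env=dict(SAMPLE["env"], SUDOLOGIN="true"))
    print("login shell:", sudo_role(login, enable=True, sudo_hosts=("web01",)))
```

With EnableSudoRole left at its default of false the function returns None for every request, which mirrors the shipped policy: the demo role grants nothing until the flag is set, and control passes to whatever rules follow it in pbul_policy.conf. In the default (non-preserve) branch the caller's PATH is replaced and only the listed variables survive, which is the part of the role worth keeping when you adapt it.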