About using sudo

Sudo is a program for Unix-like operating systems that lets users run programs with the security privileges of another user (by default, the superuser).

Sudo lets you grant a tightly restricted set of privileges to the account Trust Protection Platform uses on a remote device (see the commands listed in the table below). This sudo option provides a more secure connection because root access is no longer required. With root access, a compromise of the account's credentials potentially compromised all other data on the remote device as well.

DID YOU KNOW?  On Trust Protection Platform, sudo is a method for provisioning certificates to a device using a non-root account; it uses the default file ownership and permissions configured on your operating system. If your implementation requires different file ownership or permissions, Venafi drivers that support sudo can set them using a separate feature of the driver.

When using sudo with Trust Protection Platform, consider the following limitations and requirements:

  • Workflow (SSH) Command Injection is not supported with sudo unless the injected commands are prefixed with sudo and sudo requires no password to execute them.
  • Only one certificate can be provisioned at a time to the same device when using sudo (the Concurrent Connection Count must be 1).
  • The sudo account used by Trust Protection Platform must have read and write permissions on the temp directory, as well as permission to transfer files to and from the temp directory using SFTP.
  • sudo can only be used with Venafi drivers that use an SSH command-line interface, and only on platforms that use a standard, non-proprietary command shell.
Sudo commands executed by supported Venafi drivers

Driver                        Commands used with Central Generation   Commands used with Remote Generation
General Purpose               ls, rm, cp                              ls, rm, cp
Set File/Owner Permissions    chmod, chown                            chmod, chown
Apache and PEM                                                        openssl
GSK                                                                   gsk7cmd, gsk7capicmd, gsk8capicmd, gsk8capicmd_64, ikeycmd
iPlanet                       certutil, pk12util                      certutil, pk12util
JKS                                                                   keytool
PKCS#12                                                               (Not Applicable)

When sudo is enabled, each command executed remotely on a device is prefixed with “sudo” so that it runs in a privileged security context. The sudoers file governs which users are allowed to run which commands. It can also specify whether the user must enter a password when prompted; running the commands without a password (NOPASSWD) is an optional configuration that Trust Protection Platform supports.

EXAMPLE  In this example sudoers file, venafi is the user name that Trust Protection Platform has been configured to use, /opt/pki is the target directory, /tmp is the temporary directory, and the commands are executed via sudo without a password.

IMPORTANT  The following example is a general guide to get you started. Do not use it as-is: replace wildcard references with actual file path names wherever possible, because a wildcard in a path argument also matches paths that traverse out of the intended directory.

# GSK, JKS, PEM, PKCS#12 central gen
venafi ALL= NOPASSWD:/bin/ls -ld /opt/pki*
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/* /opt/pki/*
venafi ALL= NOPASSWD:/bin/cp /opt/pki/* /tmp/*
venafi ALL= NOPASSWD:/bin/cp -pf /opt/pki/* /opt/pki/*
venafi ALL= NOPASSWD:/bin/cp /tmp/* /tmp/*
venafi ALL= NOPASSWD:/bin/rm -rf /opt/pki/*.bak
venafi ALL= NOPASSWD:/bin/rm -rf /tmp/*

# for setting file owner/group and/or permissions
venafi ALL= NOPASSWD:/bin/chmod 0[0-7][0-7][0-7] /opt/pki/*
venafi ALL= NOPASSWD:/bin/chown * /opt/pki/*
venafi ALL= NOPASSWD:/bin/chmod 0[0-7][0-7][0-7] /tmp/*
venafi ALL= NOPASSWD:/bin/chown * /tmp/*

# iPlanet
venafi ALL= NOPASSWD:/bin/ls -ld /usr/bin/certutil, /bin/ls -ld /usr/bin/pk12util
venafi ALL= NOPASSWD:/usr/bin/certutil *, /usr/bin/pk12util *
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/* /tmp/*
venafi ALL= NOPASSWD:/bin/ls -ld /tmp*

# PEM remote gen
venafi ALL= NOPASSWD:/usr/bin/openssl *

# JKS remote gen
venafi ALL= NOPASSWD:/usr/bin/keytool *

# GSK remote gen
venafi ALL= NOPASSWD:SETENV:/bin/sh -c ikeycmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk7cmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk7capicmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk8capicmd *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk8capicmd_64 *
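As an added example (not part of this page and not Venafi tooling), the following Python checker parses user specifications written in the form used above and reports the entries the IMPORTANT note warns about: shell interpreters, SETENV, bare "*" arguments, and wildcards inside path arguments. The sample lines are constructed, and Runas lists such as (ALL) are assumed absent, as in the example above.

```python
import re

SAMPLE = """\
# constructed sample lines modelled on the sudoers example above
venafi ALL= NOPASSWD:/bin/ls -ld /opt/pki*
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/* /opt/pki/*
venafi ALL= NOPASSWD:/bin/cp -pf /tmp/tpp.pem /opt/pki/server.pem
venafi ALL= NOPASSWD:/usr/bin/certutil *, /usr/bin/pk12util *
venafi ALL= NOPASSWD:SETENV:/bin/sh -c gsk8capicmd *
"""

# user host = [Tag: ...] cmd[, cmd ...]; Runas lists such as (ALL) are assumed absent.
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC"}
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}

def parse_spec(line):
    """Split one user specification into (user, host, tags, [command strings])."""
    line = line.split("#", 1)[0].strip()
    m = SPEC.match(line)
    if not m:
        return None                      # blank line, comment, Defaults, alias ...
    rest, tags = m.group("rest"), []
    while ":" in rest and rest.split(":", 1)[0].strip().upper() in TAGS:
        tag, rest = rest.split(":", 1)   # tags precede the first command
        tags.append(tag.strip().upper())
    cmds = [c.strip() for c in rest.split(",") if c.strip()]
    return m.group("user"), m.group("host"), tags, cmds

def risks(cmd, tags):
    """List why one command entry weakens the restriction the IMPORTANT note describes."""
    prog, *args = cmd.split()
    notes = []
    if prog in SHELLS:
        notes.append("shell interpreter: runs whatever follows -c")
    if "SETENV" in tags:
        notes.append("SETENV: caller may override environment variables")
    if "*" in args:
        notes.append("bare '*': matches any arguments, including extra ones")
    for a in args:
        if a != "*" and ("*" in a or "?" in a):
            notes.append(f"wildcard in {a}: also matches '/' and '..', so it can leave the intended directory")
    return notes

def audit(text):
    """Return (command, notes) for every command in text with at least one finding."""
    found = []
    for spec in filter(None, map(parse_spec, text.splitlines())):
        found += [(c, n) for c in spec[3] if (n := risks(c, spec[2]))]
    return found
```

Running audit(SAMPLE) flags five of the six command entries; only the cp line with fully spelled-out source and destination paths passes.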
