
Proper Security for remote contractors and sudo

Discussion in 'Security' started by Success1, Jun 6, 2017.

  1. Success1

    Success1 Member

    Joined:
    Sep 8, 2016
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Famunda
    cPanel Access Level:
    Root Administrator
    I'm working with lots of contractors and it has become very handy for me to simply create a new cPanel account and let them install an app that we use in our larger system.

    By creating separate cPanel accounts I can give out the cPanel account credentials and feel fairly safe their access is limited.

    However, it seems most of the time when they log in they need sudo access.

    My question is: if I add them to the sudoers group, is that getting around the security that I created by making their own cPanel account?

    It is my understanding anyone with sudo access pretty much has root access.

    So if I'm doing things wrong, what would be the proper way to deal with many remote contractors?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,094
    Likes Received:
    1,288
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Yes, if you have configured sudo on the server and grant sudo access to the user, it essentially gives them root access via SSH to the entire system. You may want to verify what in particular they need root access for to determine if there's another way they can perform the required action.

    Thank you.
     
  3. Success1

    I'm a Windows Admin of 30 years and having to adapt to a Linux world. Yuggg..

    So what would be a proper procedure to give a remote contractor access to set up software packages on our server? This last time was Mattermost Communication Software but there are always new packages that need to be installed.

    I almost prefer they do the admin sudo work logged into my pc and then I remote to our server as root so I can watch all their security sensitive work.

    What is the best method to handle this?
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    982
    Likes Received:
    75
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    sudoers can be configured to only allow certain commands to be run. For example see:
    Take Control of your Linux | sudoers file: How to with Examples

    Your definition of "setup software packages" is critical here. You could let them have privileges on certain config files perhaps. However if you grant access to yum (package manager) to install software for example, they could add/remove any software packages on the server.

    You don't necessarily have to chain logins if you work in 'screen' sessions, you can have 2 users attached to the same screen by using screen -x.

    I would look perhaps into using sudoers to only let their cPanel users run certain commands with root privileges. Or better yet, just have them work on a dev server, and when you are happy with it, migrate changes to your production server. A small VPS to use as a development/staging server is cheap and a small price to pay for not giving contractors root on your production environment.
     
    Success1 and Infopro like this.
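
The difference between a command-restricted sudoers rule and one that still amounts to root, as described in the post above, shown as an added example that is not part of the original thread. The user names, the `mattermost` unit name, the binary paths and the list of binaries treated as root-equivalent are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag sudoers rules that amount to root.
# User names, the "mattermost" unit and all paths below are constructed.

# Constructed drop-in, as it might appear under /etc/sudoers.d/.
sample_sudoers() {
cat <<'EOF'
# weak: every command as every user
contractor1 ALL=(ALL) ALL
# weak: the package manager can add or remove any package
contractor2 ALL=(root) /usr/bin/yum
# narrower: fixed commands with fixed arguments only
contractor3 ALL=(root) /usr/bin/systemctl restart mattermost, /usr/bin/systemctl status mattermost
EOF
}

# Reads sudoers text on stdin, prints one finding per risky command.
# Simplified: aliases, Defaults, #include lines and escaped commas are ignored.
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
    $1 == "Defaults" || $1 ~ /_Alias$/ { next }        # not user rules
    {
      user = $1
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)                   # drop "user host="
      sub(/^\([^)]*\)[ \t]*/, "", spec)                # drop "(runas)"
      gsub(/(NOPASSWD|PASSWD):[ \t]*/, "", spec)       # drop tags
      n = split(spec, cmds, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        sub(/[ \t]+$/, "", c)
        split(c, w, /[ \t]+/)
        bin = w[1]
        sub(/.*\//, "", bin)                           # basename
        if (c == "ALL")
          print user ": ALL (unrestricted root)"
        else if (bin ~ /^(yum|dnf|rpm|sh|bash|su|vi|vim|visudo)$/)
          print user ": " bin " (root-equivalent)"
        else if (c ~ /\*/)
          print user ": wildcard in \"" c "\""
      }
    }'
}

# Syntax of a real file is checked separately with: visudo -cf <file>
sample_sudoers | audit_sudoers
```
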
  5. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,405
    Likes Received:
    53
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    You can analyze what part of their work requires sudo access. Based on this, you have to plan your move.

    First, I would suggest you give them jailed shell access, so they can log in and check whether they are comfortable with it or not.
     
    Success1 likes this.
  6. Success1

    Thanks guys for the help!! I'll push forward.
     