Feature #13184

closed

Remote Execution needs ability to restrict commands on a per user basis

Added by Duncan Innes almost 9 years ago. Updated almost 9 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty: -
Triaged: -
Fixed in Releases: -
Found in Releases: -

Description

Not sure how this could tie in to sudo, but Remote Execution has a default user of root. This is not acceptable on many corporate estates, as root access is completely restricted.

The execution user on the remote system should be altered based on the Foreman user scheduling the command. Elevation to a different user would then be based on the sudo ability of the remote user on the remote machine.


Related issues: 1 (0 open, 1 closed)

Is duplicate of Foreman Remote Execution - Feature #12489: Expose effective user in the foreman server (Closed, Ivan Necas, 11/16/2015)

#1

Updated by Stephen Benjamin almost 9 years ago

  • Status changed from New to Duplicate

I'm happy to say this is possible in the latest release. When you create a job template, there is an "Effective User" section on the Job tab. Click the 'Current user' box and uncheck the 'Overridable' box. The script will then be executed via sudo or su (configurable in Settings) as the same username as the logged-in Foreman user.

#2

Updated by Stephen Benjamin almost 9 years ago

  • Is duplicate of Feature #12489: Expose effective user in the foreman server added

#3

Updated by Stephen Benjamin almost 9 years ago

Do note also that there are two different possible users -> the user used for ssh, and the user used for execution. The effective user as the logged-in Foreman user applies to the latter. The ssh user is a global setting (default is root) overridable per-host, but we do expect this user to be somewhat privileged for now.

Were you looking for the former - the ssh user itself?

We do have http://projects.theforeman.org/issues/11936, which might be able to support such a case. Or were you looking for something ssh-key based? We could re-open this if it's that, although customizing the SSH user to be per-Foreman-user is a bit challenging from a security and auditing standpoint.
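Since the thread leaves the per-user restriction to "the sudo ability of the remote user on the remote machine", here is an added example (not from the issue or from the Foreman project) of the sudoers policy on the managed host that makes the effective-user feature described in #1 useful without granting the ssh user full root. It assumes a non-root ssh user named `rex` (hypothetical), that the execution user is elevated in the sudo mode mentioned above, and that only the named effective users should ever be reachable.

```shell
#!/bin/sh
# Constructed example: compare a permissive and a restricted sudoers
# fragment for a Foreman Remote Execution ssh user, then validate the
# syntax of each with visudo -c (parses only, installs nothing).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak setting: the ssh user can become anyone, including root, so
# "effective user" in the job template is a convenience, not a control.
cat > "$WORK/rex_permissive" <<'EOF'
rex ALL=(ALL) NOPASSWD: ALL
EOF

# Restricted setting: the ssh user may only elevate to the listed
# effective users. A job template pinned to "Current user" with
# Overridable unchecked then maps each Foreman login to exactly one
# remote identity, and root is never reachable via this path.
cat > "$WORK/rex_restricted" <<'EOF'
Runas_Alias REX_USERS = alice, bob
Defaults:rex !requiretty, log_output
rex ALL=(REX_USERS) NOPASSWD: ALL
EOF

# check_sudoers FILE -> 0 if visudo accepts the file, 1 otherwise.
# If visudo is absent (e.g. a minimal CI image) the check is skipped
# and reported as accepted, so callers still get a deterministic result.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1
    else
        echo "visudo not found, skipping syntax check for $1" >&2
        return 0
    fi
}

# runas_targets FILE -> the Runas list granted to user rex in FILE,
# so an auditor can diff the policy intent without reading sudoers by eye.
runas_targets() {
    sed -n 's/^rex[[:space:]]\+ALL=(\([^)]*\)).*/\1/p' "$1"
}

for f in rex_permissive rex_restricted; do
    check_sudoers "$WORK/$f" && echo "$f: syntax ok, rex may run as: $(runas_targets "$WORK/$f")"
done
```

Pair the restricted fragment with `log_output` (or the audit subsystem) so that the Foreman job id and the remote effective user can be correlated during an investigation.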

#4

Updated by Duncan Innes almost 9 years ago

It was the execution user I was initially looking at, but the ssh user is also a potential issue. Parts of our estate have no access to root user for security reasons (I'm new here, so can't explain the logic behind the decision). Other parts of our estate don't even allow ssh access to boxes.

Will leave this ticket as being concerned with the execution user (i.e. duplicate of 12489) and raise other tickets as necessary for the ssh user and possibly any alternatives to ssh transport.
