binbeobo / google-cloud-sdk

Automatically exported from code.google.com/p/google-cloud-sdk

auto sudoers entry on every ssh login #394

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Create a new user in the terminal (using Linux commands).
2. Do NOT give sudo privilege to the user.
3. Just add a public key to the user's home for SSH login.
4. Check the /etc/sudoers entry. This user will not be present.
5. Now do an SSH login with the newly created user.
6. The /etc/sudoers file has an entry for this new user.

What is the expected output? What do you see instead?
1. User should not be able to run sudo commands unless explicitly added to the sudo group.

What is the output of 'gcloud info'?
Google Cloud SDK [0.9.37]

Platform: [Linux, x86_64]
Python Version: [2.7.6 (default, Jun 22 2015, 17:58:13)  [GCC 4.8.2]]
Site Packages: [Disabled]

Installation Root: [/usr/lib/google-cloud-sdk]
Installed Components:
  core: [2014.11.25]
  core-nix: [2014.11.25]
  gcutil: [1.16.5]
  gsutil-nix: [4.6]
  gsutil: [4.6]
  bq: [2.0.18]
  dns: [2014.11.25]
  sql: [2014.11.25]
  compute: [2014.11.25]
  gcutil-nix: [1.16.5]
  bq-nix: [2.0.18]
System PATH: [/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games]
Cloud SDK on PATH: [False]

WARNING: There are old versions of the Google Cloud Platform tools on your system PATH.
  /usr/bin/gcutil
  /usr/bin/git-credential-gcloud.sh
  /usr/bin/bq
  /usr/bin/gsutil
  /usr/bin/gcloud

Installation Properties: [/usr/lib/google-cloud-sdk/properties]
User Config Directory: [/home/vinay/.config/gcloud]
User Properties: [/home/vinay/.config/gcloud/properties]
Current Workspace: [None]
Workspace Config Directory: [None]
Workspace Properties: [None]

Account: [30521210548-compute@developer.gserviceaccount.com]
Project: [api-project-30521210548]

Current Properties:
  [core]
    project: [api-project-30521210548]
    account: [30521210548-compute@developer.gserviceaccount.com]
    user_output_enabled: [True]

Logs Directory: [/home/vinay/.config/gcloud/logs]
Last Log File: [None]

Please provide any additional information below.
So, this blocks us from giving non-sudo SSH access to any user.

Original issue reported on code.google.com by vi...@simility.com on 19 Nov 2015 at 7:14

GoogleCodeExporter commented 8 years ago
Thanks for reporting this.

This is in fact working as intended; `gcloud compute ssh` adds the user to the 
sudoers file. The reasoning here is that anybody with the permissions to 
manipulate the Compute Engine metadata (this is how `gcloud compute ssh` works) 
has enough power to get root on the machine anyway.

If you'd like to do what you're describing, please use plain `ssh` to connect. 
`gcloud compute ssh --dry-run` will tell you the necessary settings, but not 
manipulate the metadata. I've manually verified that this will NOT add the user 
to /etc/sudoers.

Original comment by z...@google.com on 24 Nov 2015 at 5:52
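
An added example, not part of the issue thread or the Cloud SDK: a small audit check for the behaviour reported above, listing which principals hold a rule in sudoers text so that an entry appearing after a login can be spotted against an allowlist. The sample content, the allowlist and the function names are constructed for illustration; it assumes one `User_Alias` per line and does not follow include directives, so each included file has to be passed in separately.

```python
import re

# Constructed sample of /etc/sudoers content (not taken from the issue).
SAMPLE = r"""
# baseline entries
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
User_Alias ADMINS = alice, bob
ADMINS  ALL=(ALL) ALL
newuser ALL=(ALL) \
    NOPASSWD: ALL
#includedir /etc/sudoers.d
"""

def sudoers_principals(text):
    """Return the set of users, %groups and #uids that have a rule."""
    text = re.sub(r"\\\n", " ", text)        # join continued lines
    aliases, principals = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        # '#1000 ...' is a rule for a uid; any other leading '#' is a comment or include.
        if not line or (line.startswith("#") and not re.match(r"#\d+\s", line)):
            continue
        if line.startswith(("Defaults", "@include")):
            continue
        m = re.match(r"User_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
            continue
        if re.match(r"\w+_Alias\s", line):   # Host_/Runas_/Cmnd_Alias
            continue
        if "=" not in line:
            continue
        left = re.sub(r"\s*,\s*", ",", line.split("=", 1)[0]).split()
        if len(left) < 2:
            continue
        for who in left[0].split(","):
            principals.update(aliases.get(who, [who]))
    return principals

def unexpected_sudoers(text, allowed):
    """Principals with a sudoers rule that are not in the allowlist."""
    return sorted(sudoers_principals(text) - set(allowed))

if __name__ == "__main__":
    print(unexpected_sudoers(SAMPLE, {"root", "%sudo", "alice", "bob"}))
```

Running the check on the sudoers content before and after a login, and comparing the two results, shows whether the login itself added an entry.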