Service User Permissions - No Sudo

Purpose
When a new Pool is set up based on the Guild Operators Documentation or through Alexd's forum article "How to set up a POOL in a few minutes - and register using CNTOOLS", by default the user who installed CNODE is also running it as a service.

Potential Risk
This is not optimal from a security perspective because the same user is typically used to SSH into the machine. To avoid attack vectors like privilege escalation, the following steps show how to degrade the original installation user to a non-sudoer, while creating a new user which is used for SSH in future.

Implications
Please note that after those steps you'll always need to SSH and then impersonate the Service user (OLDUSER). Also, any later updates or execution of scripts which require SUDO permission will require temporarily re-granting SUDO permissions to the OLDUSER.

Further comment: I know that it would be more convenient to just have 2 users. But this leads to issues regarding availability of environment variables and port access of Prometheus. This does not mean it is not possible - let me know if you found a better way :)

Nomenclature
OLDUSER = User which was used during the installation.
maint-user = New User which will be used for future SSH connectivity.

Steps

#Create another Login User which you will use in future for maintenance SSH Connections
sudo adduser maint-user

#Make the new user a sudoer
sudo usermod -aG sudo maint-user

#Impersonate with the new user
sudo su - maint-user

#Configure an appropriate login mechanism (re-do what you did for your original user, e.g. authorized_keys for Public Key Auth); in my case copy the old authorized_keys
mkdir -p ~/.ssh
sudo cp /home/OLDUSER/.ssh/authorized_keys ~/.ssh/
sudo chown -R maint-user /home/maint-user/.ssh

#Set the user as allowed user for SSH (add or edit this line in the file)
sudo nano /etc/ssh/sshd_config
AllowUsers OLDUSER maint-user

#Restart SSHD
sudo systemctl restart sshd

#Login with that new user through SSH directly
#The new user is now able to login and also run commands in the context of the original install user
#Please note that the user is not able to run any script in its own context since the Cardano Binaries and Environment Variables are only available to the original install user
sudo su - OLDUSER
#run gLiveView to verify if everything is fine
/opt/cardano/cnode/scripts/gLiveView.sh

#Exit back out to the maint-user again
exit

#Reduce permissions of the user which was initially used to install Cardano and will in future still run the service
#Remove SUDO
sudo deluser OLDUSER sudo

#Delete authorized_keys
sudo shred -uvz /home/OLDUSER/.ssh/authorized_keys

#Unset Password
sudo passwd --delete OLDUSER

#Remove old user from sshd_config (note: only maint-user remains)
sudo nano /etc/ssh/sshd_config
AllowUsers maint-user

#Restart SSHD
sudo systemctl restart sshd
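
The following audit script is an added example, not part of the original post: it checks the end state the steps above aim for (service user out of the sudo group, no password, no authorized_keys, and sshd admitting only the maintenance user). The names OLDUSER and maint-user are the placeholders from the steps, the script file name is assumed, and the system file paths are parameters so the checks can be run against constructed copies as well as the live files.

```shell
#!/bin/sh
# Audit for the end state of the procedure above. Added example, not part
# of the original post; the user names OLDUSER and maint-user are the
# placeholders used in the steps. File paths are parameters so the checks
# can be run against constructed copies as well as the live system files.
LC_ALL=C; export LC_ALL

# Print the sorted, de-duplicated set of names on all AllowUsers lines in
# sshd_config $1 (sshd accumulates AllowUsers across lines, so all count).
allowed_ssh_users() {
    grep -iE '^[[:space:]]*AllowUsers[[:space:]]' "$1" \
      | sed -E 's/^[[:space:]]*AllowUsers[[:space:]]+//; s/#.*//' \
      | tr ' \t' '\n\n' | grep -v '^$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if user $2 is a member of group $1 according to group file $3.
in_group() {
    members=$(awk -F: -v g="$1" '$1 == g { print $4 }' "$3")
    echo ",$members," | grep -q ",$2,"
}

# Succeed if the shadow entry for user $1 in file $2 carries no usable hash.
# `passwd --delete` leaves the field empty; that is weaker than a locked
# hash ('!...'), because PAM's nullok can still permit password-less local
# logins, so `passwd -l` is the safer complement. Both states pass here.
password_disabled() {
    pw=$(awk -F: -v u="$1" '$1 == u { print $2 }' "$2")
    case "$pw" in ''|'*'|'!'*) return 0 ;; *) return 1 ;; esac
}

# Run all checks for service user $1 and maintenance user $2; $3-$6 override
# the group file, shadow file, sshd_config and the service user's key file.
audit_service_user() {
    svc=$1; maint=$2; groupf=${3:-/etc/group}; shadowf=${4:-/etc/shadow}
    sshdf=${5:-/etc/ssh/sshd_config}; keys=${6:-/home/$svc/.ssh/authorized_keys}
    rc=0
    in_group sudo "$svc" "$groupf" && { echo "FAIL: $svc still in group sudo"; rc=1; }
    in_group sudo "$maint" "$groupf" || { echo "FAIL: $maint not in group sudo"; rc=1; }
    password_disabled "$svc" "$shadowf" || { echo "FAIL: $svc still has a password"; rc=1; }
    [ "$(allowed_ssh_users "$sshdf")" = "$maint" ] || { echo "FAIL: AllowUsers is not exactly $maint"; rc=1; }
    [ -e "$keys" ] && { echo "FAIL: $keys still exists"; rc=1; }
    return $rc
}

# On the live system (root is needed to read /etc/shadow):
#   sudo sh audit_service_user.sh OLDUSER maint-user
if [ $# -ge 2 ]; then audit_service_user "$@"; fi
```

Run it from the maint-user after the final sshd restart; a non-zero exit lists every step that has not taken effect.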

My setup looks like this:

personal-user
I use this account to ssh into my system and make all my system operations.
Is in /etc/sudoers.d/local

relay/block user
Used to install node.
Has no login shell (/etc/passwd set to /sbin/nologin) but can sudo.

Both accounts need to verify with Google authenticator / 2fa if they want to run sudo commands.

What I’m going to do is to limit the sudo commands of the relay user to just systemctl and maybe degrade my personal user to only be able to make the switch to the relay user.

I'm currently planning to write some guides on such stuff - let me know if that's something you'd like to read?

Cheers,

Alex


Definitely I’m interested in reading some more details. Always got to compare and learn!

Interesting too.


Thanks for sharing.