Atomic sudo #189

Merged
merged 11 commits into from
Apr 15, 2024

Contributor

@dwhite9 dwhite9 commented Apr 4, 2024

The changes made below are intended to provide a new option when installing the atomic runner code on a *Nix machine that will allow it to be configured to use a different user account other than root. That account will require sudo access.

The code update adds checks for this configuration, and prepends the sudo command before commands that require it. To make this not require a password, the "set-sudo" script will create a sudo config to allow passwordless sudo for the account configured during the invoke-SetupAtomicRunner script. It will prompt the user once for the password and then configure the account to no longer require it for sudo permission.

This optional config will only trigger if you run the Invoke-SetupAtomicRunner as a non-root account with sudo privileges. If run as root, then the normal behavior will be preserved.
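
A host set up this way carries a standing passwordless sudo rule for the runner account, so it is worth checking which accounts hold such rules and what they cover. The following is an added example, not code from this PR or the project: a shell function that lists `NOPASSWD` grants in a sudoers-format file. The sample content and the `atomicrunner` account name are constructed, and the exact rule the set-sudo script writes is not shown on this page.

```shell
#!/bin/sh
# Added example: list principals that a sudoers-format file grants
# passwordless sudo. Not part of the PR; sample data is constructed.

# nopasswd_grants FILE
# Prints "principal<TAB>scope" for each rule carrying the NOPASSWD tag.
# scope is "all" when the command list is exactly ALL, otherwise "limited".
nopasswd_grants() {
    awk '
        /^[ \t]*#[^0-9]/ { next }      # comments and #include lines
        /^[ \t]*#[ \t]*$/ { next }     # bare "#" (note: #1000 is a uid, not a comment)
        /^[ \t]*$/ { next }            # blank lines
        /^[ \t]*Defaults/ { next }     # option lines, not grants
        /NOPASSWD:/ {
            principal = $1
            cmds = $0
            sub(/.*NOPASSWD:[ \t]*/, "", cmds)   # keep the command list after the tag
            sub(/[ \t]+$/, "", cmds)
            scope = (cmds == "ALL") ? "all" : "limited"
            printf "%s\t%s\n", principal, scope
        }
    ' "$1"
}

# Constructed sample in the shape of a file under /etc/sudoers.d.
# "atomicrunner" is a hypothetical account name.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
atomicrunner ALL=(ALL) NOPASSWD: ALL
%backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
}

tmp=$(mktemp)
sample_sudoers > "$tmp"
nopasswd_grants "$tmp"
rm -f "$tmp"
```

On a live host, `sudo -l -U <account>` run as root shows the effective rules for one account, including any pulled in from included files that a single-file scan does not follow.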

dwhite9 added 10 commits January 31, 2024 23:01
Updated the Invoke-SetupAtomicRunner.ps1 to use it during setup, and
updated cronjob to use current user instead of root.

Also updated the Invoke-AtomicRedTeam.psd1 to load the Set-Sudo function
to be available as a standalone function.
Invoke-SetupAtomicRunner. Added checks in Invoke-AtomicTest and
Invoke-ExecutionCommand to see if passwordless sudo is configured and if
so, to append sudo to the $execPrefix for bash and sh executor. It also
does an additional check to determine if the YAML requires elevation
before attempting it.
… put the

$executor into the $execPrefix variable when passwordless sudo has been
enabled.
@dwhite9 dwhite9 marked this pull request as draft April 11, 2024 19:24
@cyberbuff cyberbuff requested a review from clr2of8 April 14, 2024 21:05
@dwhite9 dwhite9 marked this pull request as ready for review April 15, 2024 21:13
@clr2of8 clr2of8 merged commit 392533b into redcanaryco:master Apr 15, 2024
4 checks passed
@clr2of8 clr2of8 mentioned this pull request Apr 27, 2024