sudoers Configuration for Minimal Privilege Escalation #4

@silverfisk

Description

A sudoers configuration that follows the principle of least privilege is critical for ensuring that luks-keeper can only perform the exact operations it needs and nothing more.

Recommended sudoers Configuration:

Create a new file in /etc/sudoers.d/ to contain these rules. This is safer than editing the main /etc/sudoers file.

File: /etc/sudoers.d/luks-keeper

#
# Sudoers configuration for the luks-keeper CLI tool.
#
# This file grants members of the 'luks-keeper-users' group the minimal
# privileges required to execute specific storage commands as root.
# This file should be owned by root and have permissions 0440.

# ==> 1. Command Aliases for Granular Control
#
# Define aliases for each privileged command. For maximum security, these rules
# must be as specific as possible, including full paths and allowed arguments.
# The wildcards (*) here are placeholders and should be replaced with the most
# restrictive patterns that match the tool's operational needs.

# Alias for cryptsetup commands
Cmnd_Alias LK_CRYPTSETUP = /usr/sbin/cryptsetup open *, \
                           /usr/sbin/cryptsetup close *, \
                           /usr/sbin/cryptsetup status *

# Alias for mount and umount commands, restricted to specific paths
Cmnd_Alias LK_MOUNT = /bin/mount /dev/mapper/* /mnt/*, \
                      /bin/umount /mnt/*

# Alias for Btrfs commands
Cmnd_Alias LK_BTRFS = /usr/sbin/btrfs subvolume snapshot *

# Combine all aliases into a single master alias for the final rule.
Cmnd_Alias LUKS_KEEPER_CMDS = LK_CRYPTSETUP, LK_MOUNT, LK_BTRFS


# ==> 2. The Privilege Grant Rule
#
# Allow members of the 'luks-keeper-users' group to execute the commands
# defined in the LUKS_KEEPER_CMDS alias as the 'root' user.
#
# The NOPASSWD tag allows the script to call sudo without an interactive
# password prompt, which is necessary for a seamless CLI tool experience.
# Security is maintained by the highly restrictive nature of the command aliases.

%luks-keeper-users ALL=(root) NOPASSWD: LUKS_KEEPER_CMDS

Key Security Principles in this Configuration:

  • Specificity: The rules don't just allow cryptsetup; they allow cryptsetup open *, cryptsetup close *, etc. This prevents users from running other, potentially destructive cryptsetup subcommands. The same principle is applied to mount and btrfs.
  • Centralized Management: Using Cmnd_Alias makes the ruleset clean, readable, and easy to manage.
  • Group-Based Permissions: The rule applies to the %luks-keeper-users group, ensuring that permissions are managed centrally through group membership.
  • Non-Interactive Execution: The NOPASSWD tag is safe to use in this context because the scope of commands that can be run is extremely narrow. This allows the luks-keeper script to function smoothly without password prompts.
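As an added audit helper (not part of luks-keeper or of this issue), the following Python re-implements the two matching rules that sudoers(5) documents for command entries, so the aliases above can be exercised offline against sample invocations: the executable path must match with wildcards that never cross a '/', and the arguments are matched as one space-joined string, so a trailing '*' also accepts extra words. The alias table and the command lines are constructed copies, not output from a real sudo.

```python
import re
import shlex

# Constructed copy of the Cmnd_Alias definitions from the sudoers file above,
# with the backslash line continuations already resolved.
SUDOERS_ALIASES = {
    "LK_CRYPTSETUP": ["/usr/sbin/cryptsetup open *", "/usr/sbin/cryptsetup close *",
                      "/usr/sbin/cryptsetup status *"],
    "LK_MOUNT": ["/bin/mount /dev/mapper/* /mnt/*", "/bin/umount /mnt/*"],
    "LK_BTRFS": ["/usr/sbin/btrfs subvolume snapshot *"],
}

def _glob_to_regex(pattern: str, cross_slash: bool) -> re.Pattern:
    """Translate a sudoers glob to an anchored regex. In the command path '*' and
    '?' never match '/' (sudo uses FNM_PATHNAME there); in the argument string
    they match anything, '/' and spaces included."""
    any_char = "." if cross_slash else "[^/]"
    body = "".join(any_char + "*" if ch == "*" else any_char if ch == "?" else re.escape(ch)
                   for ch in pattern)
    return re.compile(body + r"\Z")

def rule_matches(rule: str, argv: list[str]) -> bool:
    """True if argv (resolved executable path first) is permitted by one rule entry."""
    rule_cmd, *rule_args = shlex.split(rule)
    if not _glob_to_regex(rule_cmd, cross_slash=False).match(argv[0]):
        return False
    if not rule_args:                 # rule names no arguments: any arguments are allowed
        return True
    # sudo joins the user's arguments with single spaces and matches that whole string
    # against the rule's argument pattern, so a single '*' can span several words.
    return bool(_glob_to_regex(" ".join(rule_args), cross_slash=True)
                .match(" ".join(argv[1:])))

def permitted_by(argv: list[str]):
    """Name of the alias whose rules permit argv, or None if nothing matches."""
    for alias, rules in SUDOERS_ALIASES.items():
        if any(rule_matches(rule, argv) for rule in rules):
            return alias
    return None

if __name__ == "__main__":
    # Constructed sample invocations: two that the file intends to allow or deny,
    # and one showing that 'status *' also accepts words after the device name.
    for cmd in (["/bin/mount", "/dev/mapper/vault", "/mnt/vault"],
                ["/usr/sbin/cryptsetup", "luksFormat", "/dev/sda1"],
                ["/usr/sbin/cryptsetup", "status", "vault", "--debug"]):
        print(f"{' '.join(cmd):50} -> {permitted_by(cmd)}")
```

The third sample is the reason the file's own comment asks for each wildcard to be replaced with the most restrictive pattern that fits the tool's needs.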
