From b03e89fdf730c685e9ca66a3a29cbd9447f63769 Mon Sep 17 00:00:00 2001 From: daobrien Date: Thu, 29 Jul 2021 13:00:21 +1000 Subject: [PATCH] Fixes #235 Add subsection on phraseology for changing to the root user. --- en-US/Design.xml | 68 +++++++++++++++++++++++++++--------------------- 1 file changed, 39 insertions(+), 29 deletions(-) diff --git a/en-US/Design.xml b/en-US/Design.xml index a8e10e5..50bd3f2 100644 --- a/en-US/Design.xml +++ b/en-US/Design.xml @@ -410,29 +410,28 @@ $ vi myFile.txt
Using Escalated Privileges Correctly + + + The term escalated privileges refers to changing to a user whose privileges allow operations that a normal user cannot access. + It also refers to temporarily changing the privileges of the current user to perfom those operations without actually changing user accounts. + This section is aimed primarily at Red Hat Training course material, but the principles and guidelines apply equally in any environment. - - The term escalated privileges refers to changing to a user whose privileges allow operations that a normal user cannot access. - It also refers to temporarily changing the privileges of the current user to perfom those operations without actually changing user accounts. - Classroom Exceptions Although security is important, it is more important that classroom security does not unnecessarily distract from the immediate topic that is being taught.
General Recommendations - - These are recommendations, not rules. + The following are recommendations, not rules. As in most matters, consistency is important. Do not swap between different approaches without reason. Choose which approach works best for your situation and use it consistently. - @@ -441,7 +440,16 @@ $ vi myFile.txt - In exercises, use sudo and sudo -i and set it up to work throughout all relevant systems in the classroom. + Use a consistent approach when giving instructions to change users. + For example: "Connect to the cluster node and become the root user." + + + Variations such as "become root" or similar are strongly discouraged. + + + + + Use sudo and sudo -i and set it up to work throughout all relevant systems. Do not use su - without good cause. @@ -462,32 +470,34 @@ $ vi myFile.txt -
-
Exceptions + + Some courses are specifically designed to teach sudo and its variations, the use of the related files, such as /etc/sudoers, and so on. For these courses, use the required variation for the topic that is being taught. -
Ansible Courses - - - - Ansible courses typically use a devops user with passwordless sudo access (devops ALL=(ALL) NOPASSWD: ALL) on managed nodes to enable the use of become without a become password as root to do anything. - - - - - As much as possible, leave the system-wide default as become: false or become: no and if a single task needs privileges, set become: true or become: yes on that task. - - - - - If most tasks in a play require escalated privileges, set the entire play to become: true or become: yes and possibly selectively set individual tasks to become: false or become: no. - - - -
+
+
Ansible Courses + + + + Ansible courses typically use a devops user with passwordless sudo access (devops ALL=(ALL) NOPASSWD: ALL) on managed nodes to enable the use of become without a become password as root to do anything. + + + + + As much as possible, leave the system-wide default as become: false or become: no and if a single task needs privileges, set become: true or become: yes on that task. + + + + + If most tasks in a play require escalated privileges, set the entire play to become: true or become: yes and possibly selectively set individual tasks to become: false or become: no. + + + +
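Review bot: the paragraph re-added in the first hunk (@@ -410) still carries the typo "perfom" in "to perfom those operations without actually changing user accounts"; since the sentence is being moved and re-added anyway, correct it to "perform" in this patch rather than leaving it for a follow-up. The new framing sentence ("This section is aimed primarily at Red Hat Training course material, but the principles and guidelines apply equally in any environment.") reads well and is the right place to set expectations before the "Classroom Exceptions" paragraph.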
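Review bot: the new list item in the second hunk (@@ -441) says that variations such as "become root" are "strongly discouraged" but gives no reason, and the single example ("Connect to the cluster node and become the root user.") is the only statement of the accepted form, so an author cannot tell whether other wordings (for instance "switch to the root user") are acceptable; add one sentence explaining what the preferred phrasing achieves (naming the account explicitly and keeping the instruction independent of whether sudo -i or su - is used) so the rule can be applied to cases the example does not cover. Separately, the rewritten second item drops "In exercises" and "in the classroom" from "Use sudo and sudo -i and set it up to work throughout all relevant systems", which widens the recommendation beyond exercises; if that is deliberate, to match the new "apply equally in any environment" sentence in the first hunk, mention it in the commit message, which currently only describes the phraseology addition.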
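Review bot: the third hunk (@@ -462) relocates the "Ansible Courses" block after "Exceptions" with its text unchanged, so the move itself is fine, but the relocated first paragraph still states the passwordless sudo rule (devops ALL=(ALL) NOPASSWD: ALL) as a plain fact without connecting it to the classroom-only rationale given in the "Classroom Exceptions" paragraph; now that the block sits directly under "Exceptions", one clause saying that the NOPASSWD rule is a classroom convenience rather than a recommendation for other environments would keep the two sections consistent. The become guidance (leave the default as become: false and enable it only on tasks that need it, or set it play-wide and selectively disable it) already expresses a least-privilege default; consider stating that link to the rest of the section explicitly so readers do not treat the play-wide become: true variant as the equivalent first choice.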
+