sudoedit.com!

Time boxed sudo

Something I needed to do a few days ago was give someone temporary sudo privileges on a machine.

Knowing how forgetful I can be I didn’t want to add the access and then hope I remembered to remove it later.

This sort of thing is not uncommon, and it often ends up as a comment in a sudoers file that looks something like this:

# Temporary sudo access for 30 days added by Luke 2004-01-01
somedude ALL=(ALL) NOPASSWD:ALL

The temporary 30-day access for some dude who no longer works here has lasted for 20 years… so far…

I suppose technically all access is temporary access in the grand scheme of things so maybe this isn’t so bad? 🤣

A better way to enforce temporary access

Use the NOTBEFORE and NOTAFTER options in the sudoers file.

A better way to time-box this kind of access, and make sure a forgetful sysadmin doesn’t end up granting temporary access that lasts for 20 years, looks like this:

# Temporary sudo access for 30 days added by Luke 2024-01-01
somedude ALL=(ALL) NOTBEFORE=202401010800 NOTAFTER=202401311700 NOPASSWD:ALL

This way the entry only starts matching on January 1, 2024 at 8am and stops matching on January 31, 2024 at 5pm, so the access appears and disappears on its own. That way you aren’t reliant on anyone’s memory.
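As an added example (not code from the original post), here is a small bash script that writes a time-boxed drop-in under /etc/sudoers.d with NOTBEFORE/NOTAFTER computed from the current time, and only installs it after visudo accepts it. It assumes sudo 1.8.20 or newer (the release that introduced these options), GNU date, and root for the install step, and it uses UTC timestamps (the trailing Z) so the window does not shift with the host’s time zone.

```bash
#!/usr/bin/env bash
# Create a time-boxed sudoers drop-in using NOTBEFORE/NOTAFTER.
# Added example; assumes sudo >= 1.8.20, GNU date, and visudo on PATH.
set -eu

# Build the User_Spec line. Timestamps are Generalized Time (yyyymmddHHMM[SS][Z]);
# the trailing Z makes them UTC so the window does not move with the host's TZ.
timeboxed_line() {
    local user="$1" start="$2" end="$3"
    printf '%s ALL=(ALL) NOTBEFORE=%s NOTAFTER=%s NOPASSWD:ALL\n' "$user" "$start" "$end"
}

# UTC Generalized Time stamp N days after a given epoch second.
gentime_after_days() {
    local epoch="$1" days="$2"
    date -u -d "@$((epoch + days * 86400))" +%Y%m%d%H%MZ
}

# Write /etc/sudoers.d/timebox-<user>, but only after visudo accepts the file.
# (Files under sudoers.d whose names contain '.' or end in '~' are ignored by sudo.)
install_timeboxed() {
    local user="$1" days="$2"
    local now start end tmp
    now=$(date +%s)
    start=$(gentime_after_days "$now" 0)
    end=$(gentime_after_days "$now" "$days")
    tmp=$(mktemp)
    {
        printf '# Temporary sudo access for %s days, expires %s\n' "$days" "$end"
        timeboxed_line "$user" "$start" "$end"
    } > "$tmp"
    visudo -c -f "$tmp" >/dev/null   # syntax check; a bad file never lands in sudoers.d
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/timebox-$user"
    rm -f "$tmp"
    sudo -l -U "$user"               # show the resulting entry from sudo's point of view
}
```

Run `install_timeboxed somedude 30` as root; the generated line is the same shape as the one above, just with UTC stamps and the comment recording when it expires.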

Go forth and give temporary access.
