Controlling the Usage of sudo
Privilege Manager provides Workstation policies, foundation policies intended for rapid deployment. They are accessed from Application Policies in your Computer Group: click Create Policy, then select Workstation Policies. Refer to Workstation Policies for the full set.
These specific Workstation policies provide ways of controlling how users can execute the sudo command. They are:
- Block sudo Commands for Non-Admin Group Users
- Elevate sudo pmagentctl updateclientitems
Configuring Block sudo commands for non-admin group users
First, let's look at the Block sudo commands for non-admin group users policy. This policy blocks all sudo commands for users who are not members of the Admin group. For users who are members of the Admin group, sudo falls back to normal operation (they are prompted for their credentials as usual).
In the Applications Targeted field, you see Any Command – File Spec Filter (macOS). This filter will match on any command that a user can run.
In the Inclusions list, sudo Parent Process Filter appears as a filter that must match for the policy to apply. This means that this policy will apply to processes where sudo is the parent of the process. In more simple terms, this means that this policy will apply to commands run with sudo.
If we put the Any Command – File Spec Filter (macOS) and the sudo Parent Process Filter logic together, this means that the policy will match on any command that a user could run, if and only if that command is run with sudo.
Now, you see that admin Group – User Context Filter (macOS) is included in the Exclusions list as a filter that must not match for this policy to apply. This filter will match on macOS users in the Admin group. Since this filter is excluded, this policy will not apply to users in the Admin group.
Putting this all together, this policy blocks users that are not in the admin group from running any sudo commands.
Configuring Elevate sudo pmagentctl updateclientitems
Now, let's look at the next policy, Elevate sudo pmagentctl updateclientitems. This policy allows users to run sudo pmagentctl updateclientitems in the Terminal without having to input credentials. See Terminal Commands for more information on pmagentctl.
Again, you see that sudo Parent Process Filter is listed as an Inclusion and we know from the previous policy that this means that the policy will apply to commands run with sudo.
You will see a pattern here. When you want to control the usage of sudo, you need the sudo Parent Process Filter listed in the Inclusions.
In the Applications Targeted field, pmagentctl – File Spec Filter (macOS) is listed. This filter targets the Privilege Manager macOS agent's command line utility, pmagentctl.
There is another filter listed in the Inclusions section of this policy, updateclientitems – Commandline Filter (macOS). As its name suggests, this filter matches the command line argument updateclientitems, which is a subcommand of pmagentctl. Because it is an Inclusion, the policy applies only to pmagentctl invocations that carry this subcommand, not to pmagentctl in general.
Putting this all together, this policy targets pmagentctl updateclientitems when it is run with sudo.
These two Workstation policies can be applied alone or together. If they are applied together, Elevate sudo pmagentctl updateclientitems is evaluated before Block sudo commands for non-admin group users because of its priority, so the more specific elevation is matched first. All users are then allowed to run sudo pmagentctl updateclientitems without having to input credentials, all other sudo commands are blocked for non-Admin group users, and for Admin group users all other sudo commands fall back to normal operation. Keep the priorities in that order: if the Block policy were evaluated first, it would match every sudo command from a non-Admin user, including sudo pmagentctl updateclientitems, and the elevation would never take effect for those users.
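To make the combined behaviour concrete, the following model shows how Applications Targeted, Inclusions, Exclusions and priority compose for these two policies, and what happens when the priorities are reversed. It is an added example written for this guide, not Privilege Manager code: the filter and policy names follow this page, but the evaluation logic, the priority numbers, the bare program names used in place of full paths, and the assumption that the lower priority number is evaluated first are all the model's own.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# Constructed model of the policy matching described on this page. The filter
# and policy names follow the page; the evaluation logic is this example's own
# and is not the Privilege Manager agent's implementation.


@dataclass(frozen=True)
class Event:
    command: str             # program being executed, e.g. "pmagentctl" or "ls"
    args: Tuple[str, ...]    # arguments after the program name
    parent: str              # parent process name; "sudo" when run through sudo
    groups: frozenset        # macOS groups the invoking user belongs to


Filter = Callable[[Event], bool]


def any_command() -> Filter:                # Any Command - File Spec Filter (macOS)
    return lambda e: True


def file_spec(program: str) -> Filter:      # <program> - File Spec Filter (macOS)
    return lambda e: e.command == program   # bare names stand in for full paths (assumption)


def parent_process(name: str) -> Filter:    # sudo Parent Process Filter
    return lambda e: e.parent == name


def commandline(token: str) -> Filter:      # <token> - Commandline Filter (macOS)
    return lambda e: token in e.args


def user_in_group(group: str) -> Filter:    # <group> Group - User Context Filter (macOS)
    return lambda e: group in e.groups


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                    # lower number is evaluated first (assumption of this model)
    targeted: Filter                 # Applications Targeted
    inclusions: Tuple[Filter, ...]   # every inclusion must match
    exclusions: Tuple[Filter, ...]   # no exclusion may match
    action: str                      # "Run as Root" or "Deny Execute"

    def matches(self, e: Event) -> bool:
        return (self.targeted(e)
                and all(f(e) for f in self.inclusions)
                and not any(f(e) for f in self.exclusions))


ELEVATE = Policy(
    name="Elevate sudo pmagentctl updateclientitems",
    priority=10,
    targeted=file_spec("pmagentctl"),
    inclusions=(parent_process("sudo"), commandline("updateclientitems")),
    exclusions=(),
    action="Run as Root",
)

BLOCK = Policy(
    name="Block sudo Commands for Non-Admin Group Users",
    priority=20,
    targeted=any_command(),
    inclusions=(parent_process("sudo"),),
    exclusions=(user_in_group("admin"),),
    action="Deny Execute",
)

WORKSTATION_POLICIES = [ELEVATE, BLOCK]

# The same two policies with the Block policy given the higher priority: a
# misconfiguration that makes the elevation unreachable for non-admin users.
MISORDERED_POLICIES = [ELEVATE, replace(BLOCK, priority=5)]


def evaluate(policies: List[Policy], e: Event) -> Tuple[str, Optional[str]]:
    """Return (action, policy name) for the first policy that matches in
    priority order, or ("Normal", None) when no policy applies and sudo
    behaves as it normally would (prompting for the user's password)."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.matches(e):
            return p.action, p.name
    return "Normal", None


def sudo(command: str, *args: str, groups=("staff",)) -> Event:
    """Event for `sudo <command> <args>` run by a user in the given groups."""
    return Event(command, args, "sudo", frozenset(groups))


if __name__ == "__main__":
    samples = [
        ("non-admin: sudo pmagentctl updateclientitems", sudo("pmagentctl", "updateclientitems")),
        ("non-admin: sudo ls /root", sudo("ls", "/root")),
        ("admin: sudo ls /root", sudo("ls", "/root", groups=("staff", "admin"))),
        ("non-admin: pmagentctl updateclientitems (no sudo)",
         Event("pmagentctl", ("updateclientitems",), "zsh", frozenset({"staff"}))),
    ]
    for label, event in samples:
        print(f"{label:52} -> {evaluate(WORKSTATION_POLICIES, event)}")
```

The fourth sample shows why the sudo Parent Process Filter matters: running pmagentctl updateclientitems directly from the shell is not matched by either policy, so nothing is elevated or blocked, and the command runs with the user's own privileges.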
Summary
Now that we have explored these example policies, let’s recap:
- If you want to control the usage of sudo, the sudo Parent Process Filter needs to be added to the Inclusions.
- You can target any application that can be run with sudo. In these examples, we targeted Any Command – File Spec Filter (macOS) and pmagentctl – File Spec Filter (macOS).
- You can add filters to the Inclusions and Exclusions sections of a policy to filter on specific command lines. Refer to the example in Configuring Elevate sudo pmagentctl updateclientitems.
- You can also filter on users or groups here; we excluded the Admin group in the Block sudo commands for non-admin group users policy so Admin users could still run sudo commands by entering their credentials. Refer to the example in Configuring Block sudo commands for non-admin group users. This is not an exhaustive list of the filters that can be added to the Inclusions and Exclusions sections.
- In these examples we used the Deny Execute action to block sudo usage and the Run as Root action to elevate it. Other or additional actions can be added.
- Because these policies deal with command line tools, Applies to All Processes is the only option under Advanced Settings that needs to be checked.