Ubuntu Admin

Root Access

Users can grant themselves sudo access when the machine is first booted after installation. TIG can help in cases of machines changing users or similar cases where somebody who needs access doesn’t have it. You can also add new sudoers files to the /etc/sudoers.d directory, for example:

sudo visudo -f /etc/sudoers.d/12_local_sudo

Root Alias

If you are reading this, its probably because you want to customize something on your machine — install some extra software, set up a root cron job, add a local (non-Kerberos) account for a collaborator, or the like. If that is the case, you should arrange for yourself to get root mail. You can do this by creating a file /etc/facter/facts.d/local.txt and adding a line that says

root_alias=YOUREMAILADDRESS

That does not prevent TIG sysadmins from getting root mail as well, but it means you will see it too, and you can fix problems related to software you’ve installed or configuration changes you’ve made. (Of course, if you need help with that, send mail to help@csail.mit.edu.)

Restricting login access

Machine owners can limit access to their computers by providing a list (one per line) of allowed usernames in /etc/csail/users.allow.

On 16.04 (Xenial) and newer systems /etc/csail/groups.allow is also supported. Note: On 16.04 and newer systems, /etc/csail/groups.allow must exist (even if empty) in order for /etc/csail/users.allow to function correctly.

Don’t lock yourself out!

If you create users.allow or groups.allow they take effect immediately, and one of their side effects is to prevent disallowed users from running sudo. So make sure you never leave those files in a state where your account isn’t allowed to authenticate, or you’ll lose your ability to make any further changes. For instance, add yourself to users.allow before creating groups.allow if you’re not already in one of the allowed groups. (TIG can help if you find yourself in that state.)

It is also possible to restrict ssh access to a specific group or list of groups. This is done by adding a line to the file in /etc/facter/facts.d/local.txt (which may not yet exisist) defining sshdallowgroups to a space seperated list of groups to allow, for example:

sshdallowgroups=group1 group2 etc

This will be activated on the next configuration management run (within 30min) or can be activated immediately by running

sudo puppet agent -t

The sshallowgroups method is preferred for 14.04 (Trusty) and older systems. On newer systems /etc/csail/groups.allow and /etc/csail/users.allow is preferred

Access to NFS

Autofs is unconfigured by default. If you’d like to access the CSAIL NFS shares, add the following line to /etc/facter/facts.d/local.txt (which might not exist already):

autofs=true

You should be able to access the NFS shares in approximately 30 minutes after the next puppet agent runs.