
# Sudo privileges & restrictions


For better security, the Neptune agent runs by default as a daemon (`neptune-agentd`) under a dedicated user account called `neptune`. **It never runs as root or as a sudo user.** This is the safe default: a compromise of the agent, or of the service that sends it commands, is contained to what that unprivileged account can do.

However, you might want to give the agent special privileges to run some commands. In that case, you have three options:

1. Install the agent to run as a different user. This is our recommended option and works best if your system already has a user set up with the right privileges.
2. Give sudo permissions to the agent's default user `neptune`.
3. Give the agent's default user `neptune` restricted access, so that it can run only a few specific commands through sudo (better than option 2 in terms of security).

Explore the three options in detail below and choose the one that best fits your needs. Whichever you pick, keep in mind that any sudo right you grant here is exercised by whatever command the agent is asked to run: the agent does not judge whether a command is appropriate, so the rule set should be as narrow as your runbooks allow.

> **The three options below are for Linux installations only.** For Mac or OSX agents, see the last section on this page.

## Option 1 : Install the agent as a different user

Our recommended best practice is to create another user on your system with the right set of privileges and then install the Neptune agent to run as that user.

Simply change the `AGENT_USER` variable in the one-line agent installation command, and the agent will run as the specified user on your host.

![Install_Agent.png](https://files.readme.io/4GeXvrjdQE6pBf2GF22m_Install_Agent.png)

> **To configure an already running agent to run as a different user:** first uninstall the existing agent using `sudo service neptune-agentd uninstall`, then install a new agent as shown above in Option 1.

## Option 2 : Give sudo privileges to default agent user 'neptune' on Linux

Giving `neptune` unrestricted sudo is equivalent to running the agent as root: anyone who can make the agent execute a command gets root on the host. Prefer Option 1 or Option 3 unless your runbooks genuinely need arbitrary privileged commands.

1. You can give sudo privileges to the agent user by setting a special flag while installing the agent and running the whole command with sudo.

```shell
sudo REQUIRE_SUDO="true" AGENT_USER="neptune" API_KEY="XXXX" bash -c "$(curl -sS -L https://raw.githubusercontent.com/neptuneio/neptune-agent/prod/scripts/linux/install_neptune_agent_linux.sh)"
```

   Note that this one-liner downloads the install script and runs it as root in a single step. If your change-control process requires it, download the script first, review it, and then run the reviewed copy with the same environment variables.

2. Alternatively, if you are using our chef recipe, set `require_sudo` to `true` in the attributes file. See the [chef-neptune-agent Github repo](https://github.com/neptuneio/chef-neptune-agent) for details.

3. Finally, you can do it manually, with full control, by editing the sudoers file. Open it with `sudo visudo` (never edit `/etc/sudoers` with a plain editor: `visudo` checks the syntax before saving, and a syntax error in `/etc/sudoers` makes sudo refuse to run at all) and append the following two lines to give sudo permissions:

```shell
neptune ALL=(ALL) NOPASSWD: ALL
Defaults:neptune !requiretty
```

   The second line is needed on distributions whose default sudoers sets `requiretty`, since the agent runs without a terminal.

Restart the agent to ensure the new permissions are applied:

```shell
sudo service neptune-agentd restart
```

If you grant sudo permission by any of the above approaches, any sudo command in your runbook will be executed by the agent. Before relying on it, confirm what sudo will actually grant with `sudo -l -U neptune`, then do a quick dry run on the host you just gave sudo permissions to by running a sudo command from a runbook.

![dryRun.png](https://files.readme.io/uRzV02sUSAWZEfBtl5Te_dryRun.png)

## Option 3 : Give restricted access to agent (to run only a few commands)

You can do this by adding the agent user to a group and giving that group sudo rights for only a few specific commands.

1. First ensure the group exists, or create a new one (e.g. `agentGroup`):

```shell
sudo groupadd agentGroup
```

2. Add the Neptune agent user (in this case `neptune`) to the group as a supplementary group. Use `-aG`, not `-g`: `-g` replaces the user's primary group, which silently changes the group ownership of every file the agent creates from then on.

```shell
sudo usermod -aG agentGroup neptune
```

3. To restrict the commands that members of the group (e.g. `agentGroup`) can run, open your sudoers file:

```shell
sudo visudo
```

4. Add the following line to the sudoers file to allow the group to run only `command1`, `command2` and `command3` (replace them with the actual commands your runbooks need):

```shell
%agentGroup ALL=NOPASSWD: /usr/bin/command1, /usr/bin/command2, /home/user1/bin/command3
```

   Points to check before you save:
   - sudoers only accepts fully qualified command paths, and the listed files must not be writable by the `neptune` user or by the group; otherwise the agent can replace the binary and run anything as root. A command under a user's home directory (like the `/home/user1/bin/command3` placeholder above) deserves a second look for exactly that reason.
   - A rule that lists a command without arguments allows that command with any arguments. Do not whitelist editors, pagers, interpreters, or tools such as `find` or `tar` that can spawn a subprocess; a shell escape from a whitelisted command is root.
   - If your sudoers sets `requiretty`, also add `Defaults:%agentGroup !requiretty`, as in Option 2.

5. Restart the agent to ensure the new permissions are applied:

```shell
sudo service neptune-agentd restart
```

**That's it. The agent now has limited privileges through its group settings.** Verify the effective rules with `sudo -l -U neptune`; the output should list only the commands from step 4.

## For Mac agents

You can change the neptune daemon config at `/Library/LaunchDaemons/com.neptune.agent.plist`.

Change the `UserName` value to a user of your choice and give that user sudo privileges. On macOS this is the same `sudo visudo` edit as on Linux, and the same advice applies: restrict the allowed commands rather than granting `ALL`. launchd only reads the plist when the job is loaded, so unload and reload the daemon with `launchctl` after editing the file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.neptune.agent</string>
        <key>RunAtLoad</key>
        <true/>
        <key>KeepAlive</key>
        <true/>
        <key>NetworkState</key>
        <true/>
        <key>WorkingDirectory</key>
        <string>WORKING_DIRECTORY_HERE</string>
        <key>Program</key>
        <string>AGENT_PATH_HERE</string>
        <key>UserName</key>
        <string>AGENT_USER_HERE</string>
        <key>ExitTimeOut</key>
        <integer>2</integer>
    </dict>
</plist>
```

> **Next : Learn how to manage and update your Neptune agent.** [Agent administration](doc:agent-administration)
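The following script is an added example for the Option 3 procedure on Linux; it is not code from the Neptune agent project or its install script. It generates the group sudoers rule, refuses whitelisted binaries that the agent user could overwrite, validates the rule with `visudo` before it can break sudo, installs it as a root-only drop-in, and prints what sudo will grant. The group `agentGroup` and user `neptune` come from the page; the drop-in name `/etc/sudoers.d/neptune-agent`, the `NEPTUNE_APPLY` switch, the sample commands `/usr/bin/systemctl` and `/usr/bin/journalctl`, and the assumption that `/etc/sudoers` includes `/etc/sudoers.d` (the default on most distributions) are mine.

```shell
#!/bin/sh
# Added example for Option 3; not code from the Neptune agent project.
# Assumptions: group/user names, the drop-in path /etc/sudoers.d/neptune-agent,
# and that /etc/sudoers includes the sudoers.d directory.

# Print the sudoers rule granting GROUP exactly the listed commands.
# sudoers only accepts fully qualified command paths, so reject anything
# else here rather than discovering it when visudo fails.
agent_sudoers_rule() {
    group="$1"; shift
    list=""
    for cmd in "$@"; do
        case "$cmd" in
            /*) ;;
            *) echo "refusing non-absolute command: $cmd" >&2; return 1 ;;
        esac
        list="${list:+$list, }$cmd"
    done
    [ -n "$list" ] || { echo "no commands given" >&2; return 1; }
    printf '%%%s ALL=(root) NOPASSWD: %s\n' "$group" "$list"
    # The agent has no terminal; needed where the default sudoers sets requiretty.
    printf 'Defaults:%%%s !requiretty\n' "$group"
}

# Succeed only if CMD is a regular file the agent cannot modify: not owned
# by AGENT_USER and neither group- nor world-writable. A whitelisted binary
# the agent can overwrite is unrestricted root, whatever the rule says.
agent_command_is_safe() {
    cmd="$1"; agent_user="$2"
    [ -f "$cmd" ] || return 1
    set -- $(ls -ldL "$cmd")            # fields: mode links owner group ...
    mode="$1"; owner="$3"
    [ "$owner" != "$agent_user" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;; # group (pos 6) or other (pos 9) write bit
    esac
    return 0
}

# Check every command, write the rule to a temp file, let visudo reject bad
# syntax, then install it read-only for root. Must run as root.
install_agent_sudoers() {
    group="$1"; agent_user="$2"; shift 2
    for cmd in "$@"; do
        agent_command_is_safe "$cmd" "$agent_user" || {
            echo "unsafe or missing command (writable or owned by $agent_user): $cmd" >&2
            return 1
        }
    done
    tmp=$(mktemp) || return 1
    agent_sudoers_rule "$group" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    # -c: check only; -f: check this file instead of /etc/sudoers
    visudo -c -f "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/neptune-agent
    rm -f "$tmp"
    # Show what sudo will actually grant; only the listed commands should appear.
    sudo -l -U "$agent_user"
}

# Usage (as root), after 'groupadd agentGroup' and 'usermod -aG agentGroup neptune':
#   NEPTUNE_APPLY=1 sh restrict_agent_sudo.sh
if [ "${NEPTUNE_APPLY:-0}" = 1 ]; then
    install_agent_sudoers agentGroup neptune /usr/bin/systemctl /usr/bin/journalctl
fi
```

The ownership and write-bit check is the part people skip: the sudoers line names a path, not a file, so whoever can write that path decides what runs as root. Running the rule through `visudo -c -f` before installing it means a typo costs you a failed script rather than a host where sudo no longer works.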