I created an Ubuntu VM on GCP Compute Engine.
Some details:
- ubuntu-minimal-2204-jammy-v20220810
- Machine type: e2-micro
- CPU platform: Intel Broadwell
- Architecture: x86/64
I added one user using SSH keys. This user can properly access the VM, no problem here.
But he can also become root like this:

```shell
# he resets the root password
sudo passwd
# then he can become root using the freshly created password
su
```

How can I prevent this?
I tried to remove this user from the sudoers, but without success:

```shell
root@vm_test:/home/user# sudo deluser user_test sudo
/usr/sbin/deluser: The user `user_test' is not a member of group `sudo'.
```
EDIT:
My sudoers config file looks like this. I might modify it to restrict access, but I don’t understand how.

```shell
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
```
2 Answers
In IAM, give them roles/compute.osLogin, not roles/compute.osAdminLogin or roles/compute.instanceAdmin.

The SSH access method that you are using (Manage SSH keys in metadata) leverages the access management of a directory service; if you want to control the access level to your instance(s) using Google’s Identity Service, you need to use the OS Login method instead.
Here is an example granting normal user access to an instance named ‘ubuntu-test’ to the user ‘[email protected]’:
Note: Unlike the Manage SSH key method, in the OS Login method the user must exist in the GCP database in order to properly assign the permissions.
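As an added example (not part of the question or the answer above): a POSIX shell audit that lists every sudoers rule applying to a user by name or through any of the user's groups, including drop-ins under /etc/sudoers.d, which `deluser USER sudo` never touches. The sample files are constructed; the google-sudoers group in the drop-in is the one the GCP guest environment uses for users created from metadata SSH keys.

```shell
# sudo_rules_for USER GROUPS FILE...: print "FILE: RULE" for every rule in FILE...
# whose first field is USER or %G for some G in GROUPS (space-separated; on a live
# host pass "$(id -Gn USER)"). User_Alias indirection is not resolved, so
# 'sudo -l -U USER' remains the authoritative check.
sudo_rules_for() {
  user=$1
  groups=$2
  shift 2
  for f in "$@"; do
    [ -f "$f" ] || continue
    # drop comments and blank lines, then split each rule at its first field
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
    while read -r spec rest; do
      if [ "$spec" = "$user" ]; then
        printf '%s: %s %s\n' "$f" "$spec" "$rest"
      elif [ "${spec#%}" != "$spec" ]; then
        for g in $groups; do
          if [ "$g" = "${spec#%}" ]; then
            printf '%s: %s %s\n' "$f" "$spec" "$rest"
          fi
        done
      fi
    done
  done
}

# audit_user USER: live-host wrapper over the standard sudoers locations (run as root)
audit_user() {
  sudo_rules_for "$1" "$(id -Gn "$1")" /etc/sudoers /etc/sudoers.d/*
}

# make_sample: writes a constructed sudoers tree to a temp dir and prints its path.
# The main file mirrors the question's config; the drop-in models a grant through a
# group other than sudo, as the GCP guest environment does for metadata-key users.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/sudoers.d"
  cat > "$d/sudoers" <<'EOF'
# User privilege specification
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
EOF
  cat > "$d/sudoers.d/google_sudoers" <<'EOF'
%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL
EOF
  printf '%s\n' "$d"
}
```

On the VM, `audit_user user_test` (as root) shows which file and group grant the access, which is what to change locally, while the answer's OS Login change controls who gets that access in the first place.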