skip to Main Content

I created an Ubuntu VM on GCP Compute Engine.

Some details:

-> (ubuntu-minimal-2204-jammy-v20220810)

 Machine type
    e2-micro
CPU platform
    Intel Broadwell
Architecture
    x86/64

I added one user using SSH keys. This user can properly access to the VM, no problem here.
But he can also become root like this:

# he resets the root password
sudo passwd

# the he can become root using the freshly created password
su 

How can I prevent this ?

I tried to remove this user from the sudoers but without success:

root@vm_test:/home/user# sudo deluser user_test sudo
/usr/sbin/deluser: The user `user_test' is not a member of group `sudo'.

EDIT:
My sudoers config file looks like this. I might modify it to restrict access. But I don’t understand how.

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

2

Answers


  1. In IAM, give them roles/compute.osLogin, not roles/compute.osAdminLogin or roles/compute.instanceAdmin.

    Login or Signup to reply.
  2. The SSH Access method that you are using (Manage SSH keys in metadata) leverages the access management to a directory service; if you want to control the access level to your instance(s) using Google’s Identity Service, you need to use the OS Login method instead.

    Here is an example granting normal user access to an instance named ‘ubuntu-test’ to the user ‘[email protected]’:

    gcloud compute instances add-iam-policy-binding ubuntu-test 
        --member='user:[email protected]' 
        --role='roles/compute.osLogin' 
        --zone=<instance_zone>
    

    Note: Unlike the Manage SSH key method, in the OS Login method the user must exist in the GCP database in order to properly assign the permissions.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search