Sudo: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
=External=
* http://www.sudo.ws/man/1.8.12/sudo.man.html
=Internal=
=Internal=


* [[Linux#Commands|Linux]]
* [[Linux#Commands|Linux]]


=Overview=


!!!sudo
<tt>sudo</tt> runs a command as the root (the default), without needing the root password:
 
!!!External
 
* [http://www.sudo.ws/man/1.8.12/sudo.man.html]
 
!!!Internal
 
|[Linux]
 
 
!!!Overview
 
{{sudo}} runs a command as the root (the default), without needing the root password:


{{{
<pre>
    sudo service some-service stop
sudo service some-service stop
}}}
</pre>


{{sudo}} can run a command as another user than root, if '{{-u user}}' is specified:
<tt>sudo</tt> can run a command as another user than root, if '<tt>-u user</tt>' is specified:


{{{
<pre>
    sudo -u some-user some-command
sudo -u some-user some-command
}}}
</pre>


Extensive information about how sudo is configured to run:
Extensive information about how sudo is configured to run:


{{{
<pre>
    # as root
# as root
    sudo -V
sudo -V
}}}
</pre>
 


!!!Options
=Options=


 
==-n==
!!-n


Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.
Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.


==-u==


!!-u
<pre>
 
{{{
-u user
-u user
}}}
</pre>
 
 
 
 
 
!!!Giving "sudo" to a user


Only use {{visudo}} to edit {{/etc/sudoers}} __as root__. From {{visudo}} add:
=Giving "sudo" to a user=


{{{
Use <tt>visudo</tt> only to edit <tt>/etc/sudoers</tt> '''as root'''. From <tt>visudo</tt> add:


<pre>
webr    rangiroa= NOPASSWD: /home/webr/*/bin/apachectl
webr    rangiroa= NOPASSWD: /home/webr/*/bin/apachectl
 
</pre>
}}}


to give permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without asking for webr's password either - which is good for automated scripts.
to give permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without asking for webr's password either - which is good for automated scripts.


__Note__: to debug sudo privileges, run {{sudo -l}} as the user you're trying to sudo from.
'''Note''': to debug sudo privileges, run <tt>sudo -l</tt> as the user you're trying to sudo from.


!!Allow user 'ec' to run all commands as root without a password
==Allow user 'ec' to run all commands as root without a password==


{{{
<pre>
ec  ALL=(ALL)  NOPASSWD: ALL
ec  ALL=(ALL)  NOPASSWD: ALL
}}}
</pre>


<font color=red>
<font color=red>
Equivalent:
Equivalent:


{{{
ec  ALL=NOPASSWD:ALL
ec  ALL=NOPASSWD:ALL
}}}


Next time I am here, decipher the syntax and understand what all ALLs mean.
Next time I am here, decipher the syntax and understand what all ALLs mean.
</font>
</font>


!!!Listing the Commands Allowed to run as Sudo
=Listing the Commands Allowed to run as Sudo=


{{{
<pre>
sudo -ll [-U <user>]
</pre>


      sudo -ll [-U <user>]
=Running servers as their own user who has <tt>/sbin/nologin</tt>=


}}}
This example is about running a wiki (tomcat) as the user 'wiki', which has <tt>/sbin/nologin</tt>.


!!!Running servers as their own user who has {{/sbin/nologin}}
1. Make sure the user has <tt>/sbin/nologin</tt> in <tt>/etc/passwd</tt>.


This example is about running a wiki (tomcat) as the user 'wiki', which has {{/sbin/nologin}}.
2. Configure user's <tt>~/.bash_profile<tt> and <tt>~/.bashrc</tt> as the user would have shell access.


1. Make sure the user has {{/sbin/nologin}} in {{/etc/passwd}}.
It is important to define all environment variables required during server's operation, as they are '''NOT''' inherited from root's.
 
2. Configure user's {{~/.bash_profile}} and {{~/.bashrc}} as the user would have shell access.
 
It is important to define all environment variables required during server's operation, as they are __NOT__ inherited from root's.


Example: JAVA_HOME, etc.
Example: JAVA_HOME, etc.


3. Modify {{/etc/init.d}} startup script as follows:
3. Modify <tt>/etc/init.d</tt> startup script as follows:


{{{
<pre>
     ...
     ...


Line 119: Line 98:


     ...
     ...
}}}
</pre>
 




!!!"sudo: sorry, you must have a tty to run sudo"
="sudo: sorry, you must have a tty to run sudo"=


!!If sudo is run over ssh
==If sudo is run over ssh==


Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows:
Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows:


{{{
<pre>
 
ssh -t someuser@1.2.3.4 sudo /bin/bash -c "..."
      ssh -t ofeodorov@10.153.161.41 sudo /bin/bash -c "..."
</pre>
 
}}}


The essential part is "-t".
The essential part is "-t".


More details: [http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password]
More details http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password


!!If sudo is NOT run over ssh (as part of a systemd script)
==If sudo is NOT run over ssh (as part of a systemd script)==


sudo behaves that way because the /etc/sudoers file has
sudo behaves that way because the /etc/sudoers file has


{{{
<pre>
Defaults requiretty
Defaults requiretty
}}}
</pre>


which makes sudo require a TTY. If the configuration is removed, the sudo stops complaining.
which makes sudo require a TTY. If the configuration is removed, the sudo stops complaining.
   
   
 
=Multiple commands with sudo over ssh=
!!!Multiple commands with sudo over ssh
 


It seems that sudo cannot execute multiple commands, so we get around this limitation by getting it to execute bash -c "...", where we specify multiple commands after -c. This works with ssh:
It seems that sudo cannot execute multiple commands, so we get around this limitation by getting it to execute bash -c "...", where we specify multiple commands after -c. This works with ssh:


{{{
<pre>
      ssh -t ofeodorov@10.153.161.41 sudo -n /bin/bash -c "id -un; hostname"
ssh -t someuser@1.2.3.4 sudo -n /bin/bash -c "id -un; hostname"
}}}
</pre>
 


This will print "root" and the remote host name.
This will print "root" and the remote host name.


 
For a complex example that works, see https://github.com/NovaOrdis/em/blob/master/src/main/bash/bin/commands/update
For a complex example that works, see [https://github.com/NovaOrdis/em/blob/master/src/main/bash/bin/commands/update]
 
__Referenced by:__\\
[{INSERT com.ecyrd.jspwiki.plugin.ReferringPagesPlugin WHERE max=20, maxwidth=50}]

Revision as of 13:57, 15 March 2017

External

Internal

Overview

sudo runs a command as the root (the default), without needing the root password: 

sudo service some-service stop

sudo can run a command as another user than root, if '-u user' is specified: 

sudo -u some-user some-command

Extensive information about how sudo is configured to run: 

# as root
sudo -V

Options

-n

Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.

-u

-u user

Giving "sudo" to a user

Use visudo only to edit /etc/sudoers as root. From visudo add: 

webr    rangiroa= NOPASSWD: /home/webr/*/bin/apachectl

to give permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without asking for webr's password either - which is good for automated scripts.

Note: to debug sudo privileges, run sudo -l as the user you're trying to sudo from.

Allow user 'ec' to run all commands as root without a password

ec  ALL=(ALL)   NOPASSWD: ALL

Equivalent:

ec ALL=NOPASSWD:ALL

Next time I am here, decipher the syntax and understand what all ALLs mean.

Listing the Commands Allowed to run as Sudo

sudo -ll [-U <user>]

Running servers as their own user who has /sbin/nologin

This example is about running a wiki (tomcat) as the user 'wiki', which has /sbin/nologin.

1. Make sure the user has /sbin/nologin in /etc/passwd.

2. Configure user's ~/.bash_profile and ~/.bashrc as the user would have shell access.

It is important to define all environment variables required during server's operation, as they are NOT inherited from root's.

Example: JAVA_HOME, etc.

3. Modify /etc/init.d startup script as follows: 

    ...

    start() {
        sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/startup.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out"

    ...

    stop() {
        sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/shutdown.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out"

    ...


"sudo: sorry, you must have a tty to run sudo"

If sudo is run over ssh

Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows: 

ssh -t someuser@1.2.3.4 sudo /bin/bash -c "..."

The essential part is "-t".

More details http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password

If sudo is NOT run over ssh (as part of a systemd script)

sudo behaves that way because the /etc/sudoers file has 

Defaults requiretty

which makes sudo require a TTY. If the configuration is removed, the sudo stops complaining.

Multiple commands with sudo over ssh

It seems that sudo cannot execute multiple commands, so we get around this limitation by getting it to execute bash -c "...", where we specify multiple commands after -c. This works with ssh: 

ssh -t someuser@1.2.3.4 sudo -n /bin/bash -c "id -un; hostname"

This will print "root" and the remote host name.

For a complex example that works, see https://github.com/NovaOrdis/em/blob/master/src/main/bash/bin/commands/update

Retrieved from "https://kb.novaordis.com/index.php?title=Sudo&oldid=18160"