Sudo: Difference between revisions
Line 69: | Line 69: | ||
==Add /etc/sudoers.d File== | ==Add /etc/sudoers.d File== | ||
For this to work, /etc/sudoers must contain | For this to work, /etc/sudoers must contain: | ||
#includedir /etc/sudoers.d | #includedir /etc/sudoers.d | ||
Revision as of 19:29, 26 July 2018
External
Internal
Overview
sudo runs a command as the root (the default), without needing the root password:
sudo service some-service stop
sudo can run a command as another user than root, if '-u user' is specified:
sudo -u some-user some-command
Extensive information about how sudo is configured to run:
# as root sudo -V
Options
-n
Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.
-u
-u user
Giving "sudo" to a user
Modify /etc/sudoers
Use visudo only to edit /etc/sudoers as root. From visudo add:
webr rangiroa= NOPASSWD: /home/webr/*/bin/apachectl
to give permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without asking for webr's password either - which is good for automated scripts.
Note: to debug sudo privileges, run sudo -l as the user you're trying to sudo from.
Allow a user to run all commands as root without a password
Use visudo only to edit /etc/sudoers as root. From visudo add:
ec ALL=(ALL) NOPASSWD: ALL
Equivalent:
ec ALL=NOPASSWD:ALL
Next time I am here, decipher the syntax and understand what all ALLs mean.
Add /etc/sudoers.d File
For this to work, /etc/sudoers must contain:
#includedir /etc/sudoers.d
Add a /etc/sudoers.d/010_testuser with the following content:
testuser ALL=(ALL) NOPASSWD: ALL
Listing the Commands Allowed to run as Sudo
sudo -ll [-U <user>]
Running servers as their own user who has /sbin/nologin
This example is about running a wiki (tomcat) as the user 'wiki', which has /sbin/nologin.
1. Make sure the user has /sbin/nologin in /etc/passwd.
2. Configure user's ~/.bash_profile and ~/.bashrc as the user would have shell access.
It is important to define all environment variables required during server's operation, as they are NOT inherited from root's.
Example: JAVA_HOME, etc.
3. Modify /etc/init.d startup script as follows:
... start() { sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/startup.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out" ... stop() { sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/shutdown.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out" ...
"sudo: sorry, you must have a tty to run sudo"
If sudo is run over ssh
Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows:
ssh -t someuser@1.2.3.4 sudo /bin/bash -c "..."
The essential part is "-t".
More details http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password
If sudo is NOT run over ssh (as part of a systemd script)
sudo behaves that way because the /etc/sudoers file has
Defaults requiretty
which makes sudo require a TTY. If the configuration is removed, the sudo stops complaining.
Multiple commands with sudo over ssh
It seems that sudo cannot execute multiple commands, so we get around this limitation by getting it to execute bash -c "...", where we specify multiple commands after -c. This works with ssh:
ssh -t someuser@1.2.3.4 sudo -n /bin/bash -c "id -un; hostname"
This will print "root" and the remote host name.
For a complex example that works, see https://github.com/NovaOrdis/em/blob/master/src/main/bash/bin/commands/update