Sudo: Difference between revisions
(Created page with "=Internal= * Linux") |
|||
(8 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=External= | |||
* http://www.sudo.ws/man/1.8.12/sudo.man.html | |||
=Internal= | =Internal= | ||
* [[Linux#Commands|Linux]] | * [[Linux#Commands|Linux]] | ||
=Overview= | |||
<tt>sudo</tt> runs a command as the root (the default), without needing the root password: | |||
<pre> | |||
sudo service some-service stop | |||
</pre> | |||
<tt>sudo</tt> can run a command as another user than root, if '<tt>-u user</tt>' is specified: | |||
<pre> | |||
sudo -u some-user some-command | |||
</pre> | |||
Extensive information about how sudo is configured to run: | |||
<pre> | |||
# as root | |||
sudo -V | |||
</pre> | |||
=Options= | |||
==-n== | |||
Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit. | |||
==-u== | |||
-u user | |||
==-E, --preserve-env== | |||
Indicates to the security policy that the user wishes to preserve their existing environment variables. | |||
==-S, --stdin== | |||
Write the prompt to the standard error and read the password from the standard input instead of using the terminal device. The password must be followed by a newline character. | |||
=Giving "sudo" to a user= | |||
==Modify /etc/sudoers== | |||
Use <tt>visudo</tt> only to edit <tt>/etc/sudoers</tt> '''as root'''. From <tt>visudo</tt> add: | |||
webr rangiroa= NOPASSWD: /home/webr/*/bin/apachectl | |||
to give permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without asking for webr's password either - which is good for automated scripts. | |||
'''Note''': to debug sudo privileges, run <tt>sudo -l</tt> as the user you're trying to sudo from. | |||
==Allow a user to run all commands as root without a password== | |||
Use <tt>visudo</tt> only to edit <tt>/etc/sudoers</tt> '''as root'''. From <tt>visudo</tt> add: | |||
ec ALL=(ALL) NOPASSWD: ALL | |||
This works both on Linux and Mac. | |||
<font color=red> | |||
Equivalent: | |||
ec ALL=NOPASSWD:ALL | |||
Next time I am here, decipher the syntax and understand what all ALLs mean. | |||
</font> | |||
==Add /etc/sudoers.d File== | |||
For this to work, /etc/sudoers must contain: | |||
#includedir /etc/sudoers.d | |||
Add a /etc/sudoers.d/010_testuser with the following content: | |||
testuser ALL=(ALL) NOPASSWD: ALL | |||
=Listing the Commands Allowed to run as Sudo= | |||
<pre> | |||
sudo -ll [-U <user>] | |||
</pre> | |||
=Running servers as their own user who has <tt>/sbin/nologin</tt>= | |||
This example is about running a wiki (tomcat) as the user 'wiki', which has <tt>/sbin/nologin</tt>. | |||
1. Make sure the user has <tt>/sbin/nologin</tt> in <tt>/etc/passwd</tt>. | |||
2. Configure user's <tt>~/.bash_profile<tt> and <tt>~/.bashrc</tt> as the user would have shell access. | |||
It is important to define all environment variables required during server's operation, as they are '''NOT''' inherited from root's. | |||
Example: JAVA_HOME, etc. | |||
3. Modify <tt>/etc/init.d</tt> startup script as follows: | |||
<pre> | |||
... | |||
start() { | |||
sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/startup.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out" | |||
... | |||
stop() { | |||
sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/shutdown.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out" | |||
... | |||
</pre> | |||
="sudo: sorry, you must have a tty to run sudo"= | |||
==If sudo is run over ssh== | |||
Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows: | |||
<pre> | |||
ssh -t someuser@1.2.3.4 sudo /bin/bash -c "..." | |||
</pre> | |||
The essential part is "-t". | |||
More details http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password | |||
==If sudo is NOT run over ssh (as part of a systemd script)== | |||
sudo behaves that way because the /etc/sudoers file has | |||
<pre> | |||
Defaults requiretty | |||
</pre> | |||
which makes sudo require a TTY. If the configuration is removed, the sudo stops complaining. | |||
=Multiple commands with sudo over ssh= | |||
It seems that sudo cannot execute multiple commands, so we get around this limitation by getting it to execute bash -c "...", where we specify multiple commands after -c. This works with ssh: | |||
<pre> | |||
ssh -t someuser@1.2.3.4 sudo -n /bin/bash -c "id -un; hostname" | |||
</pre> | |||
This will print "root" and the remote host name. | |||
For a complex example that works, see https://github.com/NovaOrdis/em/blob/master/src/main/bash/bin/commands/update |
Latest revision as of 23:38, 17 March 2020
External
Internal
Overview
sudo runs a command as the root (the default), without needing the root password:
sudo service some-service stop
sudo can run a command as another user than root, if '-u user' is specified:
sudo -u some-user some-command
Extensive information about how sudo is configured to run:
# as root sudo -V
Options
-n
Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.
-u
-u user
-E, --preserve-env
Indicates to the security policy that the user wishes to preserve their existing environment variables.
-S, --stdin
Write the prompt to the standard error and read the password from the standard input instead of using the terminal device. The password must be followed by a newline character.
Giving "sudo" to a user
Modify /etc/sudoers
Use visudo only to edit /etc/sudoers as root. From visudo add:
webr rangiroa= NOPASSWD: /home/webr/*/bin/apachectl
to give permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without asking for webr's password either - which is good for automated scripts.
Note: to debug sudo privileges, run sudo -l as the user you're trying to sudo from.
Allow a user to run all commands as root without a password
Use visudo only to edit /etc/sudoers as root. From visudo add:
ec ALL=(ALL) NOPASSWD: ALL
This works both on Linux and Mac.
Equivalent:
ec ALL=NOPASSWD:ALL
Next time I am here, decipher the syntax and understand what all ALLs mean.
Add /etc/sudoers.d File
For this to work, /etc/sudoers must contain:
#includedir /etc/sudoers.d
Add a /etc/sudoers.d/010_testuser with the following content:
testuser ALL=(ALL) NOPASSWD: ALL
Listing the Commands Allowed to run as Sudo
sudo -ll [-U <user>]
Running servers as their own user who has /sbin/nologin
This example is about running a wiki (tomcat) as the user 'wiki', which has /sbin/nologin.
1. Make sure the user has /sbin/nologin in /etc/passwd.
2. Configure user's ~/.bash_profile and ~/.bashrc as the user would have shell access.
It is important to define all environment variables required during server's operation, as they are NOT inherited from root's.
Example: JAVA_HOME, etc.
3. Modify /etc/init.d startup script as follows:
... start() { sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/startup.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out" ... stop() { sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/shutdown.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out" ...
"sudo: sorry, you must have a tty to run sudo"
If sudo is run over ssh
Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows:
ssh -t someuser@1.2.3.4 sudo /bin/bash -c "..."
The essential part is "-t".
More details http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password
If sudo is NOT run over ssh (as part of a systemd script)
sudo behaves that way because the /etc/sudoers file has
Defaults requiretty
which makes sudo require a TTY. If the configuration is removed, the sudo stops complaining.
Multiple commands with sudo over ssh
It seems that sudo cannot execute multiple commands, so we get around this limitation by getting it to execute bash -c "...", where we specify multiple commands after -c. This works with ssh:
ssh -t someuser@1.2.3.4 sudo -n /bin/bash -c "id -un; hostname"
This will print "root" and the remote host name.
For a complex example that works, see https://github.com/NovaOrdis/em/blob/master/src/main/bash/bin/commands/update