Sudo: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
(Created page with "=Internal= * Linux")
 
 
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
=External=
* http://www.sudo.ws/man/1.8.12/sudo.man.html
=Internal=
=Internal=


* [[Linux#Commands|Linux]]
* [[Linux#Commands|Linux]]
=Overview=
<tt>sudo</tt> runs a command as the root (the default), without needing the root password:
<pre>
sudo service some-service stop
</pre>
<tt>sudo</tt> can run a command as another user than root, if '<tt>-u user</tt>' is specified:
<pre>
sudo -u some-user some-command
</pre>
Extensive information about how sudo is configured to run:
<pre>
# as root
sudo -V
</pre>
=Options=
==-n==
Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.
==-u==
-u user
==-E, --preserve-env==
Indicates to the security policy that the user wishes to preserve their existing environment variables.
==-S, --stdin==
Write the prompt to the standard error and read the password from the standard input instead of using the terminal device. The password must be followed by a newline character.
=Giving "sudo" to a user=
==Modify /etc/sudoers==
Use <tt>visudo</tt> only to edit <tt>/etc/sudoers</tt> '''as root'''. From <tt>visudo</tt> add:
webr    rangiroa= NOPASSWD: /home/webr/*/bin/apachectl
to give permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without asking for webr's password either - which is good for automated scripts.
'''Note''': to debug sudo privileges, run <tt>sudo -l</tt> as the user you're trying to sudo from.
==Allow a user to run all commands as root without a password==
Use <tt>visudo</tt> only to edit <tt>/etc/sudoers</tt> '''as root'''. From <tt>visudo</tt> add:
ec  ALL=(ALL)  NOPASSWD: ALL
This works both on Linux and Mac.
<font color=red>
Equivalent:
ec  ALL=NOPASSWD:ALL
Next time I am here, decipher the syntax and understand what all ALLs mean.
</font>
==Add /etc/sudoers.d File==
For this to work, /etc/sudoers must contain:
#includedir /etc/sudoers.d
Add a /etc/sudoers.d/010_testuser with the following content:
testuser ALL=(ALL) NOPASSWD: ALL
=Listing the Commands Allowed to run as Sudo=
<pre>
sudo -ll [-U <user>]
</pre>
=Running servers as their own user who has <tt>/sbin/nologin</tt>=
This example is about running a wiki (tomcat) as the user 'wiki', which has <tt>/sbin/nologin</tt>.
1. Make sure the user has <tt>/sbin/nologin</tt> in <tt>/etc/passwd</tt>.
2. Configure user's <tt>~/.bash_profile<tt> and <tt>~/.bashrc</tt> as the user would have shell access.
It is important to define all environment variables required during server's operation, as they are '''NOT''' inherited from root's.
Example: JAVA_HOME, etc.
3. Modify <tt>/etc/init.d</tt> startup script as follows:
<pre>
    ...
    start() {
        sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/startup.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out"
    ...
    stop() {
        sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/shutdown.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out"
    ...
</pre>
="sudo: sorry, you must have a tty to run sudo"=
==If sudo is run over ssh==
Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows:
<pre>
ssh -t someuser@1.2.3.4 sudo /bin/bash -c "..."
</pre>
The essential part is "-t".
More details http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password
==If sudo is NOT run over ssh (as part of a systemd script)==
sudo behaves that way because the /etc/sudoers file has
<pre>
Defaults requiretty
</pre>
which makes sudo require a TTY. If the configuration is removed, the sudo stops complaining.
=Multiple commands with sudo over ssh=
It seems that sudo cannot execute multiple commands, so we get around this limitation by getting it to execute bash -c "...", where we specify multiple commands after -c. This works with ssh:
<pre>
ssh -t someuser@1.2.3.4 sudo -n /bin/bash -c "id -un; hostname"
</pre>
This will print "root" and the remote host name.
For a complex example that works, see https://github.com/NovaOrdis/em/blob/master/src/main/bash/bin/commands/update

Latest revision as of 23:38, 17 March 2020

External

Internal

Overview

sudo runs a command as the root (the default), without needing the root password:

sudo service some-service stop

sudo can run a command as another user than root, if '-u user' is specified:

sudo -u some-user some-command

Extensive information about how sudo is configured to run:

# as root
sudo -V

Options

-n

Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.

-u

-u user

-E, --preserve-env

Indicates to the security policy that the user wishes to preserve their existing environment variables.

-S, --stdin

Write the prompt to the standard error and read the password from the standard input instead of using the terminal device. The password must be followed by a newline character.

Giving "sudo" to a user

Modify /etc/sudoers

Use visudo only to edit /etc/sudoers as root. From visudo add:


webr    rangiroa= NOPASSWD: /home/webr/*/bin/apachectl

to give permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without asking for webr's password either - which is good for automated scripts.

Note: to debug sudo privileges, run sudo -l as the user you're trying to sudo from.

Allow a user to run all commands as root without a password

Use visudo only to edit /etc/sudoers as root. From visudo add:

ec  ALL=(ALL)   NOPASSWD: ALL

This works both on Linux and Mac.

Equivalent:

ec ALL=NOPASSWD:ALL

Next time I am here, decipher the syntax and understand what all ALLs mean.

Add /etc/sudoers.d File

For this to work, /etc/sudoers must contain:

#includedir /etc/sudoers.d

Add a /etc/sudoers.d/010_testuser with the following content:

testuser ALL=(ALL) NOPASSWD: ALL

Listing the Commands Allowed to run as Sudo

sudo -ll [-U <user>]

Running servers as their own user who has /sbin/nologin

This example is about running a wiki (tomcat) as the user 'wiki', which has /sbin/nologin.

1. Make sure the user has /sbin/nologin in /etc/passwd.

2. Configure user's ~/.bash_profile and ~/.bashrc as the user would have shell access.

It is important to define all environment variables required during server's operation, as they are NOT inherited from root's.

Example: JAVA_HOME, etc.

3. Modify /etc/init.d startup script as follows:

    ...

    start() {
        sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/startup.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out"

    ...

    stop() {
        sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/shutdown.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out"

    ...


"sudo: sorry, you must have a tty to run sudo"

If sudo is run over ssh

Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows:

ssh -t someuser@1.2.3.4 sudo /bin/bash -c "..."

The essential part is "-t".

More details http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password

If sudo is NOT run over ssh (as part of a systemd script)

sudo behaves that way because the /etc/sudoers file has

Defaults requiretty

which makes sudo require a TTY. If the configuration is removed, the sudo stops complaining.

Multiple commands with sudo over ssh

It seems that sudo cannot execute multiple commands, so we get around this limitation by getting it to execute bash -c "...", where we specify multiple commands after -c. This works with ssh:

ssh -t someuser@1.2.3.4 sudo -n /bin/bash -c "id -un; hostname"

This will print "root" and the remote host name.

For a complex example that works, see https://github.com/NovaOrdis/em/blob/master/src/main/bash/bin/commands/update