Sudo

From NovaOrdis Knowledge Base
Revision as of 13:49, 15 March 2017 by Ovidiu (talk | contribs)



!!!sudo

!!!External

!!!Internal

|[Linux]


!!!Overview

{{sudo}} runs a command as root (the default), without needing the root password:

{{{

   sudo service some-service stop

}}}

{{sudo}} can run a command as a user other than root, if '{{-u user}}' is specified:

{{{

   sudo -u some-user some-command

}}}

Extensive information about how sudo is configured to run:

{{{

   # as root
   sudo -V

}}}


!!!Options


!!-n

Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.


!!-u

{{{ -u user }}}



!!!Giving "sudo" to a user

Edit {{/etc/sudoers}} only with {{visudo}}, __as root__. From {{visudo}}, add:

{{{

webr rangiroa= NOPASSWD: /home/webr/*/bin/apachectl

}}}

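This gives webr permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without being asked for webr's password, which is good for automated scripts. Because the wildcard matches any directory name under webr's own home, which webr can write to, the rule is broader than the single apachectl it is meant for; where possible, name one fixed path in a root-owned directory.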

__Note__: to debug sudo privileges, run {{sudo -l}} as the user you're trying to sudo from.

!!Allow user 'ec' to run all commands as root without a password

{{{ ec ALL=(ALL) NOPASSWD: ALL }}}

Equivalent for running as root (with no Runas list in parentheses, the target user defaults to root):

{{{ ec ALL=NOPASSWD:ALL }}}

Next time I am here, decipher the syntax and understand what all ALLs mean.
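
The rules above, split into their fields and checked for patterns that deserve a second look in review: in {{ec ALL=(ALL) NOPASSWD: ALL}} the first ALL is the host list, the parenthesised ALL is the Runas list and the last ALL is the command list. This is an added example, not part of the original page; it assumes one-line user specifications without aliases, and the names parse_user_spec and audit and the /home home-directory root are assumptions.

```python
import re

# Simple user specification:
#   user  host = [(runas_user[:runas_group])] [TAG:]... command[, command]...
SPEC = re.compile(r"""^\s*(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*
    (?:\((?P<runas>[^)]*)\)\s*)?      # optional Runas list
    (?P<tags>(?:[A-Z_]+\s*:\s*)*)     # optional tags such as NOPASSWD:
    (?P<cmds>.+?)\s*$""", re.VERBOSE)

def parse_user_spec(line):
    """Split one sudoers user specification into named fields."""
    m = SPEC.match(line)
    if m is None:
        raise ValueError(f"not a simple user specification: {line!r}")
    # With no Runas list, sudoers lets the command run as root only.
    runas_user, _, runas_group = (m.group("runas") or "root").partition(":")
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas_user": runas_user.strip(),
        "runas_group": runas_group.strip() or None,
        "tags": re.findall(r"[A-Z_]+", m.group("tags")),
        "commands": [c.strip() for c in m.group("cmds").split(",")],
    }

def audit(spec, home_root="/home"):
    """Return review findings for one parsed rule (home_root is an assumption)."""
    findings = []
    nopasswd = "NOPASSWD" in spec["tags"]
    for cmd in spec["commands"]:
        if not cmd:
            continue
        path = cmd.split()[0]
        if path == "ALL" and nopasswd:
            findings.append("NOPASSWD on ALL commands")
        if any(ch in path for ch in "*?["):
            findings.append(f"wildcard in command path: {path}")
        if path.startswith(f"{home_root}/{spec['user']}/"):
            findings.append(f"command under {spec['user']}'s home directory: {path}")
    return findings

# The three rules shown on this page.
RULES = [
    "webr rangiroa= NOPASSWD: /home/webr/*/bin/apachectl",
    "ec ALL=(ALL) NOPASSWD: ALL",
    "ec ALL=NOPASSWD:ALL",
]

if __name__ == "__main__":
    for rule in RULES:
        spec = parse_user_spec(rule)
        print(spec)
        for finding in audit(spec):
            print("  review:", finding)
```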

!!!Listing the Commands Allowed to run as Sudo

{{{

     sudo -ll [-U <user>]

}}}

!!!Running servers as their own user who has /sbin/nologin

This example is about running a wiki (tomcat) as the user 'wiki', which has {{/sbin/nologin}}.

1. Make sure the user has {{/sbin/nologin}} in {{/etc/passwd}}.

2. Configure the user's {{~/.bash_profile}} and {{~/.bashrc}} as if the user had shell access.

It is important to define all environment variables required during the server's operation, as they are __NOT__ inherited from root's environment.

Example: JAVA_HOME, etc.

3. Modify the {{/etc/init.d}} startup script as follows:

{{{

   ...
   start() {
       # send stdout to the log first, then point stderr at the same place
       sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/startup.sh >> /home/wiki/tomcat/logs/catalina.out 2>&1"
   ...
   stop() {
       sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/shutdown.sh >> /home/wiki/tomcat/logs/catalina.out 2>&1"
   ...

}}}


!!!"sudo: sorry, you must have a tty to run sudo"

!!If sudo is run over ssh

Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows:

{{{

      ssh -t ofeodorov@10.153.161.41 sudo /bin/bash -c "..."

}}}

The essential part is "-t".

More details: [2]

!!If sudo is NOT run over ssh (as part of a systemd script)

sudo behaves that way because the /etc/sudoers file has

{{{ Defaults requiretty }}}

which makes sudo require a TTY. If that setting is removed, sudo stops complaining.


!!!Multiple commands with sudo over ssh


sudo runs a single command; separators such as ';' are interpreted by the shell that invokes sudo, not by sudo itself. We get around this limitation by getting sudo to execute bash -c "...", where we specify multiple commands after -c. This works with ssh:

{{{

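      # the outer single quotes keep the inner "..." intact for the remote shell,
      # so both commands run inside the one bash started by sudo
      ssh -t ofeodorov@10.153.161.41 'sudo -n /bin/bash -c "id -un; hostname"'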

}}}


This will print "root" and the remote host name.


For a complex example that works, see [3]
