Sudo

From NovaOrdis Knowledge Base
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

External

Internal

Overview

sudo runs a command as the root (the default), without needing the root password:

sudo service some-service stop

sudo can run a command as another user than root, if '-u user' is specified:

sudo -u some-user some-command

Extensive information about how sudo is configured to run:

# as root
sudo -V

Options

-n

Non-interactive. sudo avoids prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.

-u

-u user

-E, --preserve-env

Indicates to the security policy that the user wishes to preserve their existing environment variables.

-S, --stdin

Write the prompt to the standard error and read the password from the standard input instead of using the terminal device. The password must be followed by a newline character.

Giving "sudo" to a user

Modify /etc/sudoers

Use visudo only to edit /etc/sudoers as root. From visudo add:


webr    rangiroa= NOPASSWD: /home/webr/*/bin/apachectl

to give permission to run "/home/webr/httpd/bin/apachectl" on rangiroa, as root, without asking for webr's password either - which is good for automated scripts.

Note: to debug sudo privileges, run sudo -l as the user you're trying to sudo from.

Allow a user to run all commands as root without a password

Use visudo only to edit /etc/sudoers as root. From visudo add:

ec  ALL=(ALL)   NOPASSWD: ALL

This works both on Linux and Mac.

Equivalent:

ec ALL=NOPASSWD:ALL

Next time I am here, decipher the syntax and understand what all ALLs mean.

Add /etc/sudoers.d File

For this to work, /etc/sudoers must contain:

#includedir /etc/sudoers.d

Add a /etc/sudoers.d/010_testuser with the following content:

testuser ALL=(ALL) NOPASSWD: ALL

Listing the Commands Allowed to run as Sudo

sudo -ll [-U <user>]

Running servers as their own user who has /sbin/nologin

This example is about running a wiki (tomcat) as the user 'wiki', which has /sbin/nologin.

1. Make sure the user has /sbin/nologin in /etc/passwd.

2. Configure user's ~/.bash_profile and ~/.bashrc as the user would have shell access.

It is important to define all environment variables required during server's operation, as they are NOT inherited from root's.

Example: JAVA_HOME, etc.

3. Modify /etc/init.d startup script as follows:

    ...

    start() {
        sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/startup.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out"

    ...

    stop() {
        sudo -H -u wiki /bin/bash --login -c "/home/wiki/tomcat/bin/shutdown.sh 2>&1 >> /home/wiki/tomcat/logs/catalina.out"

    ...


"sudo: sorry, you must have a tty to run sudo"

If sudo is run over ssh

Encountered this situation attempting to run sudo remotely with ssh. Got around it as follows:

ssh -t someuser@1.2.3.4 sudo /bin/bash -c "..."

The essential part is "-t".

More details http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password

If sudo is NOT run over ssh (as part of a systemd script)

sudo behaves that way because the /etc/sudoers file has

Defaults requiretty

which makes sudo require a TTY. If the configuration is removed, the sudo stops complaining.

Multiple commands with sudo over ssh

It seems that sudo cannot execute multiple commands, so we get around this limitation by getting it to execute bash -c "...", where we specify multiple commands after -c. This works with ssh:

ssh -t someuser@1.2.3.4 sudo -n /bin/bash -c "id -un; hostname"

This will print "root" and the remote host name.

For a complex example that works, see https://github.com/NovaOrdis/em/blob/master/src/main/bash/bin/commands/update