An Issue With Shell command and sudoers rules

An Issue With Shell command and sudoers rules

Jorge Carrión
In our company, users are "standard" users; they can't update or do
administrative jobs. There is another user (the admin user) that can do
all those things... but users don't know the admin password.
Looking for a way to make standard users able to update the system, I've created
this script
in the adminuser home, /home/adminuser/bin/comando.sh

#!/bin/bash
echo $1|sudo -S $2

And I've added a new rules file in sudoers.d like this

Cmnd_Alias COMANDO = /home/adminuser/bin/comando.sh

ALL ALL = (adminuser) NOPASSWD:COMANDO

If you, as a non-sudoer user, type on a terminal

/home/administrador/bin/comando.sh adminpassword /usr/bin/apt update

it works fine... but, *and this is the issue*, if you do the same from a
Gambas Shell command, it doesn't work. The Gambas console shows that the script is
asking for your (non-sudoer) password and fails.

It seems that the Gambas shell doesn't mind the sudoers directives. Am I missing
something?

Best Regards

Re: An Issue With Shell command and sudoers rules

Jorge Carrión
Oh... well, I'm afraid that I've made a mistake.

All of this isn't a Gambas issue.

BUT if someone knows a way to let a non-sudoer user update the system
without knowing the admin password, I'll be very grateful.

Sorry for the noise.

Best Regards


2017-05-25 10:16 GMT+02:00 Jorge Carrión <[hidden email]>:

> In our company, users are "standard" users; they can't update or do
> administrative jobs. There is another user (the admin user) that can do
> all those things... but users don't know the admin password.
> Looking for a way to make standard users able to update the system, I've created
> this script
> in the adminuser home, /home/adminuser/bin/comando.sh
>
> #!/bin/bash
> echo $1|sudo -S $2
>
> And I've added a new rules file in sudoers.d like this
>
> Cmnd_Alias COMANDO = /home/adminuser/bin/comando.sh
>
> ALL ALL = (adminuser) NOPASSWD:COMANDO
>
> If you, as a non-sudoer user, type on a terminal
>
> /home/administrador/bin/comando.sh adminpassword /usr/bin/apt update
>
> it works fine... but, *and this is the issue*, if you do the same from a
> Gambas Shell command, it doesn't work. The Gambas console shows that the script is
> asking for your (non-sudoer) password and fails.
>
> It seems that the Gambas shell doesn't mind the sudoers directives. Am I missing
> something?
>
> Best Regards
>
>

Re: An Issue With Shell command and sudoers rules

T Lee Davidson
Disable (i.e. comment out) targetpw and the "ALL  ALL=(ALL) ALL" line in /etc/sudoers.

Then you should probably allow regular users to execute only certain commands with something like:
%users  ALL=/home/adminuser/bin/comando.sh
or a special group for 'privileged' users:
%wheel  ALL=/home/adminuser/bin/comando.sh

See:
https://www.novell.com/support/kb/doc.php?id=7002705

--
Lee


On 05/25/2017 05:13 AM, Jorge Carrión wrote:

> Oh... well, I'm afraid that I've made a mistake.
>
> All of this isn't a Gambas issue.
>
> BUT if someone knows a way to let a non-sudoer user update the system
> without knowing the admin password, I'll be very grateful.
>
> Sorry for the noise.
>
> Best Regards
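
An added example, not part of any message in this thread: a small audit over constructed sudoers lines modelled on the rules quoted above, flagging `targetpw`, grants to any user or of any command, commands under /home, and commands that accept arbitrary arguments. It handles simple one-line rules only; the function name, the finding codes and the last sample rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit simple one-line sudoers rules for risky grants.
# SAMPLE is constructed from the rules quoted in this thread; the last
# rule is an assumed narrow alternative, not one posted by a participant.
SAMPLE='Defaults targetpw
ALL ALL=(ALL) ALL
Cmnd_Alias COMANDO = /home/adminuser/bin/comando.sh
ALL ALL = (adminuser) NOPASSWD:COMANDO
%users  ALL=/home/adminuser/bin/comando.sh
%users  ALL=(root) /usr/bin/apt update'

# Reads sudoers text on stdin and prints "CODE<TAB>line number" findings:
#   TARGETPW  sudo asks for the target user password, so it must be shared
#   ANYUSER   the rule applies to every account on the host
#   ANYCMD    the rule grants every command
#   HOMEPATH  the command lives under /home, usually writable by its owner
#   ANYARGS   no argument list given, so any arguments are accepted
audit_sudoers() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*(#.*)?$/ { next }                      # blank lines and comments
    /^[ \t]*Defaults/ {
      if ($0 ~ /[ \t,]targetpw([ \t,]|$)/) print "TARGETPW\t" NR
      next
    }
    /^[ \t]*Cmnd_Alias[ \t]/ {                     # remember alias -> command
      eq = index($0, "=")
      name = trim(substr($0, 1, eq - 1)); sub(/^Cmnd_Alias[ \t]+/, "", name)
      alias[name] = trim(substr($0, eq + 1))
      next
    }
    {
      eq = index($0, "=")
      if (eq == 0) next
      split(trim(substr($0, 1, eq - 1)), lhs, /[ \t]+/)
      cmd = trim(substr($0, eq + 1))
      sub(/^\([^)]*\)[ \t]*/, "", cmd)             # drop the (runas) part
      sub(/^([A-Z_]+:[ \t]*)+/, "", cmd)           # drop tags such as NOPASSWD:
      if (cmd in alias) cmd = alias[cmd]
      if (lhs[1] == "ALL")       print "ANYUSER\t" NR
      if (cmd == "ALL")          print "ANYCMD\t" NR
      if (cmd ~ /^\/home\//)     print "HOMEPATH\t" NR
      if (cmd ~ /^\/[^ \t,]*$/)  print "ANYARGS\t" NR
    }'
}

printf '%s\n' "$SAMPLE" | audit_sudoers
```

Only the last sample rule produces no finding. The syntax of a real drop-in is still checked with `visudo -cf <file>` before it is installed.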


Re: An Issue With Shell command and sudoers rules

Jorge Carrión
Thanks Lee. I think I've solved it. The solution is in that line.

Best Regards.

On 25 May 2017 4:47 p.m., "T Lee Davidson" <[hidden email]>
wrote:

> Disable (i.e. comment out) targetpw and the "ALL  ALL=(ALL) ALL" line in
> /etc/sudoers.
>
> Then you should probably allow regular users to execute only certain
> commands with something like:
> %users  ALL=/home/adminuser/bin/comando.sh
> or a special group for 'privileged' users:
> %wheel  ALL=/home/adminuser/bin/comando.sh
>
> See:
> https://www.novell.com/support/kb/doc.php?id=7002705
>
> --
> Lee
>
>
> On 05/25/2017 05:13 AM, Jorge Carrión wrote:
> > Oh... well, I'm afraid that I've made a mistake.
> >
> > All of this isn't a Gambas issue.
> >
> > BUT if someone knows a way to let a non-sudoer user update the system
> > without knowing the admin password, I'll be very grateful.
> >
> > Sorry for the noise.
> >
> > Best Regards
>