13

I need to allow a specific command on a Debian Linux box for a single user. I've tried this in the /etc/sudoers file:

# User privilege specification
zabbix ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}'

This does not work as expected. If I run the command as user zabbix with sudo, it asks for the password (although I have specified the NOPASSWD option).

However, this works:

# User privilege specification
zabbix ALL=NOPASSWD: /usr/bin/apt-get

But this has the drawback that all subcommands of apt-get are allowed. Is there a way I can fix this to only allow a specific command?

2 Answers

10

I disagree with lain. Although it will work, you do not need awk to run as root. I would not be comfortable with this because you might be able to attack awk in some way. It is a full programming language interpreter after all.

When one runs sudo /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}', they are actually running sudo /usr/bin/apt-get --print-uris -qq -y upgrade and then piping/redirecting as the calling user.

Try this:

zabbix ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade

By the way, there is nothing wrong with putting this in a script as lain does and you could still do that. I would just avoid running awk as root if possible.

1
  • 1
    You're correct but if the script is insecure then it doesn't matter what's in it, it can be overwritten and the world is your oyster. If the script is secure then what's in it is secure too. Commented Feb 15, 2013 at 15:28
25

You are probably falling foul of the way that redirection interacts with sudo. The redirection is performed as the calling user, not the privileged user. It would probably be easier for you to wrap your command in a script and then allow the zabbix user to run that script, e.g.

#!/bin/bash
/usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}'

then set sudoers as

zabbix ALL=NOPASSWD: /path/to/script 

Now the whole script will be run as the privileged user and not just the particular apt-get command. Do though ensure that the zabbix user cannot write to the script.

4
  • 1
    Someone can probably correct me if sudo already takes care of it (I seem to recall having issues with env variables not being passed), but I'd suggest giving awk and wc their full paths as a general best practice for scripts, so a user can't do export PATH=~user/bin:$PATH and stick whatever commands they want in a script called awk (or wc) in ~user/bin. Commented Feb 14, 2013 at 23:44
  • @Foon: I think you're confusing sudo with cron. Commented Feb 15, 2013 at 7:30
  • 1
    Not confusing it, but superuser.com/questions/232231/… does indicate that sudo prevents PATH manipulation (and LD_LIBRARY_PATH by default). Commented Feb 15, 2013 at 12:58
  • I did something similar, only I suid'd the invoking script and made it writable only by root. Test if it works for the user with permissions 711; then they can't even see what it's doing to try and circumvent it. Commented Jan 21, 2014 at 6:44
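A hardened form of the wrapper-script approach from this answer, together with the full-path point raised in the comments, as an added example that is not code from the page or from any of the posters. The wrapper path /usr/local/sbin/count-upgrades, the check function and its sample file are assumptions.

```shell
#!/bin/sh
# Added example (not the answer's own code): the wrapper sudo runs as root
# pins absolute paths and resets PATH, and a check refuses to trust a wrapper
# that the sudo-permitted user could rewrite. Paths are assumptions.

# write_wrapper DEST: write the script that sudo will run as root. Absolute
# paths plus an explicit PATH make it independent of the caller's environment
# even if sudo's secure_path default were ever removed from /etc/sudoers.
write_wrapper() {
    cat > "$1" <<'EOF'
#!/bin/bash
set -euo pipefail
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# Number of packages apt-get would upgrade (wc -l replaces wc | awk '{print $1}').
/usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null \
  | /usr/bin/awk '{print $2}' | /usr/bin/wc -l
EOF
}
# Matching sudoers rule (add with visudo; the path is an assumption):
#   zabbix ALL=(root) NOPASSWD: /usr/local/sbin/count-upgrades

# check_wrapper FILE OWNER: succeed only if FILE is a regular file owned by
# OWNER with no group or world write bit, i.e. nobody but the owner can
# replace what runs as root.
check_wrapper() {
    file=$1; want=$2
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    owner=$(stat -c '%U' "$file")          # GNU stat, as on Debian
    mode=$(printf '%04d' "$(stat -c '%a' "$file")")   # e.g. 0755 or 4755
    [ "$owner" = "$want" ] || { echo "owned by $owner, not $want: $file" >&2; return 1; }
    low2=${mode#"${mode%??}"}              # group digit + other digit
    case $low2 in                          # write bit set: 2, 3, 6 or 7
        *[2367]|[2367]*) echo "group/world writable (mode $mode): $file" >&2; return 1 ;;
    esac
    return 0
}

# Demonstration on a constructed temp copy; on a real host the target is the
# installed wrapper and OWNER is root.
demo() {
    tmp=$(mktemp) || return 1
    write_wrapper "$tmp"
    chmod 0775 "$tmp"; check_wrapper "$tmp" "$(id -un)" || echo "rejected, as intended"
    chmod 0755 "$tmp"; check_wrapper "$tmp" "$(id -un)" && echo "accepted: $tmp"
    rm -f "$tmp"
}
demo
```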
