Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I have a file with root permissions like this
[root#testbox ~]# ls -l /etc/resolv.conf
-rw-r--r-- 1 root root 113 Feb 21 21:29 /etc/resolv.conf
I have enabled passwordless sudo for my user using /etc/sudoer
%mayur ALL=(ALL) NOPASSWD: ALL
I want some way where if I try to edit this particular file I get blocked.
for eg .. I want to block these commands based on THE FILE NAME
$ echo 123 | sudo tee /etc/resolv.conf ## SHOULD GET BLOCKED
$ touch newfile | echo 123 > newfile | sudo cp newfile /etc/resolv.conf ## SHOULD GET BLOCKED
My Efforts:
%mayur ALL=(ALL) NOPASSWD: ALL,!/* /etc/resolv.conf
This did not help at all.
I also checked sudoers man page but it
seems regex support isnt that great.
Any things that works will help. Thanks.
EDIT: I want to be able to apply the solutions accross multiple servers with multiple users having sudo access
You can use a wrapper:
#!/bin/bash
declare -A EXCLUDE
while IFS= read -r FILE; do
EXCLUDE[$FILE]=.
done < /etc/sudoers.exclude-list
for ARG in "$#"; do
TARGET=$(exec /usr/bin/readlink -m -- "$ARG")
[[ -n $TARGET && -n ${EXCLUDE[$FILE]} ]] && {
echo "sudo: Sorry, target is not allowed: $TARGET"
exit 1
}
done
exec /path/to/real/sudo-in-secured-location "$#"
Where /etc/sudoers.exclude-list is a line-based list of absolute real file paths. Entries must not contain extra spaces and list must not be in DOS format.
This script must have same ownership and permissions as the real sudo.
Related
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I would like to run sudo with my password as parameter so that I can use it for a script. I tried
sudo -S mypassword execute_command
but without any success. Any suggestions?
The -S switch makes sudo read the password from STDIN. This means you can do
echo mypassword | sudo -S command
to pass the password to sudo
However, the suggestions by others that do not involve passing the password as part of a command such as checking if the user is root are probably much better ideas for security reasons
You can set the s bit for your script so that it does not need sudo and runs as root (and you do not need to write your root password in the script):
sudo chmod +s myscript
echo -e "YOURPASSWORD\n" | sudo -S yourcommand
One option is to use the -A flag to sudo. This runs a program to ask for the password. Rather than ask, you could have a script that just spits out the password so the program can continue.
# Make sure only root can run our script
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed last year.
Improve this question
I have been trying to enable logging in my OpenLDAP setup (in Oracle Enterprise Linux 6.5) , but no logs are being generated in /var/log/slapd/slapd.log.
Followed these steps to enable logging :
Edited the slapd.conf file :
# grep -i loglevel /etc/openldap/slapd.conf
loglevel -1
Did the setup for the log directory in /var/log/slapd
# cd /var/log/slapd ; ls -ltr
-rw------- 1 root root 217 May 21 19:48 slapd.log
Edited the rsyslog config file
# grep -i local4 /etc/rsyslog.conf
local4. /var/log/slapd/slapd.log*
restarted the openldap service and also the rsyslogger :
# service rsyslog restart
# service slapd restart
But even after doing these steps , we are not seeing logs captured in the slapd.log file . Only log seen is the below line :
more /var/log/slapd/slapd.log
May 21 19:48:12 sprdneval slapd[2961]: #(#) $OpenLDAP: slapd 2.4.39 (Aug 16 2014 20:41:55) $#012#011mockbuild#ca-buildj3.us
.oracle.com:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
Am i missing to do something blindingly obvious ?
Regards,
Hari
If you are using the OnLine Configuration (OLC) have a look at Zytrax. It explains quite well how to use and configure it.
Same problem here ('loglevel any' and 'logfile /var/log/slapd/slapd.log' options in slapd.conf and in the cn=config, but no debug output in the logfile).
I've just solved the problem by adding "-d any" to the command line arguments of the slapd
/usr/bin/slapd -d any -u ldap -g ldap -h "ldap://127.0.0.1/ ldaps:/// ldapi:///"
I see the same issue and posted my question at Serverfault about what '-s' option means.
If you see olcLogLevel setting at current config:
$ sudo grep olcLogLevel /etc/openldap/slapd.d/cn=config.ldif
olcLogLevel: 0
Then, you can change it by:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 256
EOF
If you don't see olcLogLevel setting, then you need to newly create the entry. I haven't seen the case but I think it will be done by change 'changetype' above from 'modify' to 'add'.
My environment is CentOS7.9 so that the path would be different from yours.
You can do and check df -h to check disk space and delete heavy files which you do not require (like messages*.gz) from /var/log/ also empty the content of /var/log/slapd/slapd.log
Now you reboot your system and check service slapd status.
Hope ,it works now.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Improve this question
I have written a bash script that goes to each machine and runs set of command. I am using the user iis that has sudo privlidges on that machine. However, when i run the sudo yum command i get sudo: sorry, you must have a tty to run sudo.
Not sure what is wrong ? I am using the -t command to force but it would still not work
bash script
#!/bin/bash
INPUT=ccidetails.csv
OLDIFS=$IFS
IFS=,
[ ! -f $INPUT ] && { echo "$INPUT file not found"; exit 99; }
while read privateip password
do
echo $privateip
scp /home/Data/Test.c iis#$privateip:/tmp
sshpass -p$password </dev/null ssh -t -o "StrictHostKeyChecking no" iis#$privateip "
hostname
cd /tmp
gcc Test.c -o TEST
./TEST
sudo yum -y update glibc
gcc Test.c -o TEST
./TEST
exit
" >> output.txt
done < $INPUT
IFS=$OLDIFS
Error:
sudo: sorry, you must have a tty to run sudo
On remote host comment the line below on /etc/sudoers:
grep tty /etc/sudoers
#Defaults requiretty
That will allow you to continue. Make sure you understand the consequences of doing so:
man sudoers | grep -i requiretty -A 5
requiretty If set, sudo will only run when the user is logged in
to a real tty. When this flag is set, sudo can only be
run from a login session and not via other means such
as cron(8) or cgi-bin scripts. This flag is off by
default.
If you don't want disable requiretty globally you can disable it for a specific user:
example:
Defaults requiretty
Defaults:your_username_goes_here !requiretty
While this isn't a question for SO, you're almost there ... what you need to change is the number of -t above ... try this:
sshpass -p$password </dev/null ssh -ttt -o "StrictHostKeyChecking no" iis#$privateip "
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
The community reviewed whether to reopen this question 12 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
I have 2 linux machines. On one machine these are the users:
sysadmin2:x:4201:4200::/home/sysadmin2:/bin/bash
appadmin1:x:4100:4100::/home/appadmin1:/bin/bash
appadmin2:x:4101:4100::/home/appadmin2:/bin/bash
dataadmin1:x:4300:4300::/home/dataadmin1:/bin/bash
dataadmin2:x:4301:4300::/home/dataadmin2:/bin/bash
sysadmin1:x:4200:4200::/home/sysadmin1:/bin/bash
I want to replicate these to another machine. How can I create these users with same uid and gid values? Is there a way I can copy them to another machine?
First, create the group if it doesn't exist:
$ groupadd -g 4200 sysadmin2
Next, create the user and add it to the group:
$ useradd sysadmin2 -u 4201 -g 4200 -m -s /bin/bash
$ useradd appadmin1 -u 4100 -g 4100 -m -s /bin/bash
and don't forget to reset password for each user.
In summary and in general, you can use the useradd command to add users to a linux system. The -u flag allows you to set a specific user id and the -g flag allows you to set a specific group id. Please see useradd's manpage for more details -- on a terminal, type man useradd to see it.
Now, specifically about your problem, see below.
Assumming you have three groups on your original machine:
$ cat /etc/group
...
appadmins:x:4100:
sysadmins:x:4200:
dataadmins:x:4300:
...
On your destination/new machine, you should first create the groups using:
groupadd appadmins -g4100
groupadd sysadmins -g4200
groupadd dataadmins -g4300
Then, you can proceed to create the actual users like so:
useradd appadmin1 -u4100 -g4100 -d/home/appadmin1 -s/bin/bash
useradd appadmin2 -u4101 -g4100 -d/home/appadmin1 -s/bin/bash
useradd sysadmin1 -u4200 -g4200 -d/home/sysadmin1 -s/bin/bash
useradd sysadmin2 -u4201 -g4200 -d/home/sysadmin2 -s/bin/bash
useradd dataadmin1 -u4300 -g4300 -d/home/dataadmin1 -s/bin/bash
useradd dataadmin2 -u4301 -g4300 -d/home/dataadmin2 -s/bin/bash
The -d option is used to set the home directory and the -s option is used to set the shell. Again, -u and -g are used to set a specific user and group id.
To check that everything went correctly, just use grep admin on your /etc/passwd file:
$ grep admin /etc/passwd
appadmin1:x:4100:4100::/home/appadmin1:/bin/bash
appadmin2:x:4101:4100::/home/appadmin1:/bin/bash
sysadmin1:x:4200:4200::/home/sysadmin1:/bin/bash
sysadmin2:x:4201:4200::/home/sysadmin2:/bin/bash
dataadmin1:x:4300:4300::/home/dataadmin1:/bin/bash
dataadmin2:x:4301:4300::/home/dataadmin2:/bin/bash
If something is wrong, you can use userdel or groupdel accordingly and start over.
The account configure files could be shared by any Linux machine in same privileges. you could make a copy to that machine to have a same user list by this command:
scp /etc/{passwd,shadow} root#your_marchine_IP_address:/etc/ -p
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I would like to run sudo with my password as parameter so that I can use it for a script. I tried
sudo -S mypassword execute_command
but without any success. Any suggestions?
The -S switch makes sudo read the password from STDIN. This means you can do
echo mypassword | sudo -S command
to pass the password to sudo
However, the suggestions by others that do not involve passing the password as part of a command such as checking if the user is root are probably much better ideas for security reasons
You can set the s bit for your script so that it does not need sudo and runs as root (and you do not need to write your root password in the script):
sudo chmod +s myscript
echo -e "YOURPASSWORD\n" | sudo -S yourcommand
One option is to use the -A flag to sudo. This runs a program to ask for the password. Rather than ask, you could have a script that just spits out the password so the program can continue.
# Make sure only root can run our script
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi