I'm trying to create a post install script for Linux and I want to have the script edit the sudoers file so that users wont need to do sudo visudo and edit it manually.
In the script I have:
if [[ ! `sudo -l -U "$user" 2>&1 | grep "ALL"` ]]; then
su -c "echo '$user ALL=(ALL) ALL' >> /etc/sudoers"
su -c "echo '$user ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers"
fi
the problem with this is that when I sudo whoami after I run the script I get this output:
sudo: >>> /etc/sudoers: syntax error near line 31 <<<
sudo: parse error in /etc/sudoers near line 31
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
How do I do this without ruining my sudoers file?
EDIT:
As requested here is my sudoers file:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Mind that it is not possible to do cat /etc/sudoers after the script has run.
EDIT 2:
The solution is to define $user as user=$(whoami)
As the comment at the end of the default sudoers file suggests, you should create a new file in /etc/sudoers.d/.
Doing this from a (Debian) package's postinst seems fishy, though. Where does the value of user come from?
Also, any particular reason this user is not simply added to one of the existing groups, admin or sudoers?
My solution is to have the script ask the user to enter his password and store the value in a variable to be used along with Expect. The script installs Expect if it's not installed and then the script does:
read -p "Please enter your password: " PASSWD
export PASSWD
username=$USER
export username
if [[ ! `sudo -l -U "$USER" 2>&1 | grep "ALL"` ]]; then
expect -c '
spawn "su -c \"cat <<EOF >> /etc/sudoers.d/$env(username)
$env(username) ALL=(ALL:ALL) ALL
$env(username) ALL=(ALL) NOPASSWD:ALL
EOF
\"
"
expect "Password:\r"
send $env(PASSWD)
interact
'
fi
You can edit file /etc/sudoers through "pkexec visudo", after when you will delete bad line, sudo will be work.
Related
I'm trying to get terraform to create users for me other than the specified admin and also add them to sudoers to allow my ansible scripts to then run without requiring a sudo login. Optionally, if I could just allow my admin to login and not require sudo passowrd that would work as well since I can add the users I need via ansible.
I have attempted the only option I could find with my feeble googling skills. The option is to add a provisioner to my azurerm_virtual_machine resource that runs the following via remote-exec:
provisioner "remote-exec" {
inline = [
"useradd myuser && echo myuser:password123 | /usr/sbin/chpasswd",
"chmod +w /etc/sudoers && echo \"myuser ALL=(ALL) NOPASSWD: ALL\" >> /etc/sudoers && chmod -w /etc/sudoers",
]
connection {
user = "myadmin"
agent = false
}
on_failure = "continue"
}
It says that it has successfully run however when I ssh to one of the boxes I provisioned these changes have not taken place. What am I doing wrong?
you can try this script.
#!/bin/bash
set -euo pipefail
USERNAME=$1 # sudo non-root username here
# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"
# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"
# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
# if sshd -t -q; then systemctl restart sshd fi
I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.
I would like the following command to run:
su user2 -C script.sh
but be able to run without password.
I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.
I've tried doing this with sudoers file and just got endlessly confused after hours of trying.
If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.
try running:
su -c "Your command right here" -s /bin/sh username
This will run the command as username given that you have permissions to sudo as that user.
Call visudo and add this:
user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh
The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.
`su -c "Your command right here" -s /bin/sh username`
The above command is correct, but on Red Hat if selinux is enforcing it will not allow cron to execute scripts as another user. example;
execl: couldn't exec /bin/sh
execl: Permission denied
I had to install setroubleshoot and setools and run the following to allow it:
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.p
I have added a user like this:
$ adduser --system --home /no/home --no-create-home --group --disabled-password --disabled-login testuser
Added a user to a group:
$ adduser testuser testgroup
added lines to sudoers (visudo):
testuser ALL=(ALL) NOPASSWD: ALL
%testgroup ALL=(ALL:ALL) NOPASSWD: ALL
When I try to run the bash script with the following content:
#!/bin/sh
sudo -u testuser /usr/bin/php /usr/local/bin/script.php
But when I run this script, I get the error in the log:
sudo: no tty present and no askpass program specified
Edit: requiretty is not in the sudoers file.
sudo permissions are about the user/group you are changing from not the user you are changing to.
So are those permission lines are letting the testuser user and the testgroup group run any command (as anyone) without a password.
You need to give permission to the user running the script to run commands as the testuser user for what you want.
Assuming that's what you meant to allow that is.
That error occurs when your sudoers file specifies requiretty. From the sudoers manpage:
requiretty If set, sudo will only run when the user is
logged in to a real tty. When this flag is set,
sudo can only be run from a login session and not
via other means such as cron(8) or cgi-bin scripts.
This flag is off by default.
To fix your error, remove requiretty from your sudoers file.
I fixed it by login to the server and append the following lines to the ssh-server configuration:
> vim /etc/ssh/sshd_config
Match User <your user name>
PermitTTY yes
So I don't need the -t options permanently.
I have this:
su $username -c ./script.sh
The problem is that within script I have 'sudo' commands and they says me
sudo: no tty present and no askpass program specified
How to do this right?
UPD: I need both sudo and su. What I need to do is run script as USER $username and be able to run certain commands within script as root (for example, pacman -S)
SOLUTION: I've added NOPASSWD option to /etc/sudoers before running script and delete this entry using sed after script finished.
First set chmod +x to your scripts
try:
#!/bin/bash
echo "hello"
su - <your-user> -c /path/to/script.sh
echo "good bye"
UPDATE:
You should find a way to force bash to use pseudo-tty
Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.
If the user is not as sudoers do the following steps:
This is what you need to do in /etc/sudoers:
# User privilege specification
root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL
you have also ways to do:
you can pipe password if it has password:
echo "yourpassword" | sudo -S
OR
You can run the following script:
#!/usr/bin/expect -f
spawn sudo -s <<EOF
expect "assword for username:"
send -- "user-password\r"
expect eof
Also you can do that:
sudo -kS bash - << EOF
password
whoami
echo "Not a good idea to have a password encoded in plain text"
EOF
I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.
I would like the following command to run:
su user2 -C script.sh
but be able to run without password.
I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.
I've tried doing this with sudoers file and just got endlessly confused after hours of trying.
If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.
try running:
su -c "Your command right here" -s /bin/sh username
This will run the command as username given that you have permissions to sudo as that user.
Call visudo and add this:
user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh
The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.
`su -c "Your command right here" -s /bin/sh username`
The above command is correct, but on Red Hat if selinux is enforcing it will not allow cron to execute scripts as another user. example;
execl: couldn't exec /bin/sh
execl: Permission denied
I had to install setroubleshoot and setools and run the following to allow it:
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.p