[Freeipa-users] Help with sudo permission for a command

Ryan Whalen rwhalen at paperlesspost.com
Wed Aug 31 14:23:53 UTC 2016


Hey Pavel,

Thanks for the reply! It's not exactly that I want to allow any command to
be run as app_user. The command I actually want to run is very long, and
complicated and wouldn't mean much in this context, so I simplified my
example. The problem is that *any command* I run will fail, whether or not
they already have the permissions to run said command.

The exact command that I want to run *will work* if I `sudo su - app_user`
and then run the command in the new shell for `app_user`.  It *won't work* if
I try to run `sudo su - app_user -c <command>`. So the user has the
permissions to run the command. It just won't work with the `-c` option.

So that's where I'm stuck. From my perspective they should have all the
permissions that they need. They have sudo privileges to `sudo su -
app_user -c` as well as the specific command that I want to be run.

Thanks

Ryan

On Wed, Aug 31, 2016 at 4:51 AM, Pavel Březina <pbrezina at redhat.com> wrote:

> On 08/30/2016 05:08 PM, Ryan Whalen wrote:
>
>> Hi All,
>>
>> I'm having an issue getting a command to run properly, and the issue
>> seems to be with Freeipa sudo permissions. Specifically 'sudo su -
>> app_user -c "<command>"' prompts for a password when run.
>>
>> However if I 'sudo su - app_user' and then run the '<command>' as
>> app_user, it works fine.
>>
>> example:
>> ```
>> $ ssh ryan@production-server.pp
>> Last login: Mon Aug 29 21:36:14 2016 from 10.20.3.15
>> ryan$ sudo su - app_user -c "df"
>> [sudo] password for ryan:
>> ^C
>> ryan$ sudo su - app_user
>> app_user$ df
>> Filesystem           1K-blocks     Used Available Use% Mounted on
>> /dev/sda3             14845784  6667296   7417708  48% /
>> tmpfs                  1474228        0   1474228   0% /dev/shm
>> /dev/sda1               487652    81221    380831  18% /boot
>> 10.51.0.34:/srv/nfs/app
>>                       287687168 69111040 218576128  25% /var/app
>> 10.51.0.54:/srv/nfs/ipa
>>                        16377088  3728640  11809792  24% /home/ipa
>> ap_user$
>> ```
>>
>> I have a sudo rule that allows `/bin/su - app_user` and `/bin/su -
>> app_user -c` but I can't get the `-c` to work in a single command. I also
>> tried giving sudo permission to `/bin/bash` in case the `-c` needed it
>> to create a new shell for some reason, but it didn't work.
>>
>> Does anyone have any thoughts on what permissions I might be missing to
>> allow the user to run `sudo su - app_user -c <command>`?
>>
>> Thanks,
>> Ryan
>>
>>
>>
> Try to allow /bin/su - app_user -c '*'
>
> If I understand you correctly, you want to allow user to run any command
> as app_user. You can do it also by creating a rule that allows to run any
> command and run it as app_user.
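How sudoers argument matching treats the two rules and the wildcard suggestion discussed in this thread, as an added example that is not part of the original messages. It is a simplified Python model, not sudo's or FreeIPA's code; the function names and sample invocations are constructed, and the wildcard rule is written unquoted as an assumption.

```python
from fnmatch import fnmatchcase

# Simplified model of sudoers(5) command matching (assumptions: no aliases,
# no digests, exact path comparison instead of sudo's path globbing):
#   spec without arguments -> any arguments are accepted
#   spec with arguments    -> the user's arguments must match them; shell-style
#                             wildcards in the spec are honoured
#   spec with argument ""  -> only an argument-less invocation is accepted


def spec_matches(spec, argv):
    """Return True if the sudoers-style command spec permits argv."""
    spec_cmd, _, spec_args = spec.partition(" ")
    if argv[0] != spec_cmd:
        return False
    user_args = " ".join(argv[1:])
    if spec_args == "":
        return True
    if spec_args == '""':
        return user_args == ""
    return fnmatchcase(user_args, spec_args)


def permitting_rule(rules, argv):
    """Return a spec from rules that permits argv, or None if none does."""
    return next((r for r in rules if spec_matches(r, argv)), None)


# The two rules described in the thread, then the same set plus a wildcard rule.
THREAD_RULES = ["/bin/su - app_user", "/bin/su - app_user -c"]
WILDCARD_RULES = THREAD_RULES + ["/bin/su - app_user -c *"]

# Constructed invocations, as sudo sees them once `su` is resolved to /bin/su.
INTERACTIVE = ["/bin/su", "-", "app_user"]
ONE_SHOT = ["/bin/su", "-", "app_user", "-c", "df"]
OTHER_CMD = ["/bin/su", "-", "app_user", "-c", "cat /var/app/config.yml"]

if __name__ == "__main__":
    for name, rules in (("thread rules", THREAD_RULES),
                        ("with wildcard", WILDCARD_RULES)):
        for argv in (INTERACTIVE, ONE_SHOT, OTHER_CMD):
            rule = permitting_rule(rules, argv)
            print(f"{name:14} {' '.join(argv):48} -> {rule}")
```

In this model the rule ending in `-c` permits only an invocation whose arguments stop at `-c`, while the wildcard rule permits every command string that follows `-c`, which is the same scope as a rule allowing any command to run as `app_user`.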