
I require a sudoers entry to be able to execute the following command:

sudo -u myAppUser /opt/myapp/bin/myapp.Console.pl Admin::User::Add <some optional parameters>

I've created a group myAppExecGroup and added myTestUser to the group

Cmnd_Alias              MYAPPADDCMD = /opt/myapp/bin/myapp.Console.pl Admin\:\:User\:\:Add *

%myAppExecGroup ALL= (myAppUser) NOPASSWD: MYAPPADDCMD

As a counter test I tried this simple reboot, which works well:

Cmnd_Alias              POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
%myAppExecGroup ALL= (root) NOPASSWD: POWER

I also tried this, which is not working at all and asks for a password:

Cmnd_Alias              IFCONFIG = /sbin/fdisk --list
%myAppExecGroup ALL= (root) NOPASSWD: IFCONFIG

So I am not clear if I have a general lack of understanding or if I am facing a usage issue, which is hindering my requirement?

update 1:

This script can simulate the above-named command:

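mkdir -p /opt/myapp/bin/
# create the file empty so the shebang ends up on the first line
: > /opt/myapp/bin/myapp.Console.pl
chmod 755 /opt/myapp/bin/myapp.Console.pl
tee -a /opt/myapp/bin/myapp.Console.pl <<EOF
#!/bin/bash
# print the arguments received and the user the script runs as
echo "\$@"
echo "\$USER"
EOF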

update 2:

If using root instead of myAppUser

%myAppExecGroup ALL= (root) NOPASSWD: MYAPPADDCMD

the command executes. But I require the myAppUser environment?!?

cilap
  • https://unix.stackexchange.com/questions/356421/how-to-include-a-colon-in-specific-command-sudoers-entry#356424 – Gerald Schneider Sep 08 '22 at 11:01
  • I found the link before I posted my question. I am not clear what you want to refer to here? Escaping is done? – cilap Sep 08 '22 at 13:18

1 Answer


I believe the problem with fdisk is with the path; try `which fdisk` to check the right path (I have it under /usr/sbin/fdisk).

The problem with your command is the space before the *. By writing ...User\:\:Add * you imply optional parameters are mandatory. If you remove the space:

Cmnd_Alias              MYAPPADDCMD = /opt/myapp/bin/myapp.Console.pl Admin\:\:User\:\:Add*

it should accept your command with and without parameters.

Luca Ricci
  • same behaviour, requests for password – cilap Sep 08 '22 at 17:47
  • I have updated my question to give an option to simulate the command. – cilap Sep 08 '22 at 17:55
  • Thanks, I had already created a similar one to test my answer before posting it. The only other reason I can think of is: is the user trying to sudo in the myAppExecGroup group? (Did you try to check fdisk's actual path?) – Luca Ricci Sep 12 '22 at 07:24
  • Sure, I require it in a group. Is your command working too if you add the user into a group and allow the group? Can you share your test too? – cilap Sep 13 '22 at 05:15
  • It did work with a group as well; my sudo config is just like yours but with the Cmnd_Alias without the space, as I quoted it in the answer. One important question: do you call the script with the full path, or do you have /opt/myapp/bin in your path and then use myapp.Console.pl? If you do, can you paste the result of ```which myapp.Console.pl``` from both the user using sudo and myAppUser? – Luca Ricci Sep 13 '22 at 11:10
  • Can you please share the full configuration incl. script? Not working at my end. – cilap Sep 13 '22 at 16:45
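
The difference between `Add *` and `Add*` discussed in the answer can be checked outside sudo. The following is an added example, not code from the post or from the sudo project: it models the rule documented in sudoers(5) that command-line arguments are matched as one space-joined string with fnmatch(3). The sample invocations, the `AddGroup` subcommand and the two-member alias are assumptions made for illustration.

```c
/* Model of sudoers argument matching: args are joined with single spaces
 * and matched as one string with fnmatch(3). Not sudo's own source. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Argument patterns as they read once the sudoers "\:" escapes are removed. */
static const char *const WITH_SPACE[] = { "Admin::User::Add *" };  /* question */
static const char *const NO_SPACE[]   = { "Admin::User::Add*" };   /* answer   */
static const char *const TWO_FORMS[]  = { "Admin::User::Add",      /* assumed alternative: */
                                          "Admin::User::Add *" };  /* two alias members    */

/* Constructed sample invocations (everything after the script path). */
static const char *const BARE[]   = { "Admin::User::Add" };
static const char *const PARAMS[] = { "Admin::User::Add", "--name", "alice" };
static const char *const OTHER[]  = { "Admin::User::AddGroup", "ops" }; /* hypothetical subcommand */

/* Return 1 if any pattern in the alias matches the joined argument string. */
int alias_allows(const char *const pats[], size_t np,
                 const char *const args[], size_t na)
{
    char joined[256] = "";
    for (size_t i = 0; i < na; i++) {
        if (strlen(joined) + strlen(args[i]) + 2 > sizeof joined)
            return 0;                       /* too long for this model: deny */
        if (i) strcat(joined, " ");
        strcat(joined, args[i]);
    }
    for (size_t i = 0; i < np; i++)
        if (fnmatch(pats[i], joined, 0) == 0)
            return 1;
    return 0;
}

#define N(a) (sizeof (a) / sizeof (a)[0])
#define SHOW(p, a) printf("%-10s vs %-6s -> %s\n", #p, #a, \
                          alias_allows(p, N(p), a, N(a)) ? "allowed" : "denied")

int main(void)
{
    SHOW(WITH_SPACE, BARE); SHOW(WITH_SPACE, PARAMS); SHOW(WITH_SPACE, OTHER);
    SHOW(NO_SPACE, BARE);   SHOW(NO_SPACE, PARAMS);   SHOW(NO_SPACE, OTHER);
    SHOW(TWO_FORMS, BARE);  SHOW(TWO_FORMS, PARAMS);  SHOW(TWO_FORMS, OTHER);
    return 0;
}
```

The no-space pattern also accepts any argument string that merely starts with `Admin::User::Add`. Listing the bare form and the `Add *` form as two members of the same Cmnd_Alias accepts the command with and without parameters while rejecting that case.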