
I need to allow a specific command on a Debian Linux box for a single user. I've tried this in the /etc/sudoers file:

# User privilege specification
zabbix  ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}'

This does not work as expected. If I run the command as user zabbix with sudo, it asks for the password (although I have specified the NOPASSWD option).

However, this works:

# User privilege specification
zabbix  ALL=NOPASSWD: /usr/bin/apt-get

But this has the drawback that all subcommands of apt-get are allowed. Is there a way I can fix this to only allow a specific command?

Teun Zengerink
Daniel

2 Answers


You are probably falling foul of the way that redirection interacts with sudo. The redirection is performed as the calling user, not the privileged user. It would probably be easier for you to wrap your command in a script and then allow the zabbix user to run that script, e.g.

#!/bin/bash
/usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}'

then set sudoers as

zabbix  ALL=NOPASSWD: /path/to/script

Now the whole script will be run as the privileged user and not just the particular apt-get command. Do though ensure that the zabbix user cannot write to the script.

user9517
    Someone can probably correct me if sudo already takes care of it (I seem to recall having issues with env variables not being passed), but I'd suggest making awk and wc have their full paths as a general best practice for scripts so a user can't do export PATH=~user/bin:$PATH and stick whatever commands they want in a script called awk (or wc) in ~user/bin – Foon Feb 14 '13 at 23:44
  • @Foon: I think you're confusing sudo with cron. – user9517 Feb 15 '13 at 07:30
  • 1
    Not confusing it, but http://superuser.com/questions/232231/how-do-i-make-sudo-preserve-my-environment-variables does indicate that sudo prevents PATH manipulation (and LD_LIBARRAY_PATH by default) – Foon Feb 15 '13 at 12:58
  • I did something similar, only I suid'd the invoking script and made it writable only by root. Test if it works for the user with permissions 711; then they can't even see what it's doing to try and circumvent it. – Krista K Jan 21 '14 at 06:44

I disagree with Iain. Although it will work, you do not need awk to run as root. I would not be comfortable with this because you might be able to attack awk in some way. It is a full programming language interpreter after all.

When one runs sudo /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}', they are actually running sudo /usr/bin/apt-get --print-uris -qq -y upgrade and then piping/redirecting as the calling user.

Try this: zabbix ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade

By the way, there is nothing wrong with putting this in a script as Iain does, and you could still do that. I would just avoid running awk as root if possible.

user606723
    You're correct but if the script is insecure then it doesn't matter what's in it, it can be overwritten and the world is your oyster. If the script is secure then what's in it is secure too. – user9517 Feb 15 '13 at 15:28
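
Putting the two answers together, here is an added example (not code from the question, either answer, or the Zabbix project) of how a practitioner would deploy this. The zabbix side is a small wrapper script, as the first answer suggests, but sudo is granted only for the exact apt-get command line and the counting runs unprivileged, as the second answer recommends. The script name count-upgrades, the sudoers drop-in path, the fixed PATH and the sample --print-uris lines used in testing are my assumptions; the permission check assumes GNU coreutils stat.

```sh
#!/bin/sh
# count-upgrades: report how many packages apt-get would upgrade.
# Added example, not code from the question or either answer.
#
# Assumed sudoers drop-in, e.g. /etc/sudoers.d/zabbix-apt (check it with
# `visudo -cf /etc/sudoers.d/zabbix-apt`, then `sudo -l -U zabbix`):
#   zabbix ALL=(root) NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade
# Only that exact command line is privileged; everything after the pipe
# below runs as zabbix, so awk never runs as root.
set -eu

# Fixed PATH (assumed layout) so a PATH set by the caller cannot substitute
# its own awk, stat or basename; see the comment thread on the first answer.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Each output line of `apt-get --print-uris` describes one .deb to fetch;
# counting non-blank lines is what the original awk | wc | awk pipeline did.
count_upgrade_uris() {
    awk 'NF { n++ } END { print n + 0 }'
}

# True when the file is writable neither by group nor by others. This is
# the condition the first answer insists on if the script itself is the
# sudo target; owner check left out so it is testable unprivileged.
# Assumes GNU stat (-c '%a' prints the octal mode, e.g. 755 or 2755).
not_group_or_world_writable() {
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 022 )) -eq 0 ]
}

upgrade_count() {
    # -n: fail instead of prompting if the sudoers entry does not match the
    # command line exactly (the symptom in the question). stderr is dropped
    # as in the original pipeline; only apt-get runs as root here.
    sudo -n /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null | count_upgrade_uris
}

# Run only when invoked as the installed script; when sourced under another
# name the functions are merely defined.
if [ "$(basename -- "$0")" = "count-upgrades" ]; then
    # Harmless in this design (the script is not privileged), mandatory if
    # you instead grant sudo on the script as in the first answer.
    if ! not_group_or_world_writable "$0"; then
        echo "refusing to run: $0 is group- or world-writable" >&2
        exit 1
    fi
    upgrade_count
fi
```

Install it root-owned with mode 0755 (for example with install -o root -g root -m 0755), and confirm as the zabbix user with sudo -n -l that the apt-get line is listed; if the sudoers entry has any difference in arguments, sudo -n exits with an error rather than hanging on a password prompt inside the monitoring agent.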