haproxy and socat sudo

Question

I created a test user and want to limit this "test" user to run only the following command via visudo.

echo "show stat" | socat stdio /var/run/haproxy.sock

visudo

test    ALL=(root)NOPASSWD:/usr/bin/socat stdio /var/run/haproxy.sock

ls -lat /var/run/haproxy.sock

srwxr-xr-x 1 munin haproxy 0 May 22 22:32 /var/run/haproxy.sock

I ran the following command

test#sudo echo "show stat" | socat stdio /var/run/haproxy.sock

The error message

2013/05/22 23:13:14 socat[21289] E connect(3, AF=1 "/var/run/haproxy.sock", 23): Permission denied

May I know what was incorrectly configured in visudo

score 7 · Answer 1 · answered May 22 '13 at 15:15

7

The echo is running as root, but the socat isn't. Try this instead:

echo "show stat" | sudo socat stdio /var/run/haproxy.sock

answered May 22 '13 at 15:15

Flup

score 4 · Accepted Answer · answered May 22 '13 at 15:16

4

In your pipe, only echo is run with elevated privileges, I believe you need a sudo before socat.

answered May 22 '13 at 15:16

Kyle Brandt

score 1 · Answer 3 · edited Aug 07 '16 at 08:36

1

You can define a normal (non-privileged) unix socket like:

    stats socket /var/run/haproxy/socket.sock mode 666

edited Aug 07 '16 at 08:36

Law29

answered Aug 07 '16 at 07:40

score 0 · Answer 4 · edited Sep 17 '19 at 15:57

0

You can avoid permission denied if you change configuration like below.

stats socket /var/run/haproxy/socket.sock level admin

Result:

echo "set server"|nc -U /var/run/haproxy/socket.sock
Require 'backend/server'

edited Sep 17 '19 at 15:57

kenlukas

answered Sep 17 '19 at 09:06

zino.k

4 Answers4