
I have a problem with Linux (Ubuntu 16.04) permissions and command execution.

/etc/sudoers file:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d (this dir is empty)
jenkins ALL=(deployer) NOPASSWD: ALL
deployer ALL=NOPASSWD:/etc/init.d/php7.0-fpm reload,/bin/kill,/bin/ps,/bin/grep,/usr/bin/awk,/usr/bin/xargs

I need to run this command; I am logged in as user jenkins:

sudo -u deployer kill -9 $(ps aux | grep /data/web/test1 | grep -v grep | awk '{print $2}')

This command has to kill 2 processes. But when I run it like this, I get exit status 1. I don't know why, and I can't find any logged error messages ...

When I log in as the deployer user and run this command, everything is OK:

kill -9 $(ps aux | grep /data/web/test1 | grep -v grep | awk '{print $2}')

The processes I need to kill look like this:

www-data 48689  0.0  1.6 306184 33872 ?        Ss   14:26   0:00 /usr/bin/php /data/web/test1/xxx
www-data 48690  0.0  1.6 306184 34108 ?        Ss   14:26   0:00 /usr/bin/php /data/web/test1/yyy

I found out that the problem is only with the kill command, but I really don't know why.

2 Answers

Your problem is that the process is running as "www-data" and you're switching to the "deployer" user. The only "user" who can kill processes not owned by them is root.

Try the following in your sudoers

jenkins ALL=(www-data) NOPASSWD: ALL

Then as your command

sudo -u www-data pkill --signal 9 -f /data/web/test1

The other thing I can think of is your deployer sudo rule

deployer ALL=NOPASSWD:/etc/init.d/php7.0-fpm reload,/bin/kill,/bin/ps,/bin/grep,/usr/bin/awk,/usr/bin/xargs

That rule translates to

/etc/init.d/php7.0-fpm reload
/bin/kill
/bin/ps
/bin/grep
/usr/bin/awk
/usr/bin/xargs

Your kill command doesn't have any options to it. You would need

deployer ALL=NOPASSWD:/etc/init.d/php7.0-fpm reload,/bin/kill *,/bin/ps,/bin/grep,/usr/bin/awk,/usr/bin/xargs
Timothy c
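The ownership point in this answer can be checked without touching sudo at all. The script below is an added example, not code from the question or either answer: it runs the question's ps/grep/awk pipeline over a constructed `ps aux` sample (the two www-data PHP processes from the question plus a few distractors) and reports, for a given user, which matching PIDs that user could actually signal, applying the kill(2) permission rule in its usual form (root may signal any process, anyone else only processes running under their own user). Run "as deployer" it exits 1 with the same "Operation not permitted" the asker later sees; run "as www-data" or "as root" it succeeds. The `PS_SAMPLE` text, the function names and the user list are assumptions of the example. The same rule is why the double-`sudo` form mentioned in the comments below works: the deployer sudoers line lets deployer run `/bin/kill` as root, and root may signal anything.

```shell
#!/bin/sh
# Added example: dry run of
#   sudo -u USER kill -9 $(ps aux | grep PATTERN | grep -v grep | awk '{print $2}')
# against a constructed ps listing, showing which PIDs USER could actually signal.

# Constructed sample of `ps aux` output (not captured from the asker's host);
# the two www-data lines mirror the question, the rest are distractors: the
# grep that must be filtered out, and an unrelated site under test2.
PS_SAMPLE='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 225000  9000 ?        Ss   14:00   0:01 /sbin/init
www-data 48689  0.0  1.6 306184 33872 ?        Ss   14:26   0:00 /usr/bin/php /data/web/test1/xxx
www-data 48690  0.0  1.6 306184 34108 ?        Ss   14:26   0:00 /usr/bin/php /data/web/test1/yyy
deployer 48700  0.0  0.2  21000  3000 pts/0    S    14:30   0:00 grep /data/web/test1
deployer 48701  0.0  0.5  50000  8000 ?        S    14:31   0:00 /usr/bin/php /data/web/test2/zzz'

# The question's pipeline, but printing "owner pid" and reading the sample
# instead of the live process table so it runs anywhere.
match_procs() {
    printf '%s\n' "$PS_SAMPLE" | grep -- "$1" | grep -v grep | awk '{print $1, $2}'
}

# kill(2) permission rule in its usual form: root may signal any process,
# any other user only processes running under their own user.
can_signal() {
    [ "$1" = root ] || [ "$1" = "$2" ]
}

# PIDs matching $2 that user $1 would be refused (EPERM), one per line.
denied_pids() {
    match_procs "$2" | while read -r owner pid; do
        can_signal "$1" "$owner" || printf '%s\n' "$pid"
    done
}

# Dry run of "sudo -u $1 kill -9 <pids matching $2>": exit 0 if every target
# can be signalled as $1, exit 1 otherwise. kill(1) likewise exits non-zero
# when any of its targets is refused, which is the status the question sees.
check_kill_as() {
    denied=$(denied_pids "$1" "$2")
    if [ -n "$denied" ]; then
        echo "as $1: kill would fail with 'Operation not permitted' for PID(s): $(printf '%s' "$denied" | tr '\n' ' ')"
        return 1
    fi
    echo "as $1: all processes matching $2 can be signalled"
}

# Walk through the three users that appear in the thread; "|| :" keeps a
# refused user from aborting the walk when the script runs under "set -e".
for u in deployer www-data root; do
    check_kill_as "$u" /data/web/test1 || :
done
```

Note that the PID selection is a plain substring match on the command line, exactly like the question's `grep /data/web/test1` and the `pkill -f` in this answer, so a path such as `/data/web/test10` would be swept up too; anchoring the pattern (for example `/data/web/test1/`) avoids that.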

Try with the -s switch, like this:

sudo -u deployer -s kill -9 $(ps aux | grep /data/web/test1 | grep -v grep | awk '{print $2}')
mrc02_kr
  • Result is: /bin/bash: line 0: kill: (48689) - Operation not permitted – Samuel Kelemen Jul 05 '17 at 13:36
  • OK. Can you put /bin/kill instead of kill? The sudoers file seems to be fine – mrc02_kr Jul 05 '17 at 14:21
  • Same result. But when I run the command `sudo -u deployer sudo kill -9 $(ps aux | grep /data/web/test1 | grep -v grep | awk '{print $2}')` everything runs OK. But I don't understand why I have to use sudo 2 times ... – Samuel Kelemen Jul 05 '17 at 14:34
  • As you can see, if you are logged in as deployer, kill doesn't require sudo to run. Maybe because in the sudoers file you specified commands allowed for the deployer account. Try to comment out the deployer line and run sudo from the jenkins account – mrc02_kr Jul 05 '17 at 14:48
  • When I remove the deployer line from the sudoers file and run the command with `sudo -u deployer kill ...` from jenkins I get exit status 1. If I run `sudo -u deployer sudo kill ...` from jenkins it asks me for the deployer password. – Samuel Kelemen Jul 05 '17 at 15:02
  • Can you also try: `jenkins ALL=(deployer) NOPASSWD: /etc/init.d/php7.0-fpm reload,/bin/kill,/bin/ps,/bin/grep,/usr/bin/awk,/usr/bin/xargs` and `deployer ALL=NOPASSWD:ALL` – mrc02_kr Jul 05 '17 at 15:03
  • I tried `jenkins ALL=(deployer) NOPASSWD: ALL` and `deployer ALL=NOPASSWD: ALL`, but the command `sudo -u deployer kill -9 $(ps aux | grep /data/web/test1 | grep -v grep | awk '{print $2}')` still returns status code 1 ... – Samuel Kelemen Jul 05 '17 at 15:12
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/61610/discussion-between-mrc02-kr-and-samuel-kelemen). – mrc02_kr Jul 05 '17 at 15:23