
While setting up a script to convert documents to PDF using libreoffice on AWS, I can't get libreoffice to --convert-to pdf without sudo, as perhaps the user wsgi does not have write permissions to the /opt/python/current/app directory.

So I plan to solve this by appending the following line to the /etc/sudoers file:

wsgi ALL = NOPASSWD: /opt/libreoffice5.3/program/soffice.bin

As I want to automate this while deploying, in my .ebextensions/01_packages.config I have

container_commands:
  01_edit_sudoers_only_once:
    # Append the sudoers entry for the wsgi user
    command: "echo 'wsgi ALL = NOPASSWD: /opt/libreoffice5.3/program/soffice.bin' >> /etc/sudoers"
    # Only run if the marker file from an earlier deploy is absent
    test: "test ! -f .sudoers_edited"

  02_mark_sudoers_as_edited:
    # Create the marker so step 01 is not repeated
    command: "touch .sudoers_edited"

Is there a potential security issue with this?

Pranab

1 Answer

There is a significant potential security issue with giving a web service process the ability to invoke things with sudo.

Giving it permission to write to directories containing code would also be unsafe.

You really need to identify what's being denied and why that matters. If error messages aren't sufficiently clear, you could use strace to observe the process's system calls and the resulting errors.

Michael - sqlbot
  • +1 for strace tip. I will try to figure out why it isn't working without sudo. Also I will write the PDFs into a separate directory outside the code directories. – Pranab Jun 15 '17 at 07:40
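The strace approach from the answer, worked through as an added example (this is not code from the answer or from the question's deployment; the paths in the sample trace are hypothetical and the trace itself is constructed to look like `strace -f -o` output). `denied_paths` filters strace output down to the files a process could not access, and `trace_denied` wraps a real run under strace, which must be installed on the instance:

```sh
#!/bin/sh
# Added example: find out what the unprivileged user is actually denied,
# instead of granting it sudo.

# Extract the paths that failed with EACCES or EPERM from strace output on
# stdin. Works for both the "[pid N] " prefix strace prints to stderr and the
# "N  " prefix it writes with -o; the first quoted string on a file-syscall
# line is the path. Each path is printed once.
denied_paths() {
    grep -E '= -1 E(ACCES|PERM) ' |
        sed -E 's/^[^"]*"([^"]*)".*/\1/' |
        LC_ALL=C sort -u
}

# Run a command under strace, following children (soffice forks helpers),
# tracing only file-related syscalls, and report what was denied.
# Requires strace. Example invocation (hypothetical paths):
#   trace_denied /opt/libreoffice5.3/program/soffice --headless \
#       --convert-to pdf --outdir /var/tmp/pdfout input.docx
trace_denied() {
    log=$(mktemp) || return 1
    strace -f -e trace=file -o "$log" "$@" >/dev/null 2>&1
    denied_paths < "$log"
    rm -f "$log"
}

# Constructed sample of strace -f -o output standing in for a real run as the
# wsgi user. Paths are hypothetical; note the same path can be denied twice.
SAMPLE_TRACE='1234  openat(AT_FDCWD, "/usr/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
1234  mkdir("/opt/python/current/app/.config", 0755) = -1 EACCES (Permission denied)
1235  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
1235  openat(AT_FDCWD, "/opt/python/current/app/out.pdf", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
1235  openat(AT_FDCWD, "/opt/python/current/app/.config", O_RDONLY) = -1 EACCES (Permission denied)'

# Report the denied paths from the constructed sample.
report_sample() {
    printf '%s\n' "$SAMPLE_TRACE" | denied_paths
}

# With arguments, trace that command for real; without, show the sample.
if [ "$#" -gt 0 ]; then
    trace_denied "$@"
else
    report_sample
fi
```

Run `trace_denied` as the wsgi user from an administrative shell (for example via `sudo -u wsgi`), because what is denied depends on who runs the conversion. On the sample above it reports two paths under /opt/python/current/app; each path that shows up is a candidate for a directory owned by the wsgi user rather than a reason to add a sudoers entry.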