sudo -i通过sudoers文件不再具有特定权限
[英]sudo -i doesn't work anymore with specific permissions through sudoers file
问题描述
I had a bash script which called sudo -i -u user /bin/bla/whatever. 
我有一个名为sudo -i -u user / bin / bla / whatever的bash脚本。 That worked fine until the last update to CentOS 5.8. 在上次更新CentOS 5.8之前一直运行良好。 That's the corresponding entry in the sudoers file: 这是sudoers文件中的相应条目:
Runas_Alias TEST = user1, user2
Defaults:test always_set_home
test ALL=(TEST) NOPASSWD: /bin/bash -c /bin/bla/whatever, /bin/bla/whatever
If I used sudo -i it seems it called the command 如果我使用sudo -i它似乎叫它命令
"/bin/bash -c /bin/bla/whatever"
(regarding the secure log). (关于安全日志)。 Now, since the update, it seems to call 现在,自更新以来,它似乎在呼唤
"/bin/bash -c \/bin\/bla\/whatever"
and therefore is not allowed to. 因此不允许。 I tried to change the line in the sudoers file to 我试图将sudoers文件中的行更改为
test ALL=(TEST) NOPASSWD: /bin/bash -c /bin/bla/whatever, /bin/bla/whatever, /bin/bash -c \/bin\/bla\/whatever
but thats not allowed syntax, so I tried: 但那不允许语法,所以我试过:
test ALL=(TEST) NOPASSWD: /bin/bash -c /bin/bla/whatever, /bin/bla/whatever, /bin/bash -c \\/bin\\/bla\\/whatever
That's valid syntax but doesn't work either. 这是有效的语法,但也不起作用。
If I use sudo -H -u user /bin/bla/whatever it works fine. 如果我使用sudo -H -u user / bin / bla /无论它工作正常。 Even if I allow /bin/bash in the sudoers file, but that would allow anything..... 即使我在sudoers文件中允许/ bin / bash,但那会允许任何.....
Any ideas? 有任何想法吗?
Erik 埃里克
2 个解决方案
解决方案1
1 2012-06-01 08:40:59
Just checked the sudo man page on my fedora 16 system and it says: 刚刚检查了我的fedora 16系统上的sudo手册页,它说:
-i [command] The -i (simulate initial login) option runs the shell specified by the password database entry of the target user as a login shell. This means that login-specific resource files such as .profile or .login will be read by the shell. If a command is specified, it is passed to the shell for execution via the shell's -c option.
So it does not appear to be necessary to specify bash -c in your sudoers command definition. 因此,似乎没有必要在sudoers命令定义中指定bash -c 。
If you call the command as sudo -i /bin/bla/whatever you should need nothing more than the following in your sudoers file: 如果你将命令调用为sudo -i /bin/bla/whatever你在sudoers文件中只需要以下内容:
test ALL=(TEST) NOPASSWD: /bin/bla/whatever
I can reproduce the problem on my fedora 16 system, no changes to the sudoers file I tried had any effect. 我可以在我的fedora 16系统上重现这个问题,我试过的sudoers文件没有任何变化有任何影响。 I cannot find any other configuration required to make this work. 我找不到任何其他配置来完成这项工作。 All I can say is to use '-H -u ...'. 我只能说'-H -u ......'。
解决方案2
1 2014-02-13 21:19:37
Were you running sudo -i -u user /bin/bla/whatever with arguments? 你运行sudo -i -u user /bin/bla/whatever有参数? From man sudoers : 从man sudoers :
A simple file name allows the user to run the command with any arguments he/she wishes.
So once you add in the /bin/bash -c you are now specifying arguments and they must match exactly . 所以一旦你添加/bin/bash -c你现在指定参数,它们必须完全匹配。
Here's an example sudoers line: 这是sudoers行的一个例子:
test ALL=(ALL) NOPASSWD: /bin/bash -c /bin/true, /bin/bash -c /bin/true *, /bin/true *
With that I can do: 我可以这样做:
sudo /bin/true
sudo /bin/true foo
sudo -u /bin/true
sudo -u /bin/true foo
But not sudo true because that becomes bash -c true which does not match bash -c /bin/true . 但不是 sudo true因为那变成了bash -c true ,它与bash -c /bin/true不匹配。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.