Sudo command in perl/eBox/Zentyal

Question

I installed Zentyal 4.0 and looking its scripts how it is functioning.

I saw a perl function to run the shell commands in machine like below

//Ebox::Sudo:root

...

/usr/bin/sudo -p sudo: {commands to perform}

Can anyone explain what it is meant sudo in the shell?

Thanks

Answer 1

The -p according to documentation is for (Use a custom password prompt with optional escape sequences) zentyal used the /usr/bin/sudo -p sudo: just for purpose of testing

Readonly::Scalar our $SUDO_PATH   => '/usr/bin/sudo -p sudo:'; # our declaration eases testing

Because if you change to

/usr/bin/sudo -p anything:

The functionality of sudo zentyal is normal.

In you comments you wanted know why zentyal can run any shell system command without prompting the password, is because when you installed zentyal you have to set a user to sudo group or admin (this is similar to sudo group)

Members of the admin group may gain root privileges %admin ALL=(ALL) ALL

The last ALL allowed to run any command

Case related: https://forum.zentyal.org/index.php/topic,34663.0.html

Answer 2

This answer gives you an answer to both the sudo and -p sudo: in your command.

sudo itself is a privilege command allowing users to execute commands, if allowed in the sudoers file, which generally is not allowed by normal users.

The sudoers file can determine exactly which commands a user is allowed to run. Typically these commands can be run by either setting up the sudoers file by either prompting for the user password each time a command is being run, or by adding the NOPASSWD option which allows a user to run sudo commands without having to retype their password.

Example: a normal user cannot run dmidecode as you will get a access denied.

[user@host ~]$ dmidecode
# dmidecode 3.0
Scanning /dev/mem for entry point.
/dev/mem: Permission denied

but if allowed in the sudoers file, you can allow the user to run the command as a super user.

[user@host ~]$ sudo dmidecode

Here is an example of a sudoers file entry allowing user to only run some dmidecode and sar using sudo, without prompting for password.

user123 ALL=(ALL) NOPASSWD: /usr/sbin/dmidecode, /usr/bin/sar

for the -p sudo: part.

The -p (prompt) option allows you to override the default password prompt and use a custom one. The following percent ('%') escapes are supported by the sudoers.

In other words in this case it will replace the default prompt for sudo password with the sudo: text.

So as an example, running a command like df -h

[user@phost ~]$ sudo df -h
[sudo] password for host:

but when running with -p

[user@phost ~]$ sudo -p sudo: df -h
sudo:

TIP! whenever you need to edit a sudoers file, you need to ensure you never do vi sudoers as it will change file ownership. Always edit a sudoers file by running the visudo command as root .