proper configuration of visudo NOPASSWD for bash backup script
Solution 1
I was successful in using the following examples as you've described. Sample scripts:
top.bash

$ cat /tmp/top.bash
#!/bin/bash
echo "running $0"
sudo -v
whoami
sudo /tmp/bott.bash

bott.bash

$ more /tmp/bott.bash
#!/bin/bash
echo "running $0"
whoami
Now with the following modification to sudo:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
sam ALL=(ALL) NOPASSWD:/tmp/top.bash
Now as user sam:
$ sudo /tmp/top.bash
running /tmp/top.bash
root
running /tmp/bott.bash
root
What about running top.bash without sudo?

If I alter the /etc/sudoers file like so:

sam ALL=(ALL) NOPASSWD:/tmp/top.bash,/tmp/bott.bash

And then just run /tmp/top.bash as user sam:

$ /tmp/top.bash
running /tmp/top.bash
sam
running /tmp/bott.bash
root

I get the above, which is what I would expect.
Solution 2
If you use Ubuntu, you should add your line at the end of /etc/sudoers, so no other lines can override your entry.
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
If your entry goes before the %sudo entry, that entry will override yours, because in Ubuntu you are in the sudo group:
$ id
uid=1000(cuonglm) gid=1000(cuonglm) groups=1000(cuonglm),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare)
And you must allow both your wrapper script and the actual script (in your case, /usr/local/bin/backup and /opt/storeBackup/bin/storeBackup.pl).
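Both answers boil down to two checks: every command the wrapper runs through sudo must itself be listed after NOPASSWD, and the listed targets must not be something the user can edit. The following is an added example, not code from either answer; the function names are its own, and it assumes the rule syntax shown on this page (a single sudoers line with a comma-separated command list).

```shell
#!/bin/sh
# Added example, not code from the answers above: audit a sudoers NOPASSWD
# rule against the wrapper script it is meant to cover. Function names are
# this example's own; the rule syntax is the one the page uses.

# Print each command listed after NOPASSWD:, one per line, whitespace trimmed.
nopasswd_cmds() {
  printf '%s\n' "$1" | sed -n 's/.*NOPASSWD:[[:space:]]*//p' |
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Return 0 if a path is a sane NOPASSWD target: absolute, a regular file,
# and not writable by group or others. A target the user can edit (for
# instance a script kept in /tmp) is a password-less way to run anything as root.
nopasswd_target_ok() {
  case $1 in /*) ;; *) echo "not an absolute path: $1"; return 1 ;; esac
  [ -f "$1" ] || { echo "missing or not a regular file: $1"; return 1; }
  mode=$(ls -ld "$1" | cut -c1-10)     # e.g. -rwxr-xr-x
  case $mode in
    ?????w*|????????w?) echo "group/other writable: $1 ($mode)"; return 1 ;;
  esac
  return 0
}

# Print the sudo invocations in a script that the rule does not cover.
# A bare "sudo -v" names no command at all, and "sudo -n true" names one
# (true) that is not in the list, which is what jordanm's comment points at.
# Options that take a value (such as -u) are not handled by this simple scan.
uncovered_sudo_calls() {   # $1 = script path, $2 = sudoers line
  allowed=$(nopasswd_cmds "$2")
  sed 's/#.*//' "$1" | grep -oE '(^|[^[:alnum:]_])sudo[^;&|]*' |
  while read -r word rest; do
    cmd=
    for w in $rest; do case $w in -*) ;; *) cmd=$w; break ;; esac; done
    if [ -z "$cmd" ]; then
      echo "sudo with no command (flags: $rest)"
    elif ! printf '%s\n' "$allowed" | grep -qxF -- "$cmd"; then
      echo "$cmd"
    fi
  done
}
```

Run against the script and rule from the question, it reports `sudo -v` as a sudo call with no command and `true` as a command missing from the rule, while the storeBackup.pl call is covered.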
Jarek
Updated on September 18, 2022

Comments
-
Jarek over 1 year

The abstract question is:

If script x calls program y, do I need a NOPASSWD entry in /etc/sudoers for x, y, or both x & y? (And can x then call sudo -v without a password?)

Details:

I'm trying to figure out what should go into the /etc/sudoers file to allow a user on Ubuntu (i.e., user ID 1000 who has sudo privileges) to execute a pre-configured full backup without entering a password.

My backup script is /usr/local/bin/backup (see below for the script). The actual backup program called by my script is /opt/storeBackup/bin/storeBackup.pl (see http://storebackup.org/).

I tried several approaches with visudo, but regardless of what I tried, I was still prompted for the password when running the script. I expected that adding a final line to /etc/sudoers (using visudo) like the following would work:

myuser ALL=(ALL) NOPASSWORD:/usr/local/bin/backup

That didn't work. Neither did this:

myuser ALL=(ALL) NOPASSWORD:/usr/local/bin/backup, /opt/storeBackup/bin/storeBackup.pl

Is the problem due to my script calling sudo -v near the beginning? Or is something else the problem?

To execute the following script, I expect the user to open a terminal and type backup. I want it to be that simple and I don't want them to be prompted for a password at all.

#!/bin/bash
sudo -v
# Keep-alive: update existing sudo time stamp if set, otherwise do nothing.
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &
#do a bunch of stuff that could take a while...
#finally, do backup without asking for password:
sudo /opt/storeBackup/bin/storeBackup.pl -f backup.conf

Thanks
-
jordanm about 10 years

Have you tried removing everything except for the last line? You haven't given your user permission to run true with no password, and those lines are completely unnecessary anyways.
-
Jarek about 10 years

Thanks. This all works for me, except for sudo -v in top.bash (and the while loop in my original script). Maybe I can find a way around using those...
-
Jarek about 10 years

I ran /tmp/top.bash without sudo and as my regular user; that's how my real script gets called. It worked. It even works if I add in the while true loop. But in my real script it does not work unless I remove sudo -v and the while true loop. However, I see no differences in the code at all. Very strange...
-
slm about 10 years

@MountainX - see updates.
-
Jarek about 10 years

Thanks. Yes, I had to do the same alteration of /etc/sudoers. So our results are the same for the test script. But my actual script chokes on sudo -v (as in top.bash) and I cannot find any differences in the code (or file permissions).
-
slm about 10 years

@MountainX - is apparmor enabled? I'm wondering if it's interfering with the locations of scripts even though sudo is allowing it.
-
Jarek about 10 years

I am not using apparmor.
-
slm about 10 years

@MountainX - To try and dredge up more info I'd try running it like this: strace -s 2000 -o sudo.log /tmp/top.bash