[sudo-users] Running scripts in a networked environment using sudo
Robert William Leach
robleach at lanl.gov
Wed Aug 2 17:16:46 EDT 2006
I was trying to do the same thing and I think I worked it out on
Solaris 9. Hopefully this will apply directly to your question.
I wanted a script which would take a file of commands used to
'deploy' software to various systems because certain tasks have to be
performed for each file to put it in production. In so doing, I
needed to inherit the environment of the user I'm using `sudo -u
username` with. I couldn't understand why -i wasn't working and I
figured out that it needs input. I didn't have a file to redirect
in, so here's an example of what I did:
ssh deploymentmachine.com -l root "echo cd\ path\/to\/development\/
file\ \\\&\\\&\ cvs\ update\ file\ \\\&\\\&\ mydeploycommand\ file |
sudo -u builduser -i"
So basically, I'm ssh'ing as root to the server on which I want to
deploy my software. (I have a mount, but I'm not hooked into NIS, so
I must ssh over to assume the user's, e.g. "builduser", identity and
environment.) I then echo the commands I want to execute and pipe
them to my sudo command using the -u and -i options.
Of course, this asks for my password, so when I execute this command
in my script, I append " >& /dev/tty" to the end of the command so I
know what's going on (i.e. I see the password request). I was
testing it wrapped inside a perl -e one-liner, so you'll note I used
double quotes. Eventually, I'll fix it so I only need to enter the
password(s) once per script run and I'll use single quotes and double
quotes for the echo line.
I'm certain there's probably a cleaner/better way to do this, but
given my paltry knowledge of system commands, this is the best I can
do and it works for me. Please feel free to submit a better solution.
> Hello All,
> Here's my dilemma. I work in a NIS environment where I have a unique
> userid (e.g. jdoe). The production servers have local users for each
> production app. As you would expect, each production user (e.g. prdusr)
> has a specific set of environment variables (a significant #). The local
> production users' accounts are locked out. The only way to access the
> userids is to log in as individual users and further "sudo su -
> prdusr" in as the production users, at which point I am user "prdusr"
> and I have full access to the production environment and all its
> environment variables.
> Here's my goal:
> Setup a single server which is in the NIS environment. All my
> monitoring scripts will ssh into the various production servers as the
> network user(jdoe) and further run various scripts as user "prdusr"
> inheriting the various environment variables.
> I can write a script which can force the script to inherit various
> defined environment variables, but I would like to avoid it if
> possible, as there are a number of different production servers with
> uniquely different variables in each box. I can also run scripts on
> each production server as user "prdusr", but it becomes hairy to
> manage numerous cron jobs and scripts.
> The newer version of sudo has a -i switch which, from what I read,
> allows me to inherit user environment variables, but I am not able to get
> it to work successfully as of now. Anybody have any suggestions or
> thoughts to make this happen?
> Thanks in advance.
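The quoting that the ssh one-liner above does by hand with backslashes, written as an added example (not code from the post): a small POSIX sh wrapper that builds the `echo ... | sudo -u builduser -i` command with every argument single-quoted, so a file name containing spaces or shell metacharacters reaches cvs and the deploy command as one word instead of being interpreted by the remote shell. The host, login user, build user and deploy command names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the remote command
# fed to `sudo -u <builduser> -i` over ssh with proper single-quoting.

# Quote one string for a POSIX shell: wrap it in single quotes and turn
# each embedded single quote into '\''.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The command list the build user should run for one file (placeholder
# command names, as in the post: cvs update, then a deploy command).
deploy_commands() {
    devdir=$1
    file=$2
    printf 'cd %s && cvs update %s && mydeploycommand %s' \
        "$(shquote "$devdir")" "$(shquote "$file")" "$(shquote "$file")"
}

# Wrap the command list so the remote login shell pipes it into
# `sudo -u <builduser> -i`; sudo -i with no command reads the commands
# from stdin inside the build user's login environment.
remote_command() {
    builduser=$1
    cmds=$2
    printf 'printf "%%s\\n" %s | sudo -u %s -i' \
        "$(shquote "$cmds")" "$(shquote "$builduser")"
}

# Run the deployment for one file on one host. ssh -t allocates a tty on
# the remote side so sudo can prompt for the password, which is the role
# the post's ">& /dev/tty" redirection played.
deploy_file() {
    host=$1
    login=$2
    builduser=$3
    devdir=$4
    file=$5
    cmd=$(remote_command "$builduser" "$(deploy_commands "$devdir" "$file")")
    ssh -t -l "$login" "$host" "$cmd"
}

# Usage (placeholders, not run here):
#   deploy_file deploymentmachine.example root builduser /path/to/development 'my file'
```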