[sudo-users] Running scripts in a networked environment using sudo

Robert William Leach robleach at lanl.gov
Wed Aug 2 17:16:46 EDT 2006


Hi GG,

I was trying to do the same thing and I think I worked it out on  
Solaris 9.  Hopefully this will apply directly to your question.

I wanted a script which would take a file of commands used to  
'deploy' software to various systems because certain tasks have to be  
performed for each file to put it in production.  In so doing, I  
needed to inherit the environment of the user I'm using `sudo -u  
username` with.  I couldn't understand why -i wasn't working and I  
figured out that it needs input.  I didn't have a file to redirect  
in, so here's an example of what I did:

ssh deploymentmachine.com -l root "echo cd\ path\/to\/development\/ file\ \\\&\\\&\ cvs\ update\ file\ \\\&\\\&\ mydeploycommand\ file | sudo -u builduser -i"

So basically, I'm ssh'ing as root to the server on which I want to  
deploy my software.  (I have a mount, but I'm not hooked into NIS, so  
I must ssh over to assume the user's, e.g. "builduser", identity and  
environment.)  I then echo the commands I want to execute and pipe  
them to my sudo command using the -u and -i options.

Of course, this asks for my password, so when I execute this command  
in my script, I append " >& /dev/tty" to the end of the command so I  
know what's going on (i.e. I see the password request).  I was  
testing it wrapped inside a perl -e one-liner, so you'll note I used  
double quotes.  Eventually, I'll fix it so I only need to enter a  
password(s) once per script run and I'll use single quotes and  
double-quotes for the echo line.

I'm certain there's probably a cleaner/better way to do this, but  
given my paltry knowledge of system commands, this is the best I can  
do and it works for me.  Please feel free to submit a better solution.

Rob

> Hello All,
>
> Here's my dilemma.  I work in a NIS environment where I have a unique
> userid (e.g. jdoe).  The production servers have local users for each
> production app.  As you would expect, each production user (e.g. prdusr)
> has a specific set of environment variables (a significant #).  The local
> production users' accounts are locked out.  The only way to access the
> userids is to log in as individual users and further "sudo su -
> prdusr" in as the production users, at which point I am user "prdusr"
> and I have full access to the production environment and all its
> environment variables.
>
> Here's my goal:
> Set up a single server which is in the NIS environment.  All my
> monitoring scripts will ssh into the various production servers as the
> network user(jdoe) and further run various scripts as user "prdusr"
> inheriting the various environment variables.
>
> I can write a script which can force the script to inherit various
> defined environment variables, but I would like to avoid it if
> possible, as there are a number of different production servers with
> uniquely different variables in each box.  I can also run scripts on
> each production server as user "prdusr", but it becomes hairy to
> manage numerous cron jobs and scripts.
>
> The newer version of sudo has a -i switch which, from what I read,
> allows me to inherit user environment variables, but I am not able to get
> it to work successfully as of now.  Anybody have any suggestions or
> thoughts to make this happen?
>
> Thanks in advance.
>
> GG
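An added example, not code from either poster: the `echo ... | sudo -u builduser -i` pattern Rob describes, written as a small POSIX sh script that single-quotes each argument instead of backslash-escaping the echo line and pipes the command list into the login shell that `sudo -i` starts. deploymentmachine.com, builduser and mydeploycommand are placeholders taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the "cd && cvs update &&
# deploy" list that Rob echoes into `sudo -u builduser -i`, but quotes each
# argument with single quotes instead of backslash-escaping the echo line.
# deploymentmachine.com, builduser and mydeploycommand are placeholders
# taken from the thread, not real systems or tools.

# sq ARG: single-quote one argument so the remote login shell takes it
# literally; an embedded ' becomes '\'' (close, escaped quote, reopen).
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_deploy_cmd DIR FILE: one && chain, so a failed cvs update stops
# the deploy instead of running mydeploycommand on a stale file.
build_deploy_cmd() {
    printf 'cd %s && cvs update %s && mydeploycommand %s' \
        "$(sq "$1")" "$(sq "$2")" "$(sq "$2")"
}

# remote_script DIR FILE: the text fed to the target user's login shell.
# `sudo -i` with no command starts that shell, which reads its commands
# from stdin, so the user's own profile and environment are loaded first.
remote_script() {
    printf '%s\n' "$(build_deploy_cmd "$1" "$2")"
}

# deploy_as HOST USER DIR FILE: ssh as root (as in the thread) and pipe
# the script into sudo. No -t is requested, so stdin stays a pipe and
# nothing has to be backslash-escaped for the remote shell.
deploy_as() {
    remote_script "$3" "$4" |
        ssh -l root "$1" "sudo -u $(sq "$2") -i"
}

# Only contact a host when all four arguments are given on the command line.
if [ "$#" -eq 4 ]; then
    deploy_as "$1" "$2" "$3" "$4"
fi
```

Run it as `sh deploy.sh deploymentmachine.com builduser path/to/development file`; with no arguments it only defines the functions, so it can be sourced and checked locally.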
