[sudo-users] Same U/N - different UID's -- trying to use sudo in scripts across subnets.

Peter Farrell peter.d.farrell at gmail.com
Tue Dec 19 16:47:55 EST 2006


On 19/12/06, Galen Johnson <Galen.Johnson at sas.com> wrote:
> I wouldn't have thought so.  I'm going to assume that you are using /etc/passwd.  On the server that doesn't work (assume SERVER-B), does 'grep 731 /etc/passwd' return more than one result?
>
> What happens when you run 'sudo -u nagios amcheck' on this server?

Two servers:
A = nagios server
B = amanda server

From A to B - always fails (it prompts user nagios for a password)
On B, as user nagios - it works a treat.
I run:
# su - nagios
$nagios> sudo -u amanda amcheck daily
and it's happy days and sunshine...
When the user nagios - runs the python script from the Nagios server
on the Amanda server - it's not so happy... and don't even ask about
the sunshine... (I'm in Cardiff, Wales)

From the python: amcheck.py
...
# Run amcheck
handle, logname = tempfile.mkstemp()

result = os.system("sudo -u amanda /usr/local/amanda/sbin/amcheck %s > %s 2> %s" %
    (configuration, logname, logname))
...

This script is running as user nagios.
So - for this line to work: 'sudo -u amanda /usr/local/amanda/sbin/amcheck'
I set up sudoers for the user nagios - on the server where the script
runs (AMANDA server) thinking this is what I needed... but when I run
w/ a trace from the originating machine (NAGIOS server), the script
always prompts for a password.

I think I'm just going to blow the whole thing out and write a simpler
script in Bash that uses ssh to execute the command...

Thanks for your input.
-Peter




> =G=
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Peter Farrell
> Sent: Tuesday, December 19, 2006 2:35 PM
> To: sudo-users at sudo.ws
> Subject: Re: [sudo-users] Same U/N - different UID's -- trying to use sudo in scripts across subnets.
>
> On 19/12/06, Galen Johnson <Galen.Johnson at sas.com> wrote:
> > Does the nagios user share a numeric ID on the server that prompts you?  Unix doesn't care about the name so much as the numeric ID associated with it.
> >
>
> The nagios users on both servers have different UIDs.
> So: SERVER-A::nagios::501 >>> SERVER-B::nagios::731 sudo amcheck [FAIL]
>
> They'll have to have the same UID's for this to work right?
>
> -Peter
>
>
> > As for the NOPASSWD on a specific command, you should be able to use the full path to amcheck.  I generally prefer to use command aliases, so as an example:
> >
> > Runas_Alias     AMUSER=amanda
> > Command_Alias   AMANDA=/path/to/amcheck
> >
> > nagios ALL = (AMUSER) NOPASSWD: AMANDA
> >
> > Unless you need amcheck to run as root, substitute (root) for (AMUSER).
> >
> > =G=
> >
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com
> > [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Peter Farrell
> > Sent: Tuesday, December 19, 2006 10:53 AM
> > To: sudo-users at sudo.ws
> > Subject: [sudo-users] Same U/N - different UID's -- trying to use sudo in scripts across subnets.
> >
> > Hi.
> >
> > I'm trying to get my nagios user to run an AMANDA 'amcheck' command via a python check script.
> >
> > Works fine on the backup server.
> > Will not work across the network. (It always prompts for the password)
> >
> > The only difference is that the usernames are the same (nagios) but their UID's (calling sudo) on each server are different.
> >
> > I used this on the target server:
> > nagios ALL=NOPASSWD:ALL
> >
> > *couldn't figure out how to use 'NOPASSWD' and a specific command (in
> > this case 'amcheck' - didn't know if because it is an SUID file that
> > that would pose a problem.)
> >
> > ================
> > all FC4 / sudo-1.6.8p8-2.2
> > ================
> >
> > My question to the list is two-fold:
> >
> > 1. Am I correct in the reason that it won't work?
> > 2. Is there a work-around? (Aside from changing the UID's on both
> > servers to match?)
> >
> > -thank you.
> >
> > -Peter
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws> For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
>
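
Added example, not part of the original thread or of Peter's amcheck.py: a hardened form of the os.system() call above that passes an argument list (so no shell parses the configuration name) and uses sudo's non-interactive mode so a missing NOPASSWD rule shows up as an error instead of a password prompt. The function names, the configuration-name pattern, the Nagios status mapping and the match on sudo's "a password is required" message are assumptions, and -n requires a sudo release that supports it, which may be newer than the 1.6.8 mentioned in the thread.

```python
import re
import subprocess

AMCHECK = "/usr/local/amanda/sbin/amcheck"             # path quoted in the thread
CONFIG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")  # assumed naming rule

def build_command(configuration):
    """Build the argv for the check; no shell ever parses `configuration`."""
    if not CONFIG_RE.fullmatch(configuration):
        raise ValueError("refusing odd configuration name: %r" % configuration)
    # -n: fail with an error instead of prompting when no NOPASSWD rule matches
    return ["sudo", "-n", "-u", "amanda", AMCHECK, configuration]

def run_amcheck(configuration, runner=subprocess.run, timeout=60):
    """Return (nagios_status, message): 0 OK, 2 CRITICAL, 3 UNKNOWN."""
    argv = build_command(configuration)
    try:
        proc = runner(argv, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                      stderr=subprocess.STDOUT, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return 3, "UNKNOWN: could not run sudo: %s" % exc
    output = (proc.stdout or "").strip()
    if proc.returncode == 0:
        return 0, "OK: amcheck %s passed" % configuration
    if "a password is required" in output:
        # sudo wanted to prompt: the sudoers rule on this host did not match
        return 3, "UNKNOWN: sudo needs a password for nagios on this host"
    last = output.splitlines()[-1] if output else "no output"
    return 2, "CRITICAL: amcheck %s failed: %s" % (configuration, last)

if __name__ == "__main__":
    # Only prints the argv; nothing is executed here.
    print(build_command("daily"))
```
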


