[sudo-users] executing with different user environment

Matt Williams matt at williams-tech.net
Sat Mar 16 19:37:38 MDT 2013


ah, you're right! printenv HOME did show the correct environment (chef) and
not my own. Unfortunately, that leaves me more puzzled as to why knife is
not interpreting it correctly.

To remedy the situation, I started using -i. This worked for simple knife
commands but the ones that require quotes hit a password prompt. I've done
a bit of searching and can't find anything regarding handling quotes inside
sudoers.

The config...

Defaults:%devops env_reset

%devops ALL=(chef) NOPASSWD:/bin/bash -c knife block list
%devops ALL=(chef) NOPASSWD:/bin/bash -c knife client list
%devops ALL=(chef) NOPASSWD:/bin/bash -c knife node list
%devops ALL=(chef) NOPASSWD:/bin/bash -c knife ssh "role\:database" "sudo chef-client"

Running the commands...

$ test@bastion:~$ sudo -iu chef knife block list
The available chef servers are:
    * production
    * staging [ Currently Selected ]

$ test@bastion:~$ sudo -iu chef knife ssh "role:database" "sudo chef-client"
[sudo] password for test:

Thanks again!

On Fri, Mar 15, 2013 at 4:20 PM, Todd C. Miller
<Todd.Miller at courtesan.com> wrote:

> On Fri, 15 Mar 2013 12:42:13 -0400, Matt Williams wrote:
>
> > I would like to allow all members in the %devops group to execute certain
> > knife commands as the chef user. I've dropped a sudo file in the
> > /etc/sudoers.d/chef that contains the following:
> >
> > Defaults:%devops env_reset
> >
> > %devops ALL=(chef) NOPASSWD:/usr/bin/knife
>
> It looks like that should work.  I did a quick test with sudo 1.7.2p1
> and as long as I use the -H flag $HOME gets set appropriately.
>
> > Then, as a user that is a member of the devops group, I get this:
> >
> > $ sudo -H -u chef knife node list
> > WARNING: No knife configuration file found
> >
> > Note that knife will look in $HOME/.chef/knife.rb before looking in
> > /etc/chef so it needs to be hitting /home/chef/.chef/knife.rb. I then
> > execute this as a sanity check:
> >
> > $ sudo -H -u chef echo $HOME  #my user is also a member of %sysadmin
> > group, which has ALL=(ALL)
> > /home/mattw
>
> $HOME may be expanded by your shell before sudo is run.  A better
> test would be:
>
> $ sudo -H -u chef printenv HOME
>
>  - todd
>
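One way to sidestep the quoting problem entirely, as an added example that is not part of this thread: a fixed-purpose wrapper script (hypothetical path /usr/local/bin/knife-wrap) that knows the handful of knife invocations %devops may run, so the sudoers entry names only the wrapper and never has to match quoted arguments, and no longer grants `/bin/bash -c` at all. It assumes the wrapper is root-owned and not writable by %devops, and that callers invoke it with `sudo -H -u chef` rather than `-i`, so the target HOME is set (as Todd's reply notes) and the wrapper, not a shell, is what sudo matches.

```bash
#!/bin/sh
# Added example, not from the thread. Intended sudoers pairing (hypothetical):
#   %devops ALL=(chef) NOPASSWD: /usr/local/bin/knife-wrap
# Usage: sudo -H -u chef knife-wrap {block-list|client-list|node-list|ssh-role ROLE}

# A role name is the only caller-supplied value; restrict it to a safe charset
# so it cannot smuggle shell syntax or search-query metacharacters into knife.
valid_role() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the knife argv the wrapper would run, one element per line, or fail
# for anything outside the allow-list (mirrors the four sudoers entries).
knife_args() {
    case $1 in
        block-list)  printf '%s\n' knife block list ;;
        client-list) printf '%s\n' knife client list ;;
        node-list)   printf '%s\n' knife node list ;;
        ssh-role)    valid_role "$2" || return 1
                     printf '%s\n' knife ssh "role:$2" "sudo chef-client" ;;
        *)           return 1 ;;
    esac
}

# Only dispatch when run as the installed script, so the functions above can
# be sourced and checked without touching a chef server.
if [ "${0##*/}" = "knife-wrap" ]; then
    argv=$(knife_args "$@") || {
        echo "usage: knife-wrap {block-list|client-list|node-list|ssh-role ROLE}" >&2
        exit 2
    }
    IFS='
'
    set -f            # no globbing while re-splitting the argv list
    set -- $argv
    exec "$@"         # HOME is already chef's here (sudo -H / env_reset)
fi
```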