[sudo-users] Punching in a secure_path w/o Touching Global secure_path
Jepeway, Chris
Chris.Jepeway at JTV.com
Tue Mar 13 14:39:06 MDT 2018

I'm using a config management tool to set up sudoers. That's mostly a detail,
but it kinda explains a set of constraints I'll get to.

What I'd like to do is something like this, for various commands
that get installed outside the normal places, in /opt, say:

    Cmnd_Alias WHACK=/opt/whack/bin
    Defaults!WHACK secure_path=/bin:/usr/bin:/opt/whack/bin

This, so when I type

    $ sudo whack status

I'll run the /opt/whack/bin/whack binary with an argument of
"status," and sudo won't complain

    sudo: whack: command not found

because of a global secure_path setting that didn't know to include /opt/whack/bin.

This approach doesn't work. Am I missing how to use Defaults! or otherwise goofing up?

I can get close if the command needs to run as a user that's not root,
by using

    Runas_Alias WHACKU = whack
    Defaults>WHACKU secure_path=/bin:/usr/bin:/opt/whack/bin

but I run into trouble with that technique if the binaries for
the whack package need to run as root, since that'll override
any prior secure_path setting.

As for those constraints...I could just set the global secure_path
to include /opt/whack/bin, but that gets tricky. I'm trying
to have a general sudoers file that gets provisioned, and then
put the per-package overrides for who needs to run what into
/etc/sudoers.d. I'd like to keep the concerns of "this box
needs sudo" separate from "this box runs this package, and
admins will want to run its commands as root," while not
forcing something like

    $ sudo /opt/whack/bin/whack status

on our admins.

Thoughts? Help?

Chris.

(Howdy, Todd. Longtime...)
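
The lookup failure described in the post, modelled as an added example (not part of the original message and not sudo's own code): a PATH-style search over a secure_path value, plus a check for group- or world-writable directories on that path, which is worth running before any /opt directory goes onto a path used for root commands. The function names and the temporary directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: models PATH-style lookup over a secure_path value.
# It never invokes sudo; function names are hypothetical.

# Print the first executable file named $1 in the colon-separated
# directory list $2; return 1 when none matches ("command not found").
resolve_in_secure_path() {
    cmd=$1 rest=$2
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        if [ -n "$dir" ] && [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    return 1
}

# Print each directory in list $1 that is group- or world-writable.
# Such a directory on a path searched for root commands means a
# non-root account controls what root ends up running.
writable_path_dirs() {
    rest=$1
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        [ -d "$dir" ] || continue
        find -H "$dir" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# Constructed sample tree mirroring the post's layout (not a real system).
root=$(mktemp -d)
mkdir -p "$root/bin" "$root/usr/bin" "$root/opt/whack/bin"
printf '#!/bin/sh\necho whack "$@"\n' > "$root/opt/whack/bin/whack"
chmod 755 "$root/bin" "$root/usr/bin" "$root/opt/whack/bin" "$root/opt/whack/bin/whack"

GLOBAL_PATH="$root/bin:$root/usr/bin"
WHACK_PATH="$GLOBAL_PATH:$root/opt/whack/bin"

resolve_in_secure_path whack "$GLOBAL_PATH" || echo "whack: command not found"
resolve_in_secure_path whack "$WHACK_PATH"
writable_path_dirs "$WHACK_PATH"
```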