Hey Pavel,

Thanks for the reply! It's not exactly that I want to allow any command to
be run as app_user. The command I actually want to run is very long and
complicated and wouldn't mean much in this context, so I simplified my
example. The problem is that *any command* I run will fail, whether or not
they already have the permissions to run said command.

The exact command that I want to run *will work* if I `sudo su - app_user`
and then run the command in the new shell for `app_user`. It *won't work* if
I try to run `sudo su - app_user -c <command>`. So the user has the
permissions to run the command. It just won't work with the `-c` option.

So that's where I'm stuck. From my perspective they should have all the
permissions that they need. They have sudo privileges to `sudo su -
app_user -c` as well as the specific command that I want to be run.



On Wed, Aug 31, 2016 at 4:51 AM, Pavel Březina <pbrez...@redhat.com> wrote:

> On 08/30/2016 05:08 PM, Ryan Whalen wrote:
>> Hi All,
>> I'm having an issue getting a command to run properly, and the issue
>> seems to be with FreeIPA sudo permissions. Specifically 'sudo su -
>> app_user -c "<command>"' prompts for a password when run.
>> However if I 'sudo su - app_user' and then run the '<command>' as
>> app_user, it works fine.
>> example:
>> ```
>> $ ssh r...@production-server.pp
>> Last login: Mon Aug 29 21:36:14 2016 from
>> ryan$ sudo su - app_user -c "df"
>> [sudo] password for ryan:
>> ^C
>> ryan$ sudo su - app_user
>> app_user$ df
>> Filesystem           1K-blocks     Used Available Use% Mounted on
>> /dev/sda3             14845784  6667296   7417708  48% /
>> tmpfs                  1474228        0   1474228   0% /dev/shm
>> /dev/sda1               487652    81221    380831  18% /boot
>>                       287687168 69111040 218576128  25% /var/app
>>                        16377088  3728640  11809792  24% /home/ipa
>> ap_user$
>> ```
>> I have a sudo rule that allows `/bin/su - app_user` and `/bin/su -
>> app_user -c` but I can't get the `-c` to work in a single command. I also
>> tried giving sudo permission to `/bin/bash` in case the `-c` needed it
>> to create a new shell for some reason, but it didn't work.
>> Does anyone have any thoughts on what permissions I might be missing to
>> allow the user to run `sudo su - app_user -c <command>`?
>> Thanks,
>> Ryan
> Try to allow /bin/su - app_user -c '*'
> If I understand you correctly, you want to allow user to run any command
> as app_user. You can do it also by creating a rule that allows to run any
> command and run it as app_user.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
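
Added example (not part of the original thread, and not sudo or FreeIPA code): a simplified Python model of sudoers-style argument matching, showing why a rule that lists `/bin/su - app_user -c` does not cover `-c "df"` while a rule ending in a wildcard does. It assumes sudoers semantics, where arguments listed in a rule must match the space-joined command line exactly or through fnmatch-style wildcards; `split_cmnd`, `rule_allows`, `matrix` and the sample command lines are constructed for illustration.

```python
# Added illustration: simplified model of sudoers command/argument matching.
# Not sudo's or FreeIPA's code; helper names and sample commands are constructed.
from fnmatch import fnmatchcase
import shlex


def split_cmnd(spec):
    """Split a rule like '/bin/su - app_user -c *' into (path, args or None)."""
    path, _, args = spec.strip().partition(" ")
    args = args.strip()
    return path, (args if args else None)


def rule_allows(spec, command_line):
    """True if the rule `spec` matches the command sudo was asked to run."""
    argv = shlex.split(command_line)
    path, rule_args = split_cmnd(spec)
    if argv[0] != path:
        return False
    if rule_args is None:
        return True  # rule lists no arguments: any arguments are accepted
    # Arguments are compared as ONE space-joined string, so '*' also
    # matches spaces and slashes, i.e. whole multi-word commands.
    return fnmatchcase(" ".join(argv[1:]), rule_args)


RULES = ["/bin/su - app_user", "/bin/su - app_user -c", "/bin/su - app_user -c *"]
INVOCATIONS = [  # constructed sample command lines
    '/bin/su - app_user',
    '/bin/su - app_user -c "df"',
    '/bin/su - app_user -c "tar czf /tmp/app.tgz /var/app"',
]


def matrix():
    """Map each invocation to the list of rules that would permit it."""
    return {inv: [r for r in RULES if rule_allows(r, inv)] for inv in INVOCATIONS}


if __name__ == "__main__":
    for inv, rules in matrix().items():
        print(f"{inv!r:55} -> {rules or 'no rule matches'}")
```

The last sample is the caveat to keep in mind: the wildcard rule accepts any command string after `-c`, so it is equivalent to letting the user run anything as app_user.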