Re: [Freeipa-users] Help with sudo permission for a command

2016-08-31 Thread Ryan Whalen
Hey Pavel,

Thanks for the reply! It's not exactly that I want to allow any command to
be run as app_user. The command I actually want to run is very long, and
complicated and wouldn't mean much in this context, so I simplified my
example. The problem is that *any command* I run will fail, whether or not
they already have the permissions to run said command.

The exact command that I want to run *will work* if I `sudo su - app_user`
and then run the command in the new shell for `app_user`.  It *won't work* if
I try to run `sudo su - app_user -c `. So the user has the
permissions to run the command. It just won't work with the `-c` option.

So that's where I'm stuck. From my perspective they should have all the
permissions that they need. They have sudo privileges to `sudo su -
app_user -c` as well as the specific command that I want to be run.

Thanks

Ryan

On Wed, Aug 31, 2016 at 4:51 AM, Pavel Březina wrote:

> On 08/30/2016 05:08 PM, Ryan Whalen wrote:
>
>> Hi All,
>>
>> I'm having an issue getting a command to run properly, and the issue
>> seems to be with Freeipa sudo permissions. Specifically 'sudo su -
>> app_user -c ""' prompts for a password when run.
>>
>> However if I 'sudo su - app_user' and then run the '' as
>> app_user, it works fine.
>>
>> example:
>> ```
>> $ ssh r...@production-server.pp
>> Last login: Mon Aug 29 21:36:14 2016 from 10.20.3.15
>> ryan$ sudo su - app_user -c "df"
>> [sudo] password for ryan:
>> ^C
>> ryan$ sudo su - app_user
>> app_user$ df
>> Filesystem   1K-blocks Used Available Use% Mounted on
>> /dev/sda3 14845784  6667296   7417708  48% /
>> tmpfs  14742280   1474228   0% /dev/shm
>> /dev/sda1   48765281221380831  18% /boot
>> 10.51.0.34:/srv/nfs/app
>>   287687168 69111040 218576128  25% /var/app
>> 10.51.0.54:/srv/nfs/ipa
>>16377088  3728640  11809792  24% /home/ipa
>> ap_user$
>> ```
>>
>> I have a sudo rule that allows `/bin/su - app_user` and `/bin/su -
>> app_user -c` but I can't get the `-c` to work in a single command. I also
>> tried giving sudo permission to `/bin/bash` in case the `-c` needed it
>> to create a new shell for some reason, but it didn't work.
>>
>> Does anyone have any thoughts on what permissions I might be missing to
>> allow the user to run `sudo su - app_user -c `?
>>
>> Thanks,
>> Ryan
>>
>>
>>
> Try to allow /bin/su - app_user -c '*'
>
> If I understand you correctly, you want to allow user to run any command
> as app_user. You can do it also by creating a rule that allows to run any
> command and run it as app_user.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Re: [Freeipa-users] Help with sudo permission for a command

2016-08-31 Thread Pavel Březina

On 08/30/2016 05:08 PM, Ryan Whalen wrote:

> Hi All,
>
> I'm having an issue getting a command to run properly, and the issue
> seems to be with Freeipa sudo permissions. Specifically 'sudo su -
> app_user -c ""' prompts for a password when run.
>
> However if I 'sudo su - app_user' and then run the '' as
> app_user, it works fine.
>
> example:
> ```
> $ ssh r...@production-server.pp
> Last login: Mon Aug 29 21:36:14 2016 from 10.20.3.15
> ryan$ sudo su - app_user -c "df"
> [sudo] password for ryan:
> ^C
> ryan$ sudo su - app_user
> app_user$ df
> Filesystem   1K-blocks Used Available Use% Mounted on
> /dev/sda3 14845784  6667296   7417708  48% /
> tmpfs  14742280   1474228   0% /dev/shm
> /dev/sda1   48765281221380831  18% /boot
> 10.51.0.34:/srv/nfs/app
>   287687168 69111040 218576128  25% /var/app
> 10.51.0.54:/srv/nfs/ipa
>    16377088  3728640  11809792  24% /home/ipa
> ap_user$
> ```
>
> I have a sudo rule that allows `/bin/su - app_user` and `/bin/su -
> app_user -c` but I can't get the `-c` to work in a single command. I also
> tried giving sudo permission to `/bin/bash` in case the `-c` needed it
> to create a new shell for some reason, but it didn't work.
>
> Does anyone have any thoughts on what permissions I might be missing to
> allow the user to run `sudo su - app_user -c `?
>
> Thanks,
> Ryan




Try to allow /bin/su - app_user -c '*'

If I understand you correctly, you want to allow user to run any command 
as app_user. You can do it also by creating a rule that allows to run 
any command and run it as app_user.


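The rule mismatch discussed in this thread, as an added example that is not part of either poster's message: sudoers documents that when a rule's command carries arguments, the arguments the user types must match them exactly or through wildcards. The function names and the simplified matching model are assumptions made for illustration, and the `'*'` in the suggested rule is read here as a bare `*` wildcard.

```shell
#!/bin/sh
# Added example: simplified model of sudoers command matching (not sudo's code).
# Assumptions: the command path is compared literally, and the user's arguments,
# joined by single spaces, are glob-matched against the rule's argument string.

# sudo_rule_matches RULE INVOKED -> exit status 0 if the rule covers the command
sudo_rule_matches() {
    rule=$1
    invoked=$2
    rule_path=${rule%% *}
    invoked_path=${invoked%% *}

    # The fully qualified command itself has to be the same.
    [ "$rule_path" = "$invoked_path" ] || return 1

    # A rule with no arguments allows the command with any arguments.
    [ "$rule" = "$rule_path" ] && return 0

    rule_args=${rule#* }
    invoked_args=
    [ "$invoked" = "$invoked_path" ] || invoked_args=${invoked#* }

    # Unquoted $rule_args is a glob pattern here; without wildcards it only
    # matches an identical argument string.
    case $invoked_args in
        $rule_args) return 0 ;;
    esac
    return 1
}

# report RULE INVOKED -> prints "allowed" or "denied" for one pair
report() {
    if sudo_rule_matches "$1" "$2"; then verdict=allowed; else verdict=denied; fi
    printf '%-26s vs %-38s %s\n' "$1" "$2" "$verdict"
}

# Constructed cases based on the rules and commands quoted in the thread.
report '/bin/su - app_user'      '/bin/su - app_user'
report '/bin/su - app_user'      '/bin/su - app_user -c df'
report '/bin/su - app_user -c'   '/bin/su - app_user -c df'
report '/bin/su - app_user -c *' '/bin/su - app_user -c df'
report '/bin/su - app_user -c *' '/bin/su - app_user -c df -h /var/app'
```

A trailing `*` accepts any argument string after `-c`, so a rule written that way permits every command as `app_user`, not only the one intended.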


[Freeipa-users] Help with sudo permission for a command

2016-08-30 Thread Ryan Whalen
Hi All,

I'm having an issue getting a command to run properly, and the issue seems
to be with Freeipa sudo permissions. Specifically 'sudo su - app_user -c
""' prompts for a password when run.

However if I 'sudo su - app_user' and then run the '' as app_user,
it works fine.

example:
```
$ ssh r...@production-server.pp
Last login: Mon Aug 29 21:36:14 2016 from 10.20.3.15
ryan$ sudo su - app_user -c "df"
[sudo] password for ryan:
^C
ryan$ sudo su - app_user
app_user$ df
Filesystem   1K-blocks Used Available Use% Mounted on
/dev/sda3 14845784  6667296   7417708  48% /
tmpfs  14742280   1474228   0% /dev/shm
/dev/sda1   48765281221380831  18% /boot
10.51.0.34:/srv/nfs/app
 287687168 69111040 218576128  25% /var/app
10.51.0.54:/srv/nfs/ipa
  16377088  3728640  11809792  24% /home/ipa
ap_user$
```

I have a sudo rule that allows `/bin/su - app_user` and `/bin/su - app_user
-c` but I can't get the `-c` to work in a single command. I also tried
giving sudo permission to `/bin/bash` in case the `-c` needed it to create
a new shell for some reason, but it didn't work.

Does anyone have any thoughts on what permissions I might be missing to
allow the user to run `sudo su - app_user -c `?

Thanks,
Ryan