How to run the bash command as a system user without giving that user the right to run commands as any user

故事扮演 提交于 2019-12-12 04:36:29

问题


I have written a python script which includes this line:

response = subprocess.check_output(['/usr/bin/sudo /bin/su - backup -c "/usr/bin/ssh -q -o StrictHostKeyChecking=no %s bash -s" <<\'EOF\'\nPATH=/usr/local/bin:$PATH\nmvn --version|grep -i Apache|awk \'{print $3}\'|tr -d \'\n\'\nEOF' % i], shell=True)

This is in a for loop that goes through a list of hostnames and each one I want to check the result of the command on it. This works fine when I run it myself, however, this script is to be run by a system user (shinken - a nagios fork) and at that point I hit an issue.

shinken ALL=(ALL) NOPASSWD: ALL

However, I wanted to restrict the user to only allow it to run as the backup user:

shinken ALL=(backup) NOPASSWD: ALL

But when I run the script I get:

sudo: no tty present and no askpass program specified

I have read around this and tried a few things to fix it. I tried adding -t to my ssh command, but that didn't help. I believe I should be able to run the command with something similar to:

response = subprocess.check_output(['/usr/bin/sudo -u backup """ "/usr/bin/ssh -q -o StrictHostKeyChecking=no %s bash -s" <<\'EOF\'\nPATH=/usr/local/bin:$PATH\njava -version|grep -i version|awk \'{print $3}\'|tr -d \'\n\'\nEOF""" ' % i], shell=True)

But then I get this response:

subprocess.CalledProcessError: Command '['/usr/bin/sudo -u backup """ "/usr/bin/ssh -q -o StrictHostKeyChecking=no bamboo-agent-01 bash -s" <<\'EOF\'\nPATH=/usr/local/bin:$PATH\njava -version|grep -i version|awk \'{print $3}\'|tr -d \'\n\'\nEOF""" ']' returned non-zero exit status 1

If I run the command manually I get:

sudo:  /usr/bin/ssh: command not found

Which is strange because that's where it lives.... I've no idea if what I'm trying is even possible. Thanks for any suggestions!


回答1:


As for sudo:

shinken ALL=(backup) NOPASSWD: ALL

...only works when you switch directly from shinken to backup. You aren't doing that here. sudo su - backup is telling sudo to switch to root, and to run the command su - backup as root. Obviously, then, if you're going to use sudo su (which I've advised against elsewhere), you need your /etc/sudoers configuration to support that.

Because your /etc/sudoers isn't allowing direct the switch to root you're requesting, it's trying to prompt for a password, which requires a TTY, which is thus causing a failure.

Below, I'm rewriting the script to switch directly from shinken to backup, without going through root and running su:


As for the script:

import subprocess

remote_script='''
PATH=/usr/local/bin:$PATH
mvn --version 2>&1 | awk '/Apache/ { print $3 }' 
'''

def maven_version_for_host(hostname):

    # storing the command lets us pass it when constructing a CalledProcessError later
    # could move it directly into the Popen creation if you don't need that.
    cmd = [
        'sudo', '-u', 'backup', '-i', '--',
        'ssh', '-q', '-o', 'StrictHostKeyChecking=no', str(hostname),
        'bash -s' # arguments in remote-command position to ssh all get concatenated
                  # together, so passing them as one command aids clarity.
    ]
    proc = subprocess.Popen(cmd,
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    response, error_string = proc.communicate(remote_script)
    if proc.returncode != 0:
        raise subprocess.CalledProcessError(proc.returncode, cmd, error_string)
    return response.split('\n', 1)[0]


来源:https://stackoverflow.com/questions/41870682/how-to-run-the-bash-command-as-a-system-user-without-giving-that-user-the-right

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!