1

Summary

Is there a non-interactive (unattended, not requiring a ncurses-based control terminal) method to verify that sudo is configured properly to allow passwordless sudo'ing from one non-root user account to another?

Why

I have a scenario where some processing needs to execute on a different user account, but the execution needs to occur without any user intervention since there will not be a control terminal available (e.g., from a background process).

Details

This is running under Linux (specifically RHEL 5 or RHEL 6, or the rough equivalent CentOS machines). No other operating systems, or Linux variants, are relevant for this question.

For sake of discussion, assume there are two user accounts involved: userA and userB.

I need a method to verify that it is possible to do a passwordless sudo from userA to userB, all from the userB account.

The commands being executed in the userB account inside that sudo call will be for things such as running user-space programs (e.g., not running system administration commands such as fdisk).

The key constraint here is that the method should be able to be done from the userB account, not the userA account, in a background process without a control terminal.

That method should be possible to implement in a Bash script by using sed/awk/etc. commands to inspect files.

The system administrator should not have to be involved for this method (e.g., no setuid scripts required).

Is that possible? If so, how?

Research

Consider that the sudoers file may be difficult to parse. Looking at a similar question in How to run a specific program as root without a password prompt? it is not clear how a non-root script can inspect the contents of the sudoers file without using some interactive mechanism such as visudo which will require a ncurses enabled terminal which is not an option.

Also https://unix.stackexchange.com/a/260739/21372 indicates the proper syntax for passwordless sudo from userA to userB, but my question here probably just boils down to how to see that configuration without running a ncurses-constrained application such as visudo, but I'm not sure it is that simple.

bgoodr
  • 197

2 Answers2

2

You cannot do this by parsing sudo configuration files because the sudo configuration is only readable by root. Even if you could read the sudo configuration, it's difficult to parse it reliably (especially to handle non-local information such as LDAP databases), and it doesn't tell the whole story (e.g. permission could be conferred via a group).

The only realistic check is to run sudo as user A. Since you need to do this check from a script running as user B, you'll need a way for user B to run the check as user A. Either write a small program (not a script that is setuid A, or give user B the permission to run the check as user A via sudo.

If you can't get the administrator involved to set up a sudo rule allowing user B to run the check as A, then a setuid program is the only solution. This program would invoke sudo -u userB -b true to check that A is allowed to run true as user B. Here's a C source code for this program (warning: untested!):

#include <unistd.h>
int main(void) {
    execl("/usr/bin/sudo", "sudo", "-u", "userB", "-b", "/bin/true", (char*)NULL);
    return 126;
}

Compile it and make the resulting executable setuid A (it must be owned by A, then run chmod 4755 /path/to/executable).

Note that this solution is not complete: it will only work if A is allowed to run commands as B by virtue of being user A, not if it gets this privilege by virtue of belonging to a group. If you need to verify group membership, you'll have to run sg as user A to gain this group membership, then make it run sudo.

Gilles 'SO- stop being evil'
  • 829,060
  • Thanks for the detail and the small example C program that should set to setuid. Using setuid binary programs is not an option in my scenario since I just want a user-space way to check that it is possible. But the fact that this cannot be done IS a suitable answer, and will save me lots of time beating my head against the wall in failed attempts. – bgoodr Jul 01 '17 at 19:16
1

You have two distinct issues you bring up in this question.

  1. How to allow/verify sudo privileges for userA
    Link to Sudo project homepage

  2. How to review the sudo settings as userB (not root)

#1 is doable by diving into documentation for /etc/sudoers and related sudo files and command . I have no experience limiting commands by one user as another non-root user so I can't really say, except I know anecdotally that it can be done.

#2 is entirely an issue with permissions of the configurations for sudo, such as /etc/sudoers /etc/sudo.conf /etc/sudoers.d/* etc. On my systems those files are mode -r--r-----. root root Your userB would not be able to read them without:

  1. being a member of the root group
  2. petitioning your system administrator to change those permissions.

It is as simple as that; without one of these two things happening, userB will not be able to read or parse the file.

0xSheepdog
  • 2,750