
Background: My developers are installing an Informatica product on a RHEL 8.3 server. The services are running using a user called infa_admin, and this user is already in the wheel group. This user is able to run all administrative commands using sudo without being prompted for a password.

They have a requirement to disable SELinux, which is not allowed based on our org policies.

The workaround they are suggesting is to have the user infa_admin be able to stop/start/restart certain services without using sudo.

Assuming the service is called nginx, currently they can do the following:

sudo systemctl restart nginx

They need to do the following:

systemctl restart nginx --> currently this will prompt for a password, which is not what they want.

The actual services they need to be able to manage are: discoverypostgres, zk and solr.

Based on my understanding, this is not possible. Is there any way to do this?

  • Are you afraid you are giving them too many privileges by allowing them to use sudo? You can set it up such that only specific commands are allowed to be run with sudo for some users, not just any command. – Nikita Kipriyanov Oct 07 '21 at 05:59
  • No. They already have full access with sudo. This requirement came from the product support team, to be able to run without sudo. – screenslaver Oct 07 '21 at 06:04
  • That's a very strange requirement. Really. Is there any adequate reasoning behind it? Is setting up shell aliases an option? – Nikita Kipriyanov Oct 07 '21 at 06:06
  • I am going to talk to them soon to see if they have any reason behind that. For now I set up an alias for systemctl to sudo systemctl. – screenslaver Oct 07 '21 at 06:16
  • @NikitaKipriyanov: purely conjectural, it could be a "we are unwilling to touch tooling scripts provided by the vendor" (because they update/we want to point the finger of blame at the vendor when something goes wrong/…) Probably, a "proper" solution would involve the vendor writing and shipping a SELinux policy for the software in question, but good luck with that. – Ulrich Schwarz Oct 07 '21 at 06:59
  • If you don't want to use sudo you can try relying on polkit: Here's an answer that creates a polkit rule to perform this: https://unix.stackexchange.com/questions/504806/systemd-start-as-unprivileged-user-in-a-group/557634#557634 – Stewart Nov 26 '21 at 14:42
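The polkit route mentioned in the last comment, written out for the three units in the question as an added example (it is not part of the question, the answer or the linked post). The group name infa_admin, the rule-file path and the .service suffixes are assumptions; polkit on RHEL 8 evaluates JavaScript rules like this one, and systemd passes the unit name and verb as details of the org.freedesktop.systemd1.manage-units action, so the rule can say "yes" for exactly the allowlisted unit/verb pairs and leave everything else to the default admin-password prompt.

```javascript
// Added example, not the poster's or the vendor's configuration.
// Install as /etc/polkit-1/rules.d/50-infa-units.rules (path assumed).
// ALLOWED_GROUP is assumed to be a dedicated group, not wheel, so that the
// rule grants nothing beyond these three units to anyone else.
var ALLOWED_GROUP = "infa_admin";
// Assumes the three services are plain .service units; adjust to the real
// unit names shown by `systemctl list-units` on the host.
var ALLOWED_UNITS = {
    "discoverypostgres.service": true,
    "zk.service": true,
    "solr.service": true
};
var ALLOWED_VERBS = { start: true, stop: true, restart: true };

// Decide one manage-units request. Returns "yes" (the value of
// polkit.Result.YES) for an allowlisted unit/verb from a group member and
// null (polkit.Result.NOT_HANDLED) otherwise, so e.g. "systemctl restart sshd"
// or "systemctl disable zk" still falls through to the default auth_admin
// prompt instead of being silently granted.
function decideManageUnits(actionId, unit, verb, userInGroup) {
    if (actionId !== "org.freedesktop.systemd1.manage-units") return null;
    if (!userInGroup) return null;
    if (!ALLOWED_UNITS.hasOwnProperty(unit)) return null;
    if (!ALLOWED_VERBS.hasOwnProperty(verb)) return null;
    return "yes";
}

// Register the rule when loaded by polkitd. The guard only exists so the
// decision logic above can also be loaded outside polkitd for a unit test.
if (typeof polkit !== "undefined") {
    polkit.addRule(function (action, subject) {
        return decideManageUnits(action.id,
                                 action.lookup("unit"),
                                 action.lookup("verb"),
                                 subject.isInGroup(ALLOWED_GROUP));
    });
}
```

After installing the file, a member of the group can run `systemctl restart zk` with no sudo and no prompt, while `pkcheck --action-id org.freedesktop.systemd1.manage-units --process $$ --detail unit sshd.service --detail verb restart` from that same shell should still report that authorization is required.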

1 Answer


They need to do the following: systemctl restart nginx --> currently this will prompt for password, which is not what they want.

Is it a solution just to allow certain commands to be run with sudo without prompting for a password?

sudo visudo

This will open an editor for the sudoers file. Add the following line:

%wheel ALL=NOPASSWD: /usr/bin/systemctl restart nginx

This will allow users of the group wheel to run systemctl restart nginx without being prompted for a password. You can create a separate group if you need more granularity of rights.

yaromir