Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Editing sudoers with a script

Posted on 2011-03-13
4
Medium Priority
?
975 Views
1 Endorsement
Last Modified: 2013-12-04
Hi folks,

I'm creating a bash script that will prepare a vanilla ubuntu server for a custom web app. I need to add www-data to the sudoers file for later automation purposes.

I had hoped that the following would work but with hindsight, it's clear that doing it via sudo isn't going to work!

sudo chmod 640 /etc/sudoers
sudo echo "www-data ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
sudo chmod 440 /etc/sudoers

Can anyone suggest a way for me to automate the editing of sudoers? The less I need the user to perform manually, the better.

As a second request, can anyone suggest how to tighten the sudo entry for my needs? I have a perl script that is doing "sudo service myapp stop" so all www-data really needs is the ability to start and stop a single service.

Thanks,
Sean
1
Comment
Question by:srodden
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
Pieter Jordaan earned 750 total points
ID: 35126642
Hi

The correct way to do sudoers, is to give permissions to a group, and then add users to the permission group.
Or add multiple permissions to the same user.

Look at the example section here: http://linux.die.net/man/5/sudoers

I also wouldn't use the apache user for that.
Rather create another user called wwwadmin, and add it to the www-data group.
Use that user to stop and start apache.

Keep in mind that all permissions you give the apache user, can be exploited using the website.

Use visudo to open the sudoers editor.

Uncomment the "ALL=(ALL) ALL" line, and add the following to the end of the file.
Also change "servername" to your server hostname, and make sure the paths are correct for your OS.

wwwadmin servername=/etc/init.d/apache stop, /etc/init.d/apache start, /etc/init.d/apache restart
# this will give the wwwadmin user stop, start and restart access to the /etc/init.d/apache binary.

Your automation question:
If you are skilled in scripting, you can use sed to automate the sudo file editing.
Just remember to reload the file when you are done, or it will not see the changes.

There are some advice here: http://www.linuxquestions.org/questions/programming-9/edit-sudoers-by-script-645094/
sed manual: http://examplenow.com/sed/info

I would rather do it manually.

I hope that helps.
0
 
LVL 10

Assisted Solution

by:pfrancois
pfrancois earned 750 total points
ID: 35126889
I shouldn't add www-data to the sudoers file, but add the user www-data to the admin (or adm?) group, in your /etc/sudoers file.

It is not necessary to chmod /etc/sudoers in your script. Consider adding quotes like:
sudo 'echo "www-data ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers'

Open in new window


It is not clear to me who is about to execute the script you wrote: the main user of the ubuntu server you are preparing? Why don't you create a ubuntu server with www-data as member of the admin/adm group? Under which form are you going to release your server: as an iso file, an Ubuntu package, an appliance running into a virtual machine, etc... ?
0
 
LVL 10

Expert Comment

by:pfrancois
ID: 35126905
Oops, BitFreeze told more or less the same as I did while I was typing my answer.
0
 

Author Closing Comment

by:srodden
ID: 35162394
Thanks guys. I have restricted sudo rights for www-admin to the scripts in question but I couldn't easily find an elegant way to automate it when logged in as a non-root user. They'll just have to do it manually and use the script for the rest. Thanks for your feedback.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
OfficeMate Freezes on login or does not load after login credentials are input.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question