Hi,
I'm trying to automate an update with a bash script. Is there a way to allow certain commands to be run without the need of using sudo? I know there's the sloppy way of doing it by running:
#echo password | sudo poweroff
Something along those lines.
I'd hate to put my password in cleartext...
I run CFEngine and the #cf-agent needs to be run as sudo to update my packages.
I have a couple of thoughts going into my mind but wanted to see some secure opinions.
Thanks,
BBH
Last edited by BigBrownHawk (2016-02-15 22:26:01)
Offline
You can try using the 'expect' command syntax. It's a part of the Tcl suite of commands.
Also... I could be wrong, but I know if you provide a root password during install, you don't have sudo installed by default.
"I have not failed, I have found 10,000 ways that will not work" -Edison
Offline
Actually 'expect' will leave you with a clear text of your password in the file as well... In this case you need to edit your /etc/sudoers file.
Type sudo visudo at the terminal to open the sudoers file
You should see something like... %sudo ALL=(ALL:ALL) ALL
You'll have to add in a line that looks something like this:
<your-username> ALL=(ALL) NOPASSWD: /home/<your-username>/<yourscriptname>
The script path is the path to your script obviously... This *should* work... but please anyone else chime in if I'm wrong.
Offline
You can add users + allowed commands to your `/etc/sudoers` file - NB this should be edited with `visudo`
sudo visudo
For example, I have this at the end of my file, to allow me to use apt-get without entering my password:
# Run apt-get with sudo, without a password prompt
damo ALL=(ALL) NOPASSWD: /usr/bin/apt-get
You could also write a policykit localauthority file (.pkla), with a `pkexec` line in it for the commands you want to allow with root privileges.
EDIT ninja'd by H_B. The guy is getting too good
Last edited by damo (2016-02-15 19:53:27)
Be Excellent to Each Other...
The Bunsenlabs Lithium Desktop » Here
FORUM RULES and posting guidelines «» Help page for forum post formatting
Artwork on DeviantArt «» BunsenLabs on DeviantArt
Offline
That seems like a good way to go, editing the sudoers file. Is there a file that I need to add the path of command to?
When I run:
#cf-agent --bootstrap my.domain.name
bash: cf-agent: command not found
However when I run with a sudo in front of it, the command gets found properly.
Thanks for the help so far Horizon_Brave and damo!
Offline
Try the full path for the command - for example:
/usr/bin/cf-agent [ or wherever it actually is ]
AFAIK you don't need any command arguments, just the command name
Offline
Hey damo,
Here's what my code looks like:
warhammer ALL=(ALL) NOPASSWD: /var/cfengine/bin/cf-agent
I placed the warhammer user line right under:
%sudo ALL=(ALL:ALL) ALL
IDK if that makes a difference.
Quite mysterious why #cf-agent isn't being found under a normal user terminal session.
Offline
BigBrownHawk wrote:
Hey damo,
Here's what my code looks like:
warhammer ALL=(ALL) NOPASSWD: /var/cfengine/bin/cf-agent
I placed the warhammer user line right under:
%sudo ALL=(ALL:ALL) ALL
IDK if that makes a difference.
Quite mysterious why #cf-agent isn't being found under a normal user terminal session.
Order does make a difference in the sudoers file - later matches override previous ones (see `man sudoers`)
And it isn't at all mysterious why a non-$USER command isn't found when run by $USER. The file is present (which, find, locate, apropos, dmenu etc should all find it), but the command isn't, because it can only be run by root or with sudo.
Offline
damo wrote:
EDIT ninja'd by H_B. The guy is getting too good
I know you're joking, but that seriously means a lot to me.
Offline
damo wrote: EDIT ninja'd by H_B. The guy is getting too good
I know you're joking, but that seriously means a lot to me.
Not joking at all. You have been asking clever questions which have challenged my own understanding - I have to double-check what I thought I knew. And now you are giving back to the community with helpful answers. Win-win for everyone in my book!
Offline
Very nice, I ran it with sudo and it didn't ask for the password! Thanks for the help damo and Horizon_Brave
[SOLVED]
Things to remember
1) Edit sudoers and add this line
warhammer ALL=(ALL) NOPASSWD: /var/cfengine/bin/cf-agent
2) Run the command but still include sudo!
sudo cf-agent --bootstrap my.domain.name
3) Go buy some Coors Light.
Offline
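A NOPASSWD rule like the ones posted in this thread gives root to whoever can change the file it names, and a rule that lists no arguments accepts any arguments. The shell function below audits such rules; it is an added example, not code from any poster, and `audit_nopasswd` and `replaceable` are hypothetical helper names. It assumes one rule per line with no aliases or line continuations, and it checks only the named file and its immediate directory.

```shell
#!/bin/sh
# Added example: audit the NOPASSWD rules of a sudoers-format file.
# Usage: audit_nopasswd FILE [TRUSTED_UID]   (TRUSTED_UID defaults to 0)
# Assumes one rule per line; aliases and line continuations are not parsed.

# True if $1 is owned by a uid other than $2, or is group/world-writable,
# i.e. someone other than the trusted owner could change what gets run.
replaceable() {
    [ -n "$(find -L "$1" -prune \( ! -user "$2" -o -perm -020 \
        -o -perm -002 \) -print 2>/dev/null)" ]
}

# Prints "<verdict> <user> <command> [reason]" for every NOPASSWD command.
audit_nopasswd() {
    trusted=${2:-0}
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' |
    while read -r user rest; do
        # Commands follow the tag, separated by commas.
        printf '%s\n' "${rest#*NOPASSWD:}" | tr ',' '\n' |
        while read -r path args; do
            dir=${path%/*}
            case $path in
                '') continue ;;
                ALL) echo "RISKY $user ALL any-command"; continue ;;
                /*) ;;
                *) echo "RISKY $user $path not-absolute"; continue ;;
            esac
            if [ -e "$path" ] && replaceable "$path" "$trusted"; then
                echo "RISKY $user $path file-replaceable"
            elif replaceable "${dir:-/}" "$trusted"; then
                echo "RISKY $user $path dir-replaceable"
            elif [ -z "$args" ]; then
                # No arguments in the rule: sudo accepts any arguments.
                echo "NOTE $user $path any-arguments"
            else
                echo "OK $user $path"
            fi
        done
    done
}

# With no FILE, audit the rules quoted in this thread (constructed input).
if [ $# -gt 0 ]; then audit_nopasswd "$@"; else audit_nopasswd - <<'EOF'
damo ALL=(ALL) NOPASSWD: /usr/bin/apt-get
warhammer ALL=(ALL) NOPASSWD: /var/cfengine/bin/cf-agent
EOF
fi
```

Run it as root against `/etc/sudoers` and each file under `/etc/sudoers.d`; `visudo -c` remains the syntax check.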