How do I run a cat command under sudo in a Linux SSH probe?

HugoFirst
Kilo Sage

I have a need to capture the contents of some files on Linux systems using Discovery probes.

I succeeded in using "cat filename" for files which are openly accessible.

I now need to capture some files which are secured for root access.

I'm trying to use SUDO with the command, but it's not working.

The most common error I get back is "User has no right to use this command with sudo: sudo /bin/cat /etc/grub.conf".

Note that I have logged on as the discovery user and manually run just that command with no problem.

I added probe parameters for debug and debug_ssh, but so far, I'm finding nothing in the log file and there is no ssh.log file under .../agent/logs/

I've tried combinations of values in the ECC Queue Name of "/bin/cat /etc/grub.conf" and "sudo   /bin/cat /etc/grub.conf" and I've varied the use of the probe parameter "must_sudo".

All to no avail.

So I'm open to whatever advice you are willing to lend. Whether to fix or to help debug.

Thanks in advance for your help.

1 ACCEPTED SOLUTION

tony_barratt
ServiceNow Employee

Hi Steve,

There is a wiki article here:

Credentials - ServiceNow Wiki

which explains what entries are required in /etc/sudoers to facilitate running commands with rootly powers, such as

Disco ALL=(root) /sbin/dmidecode

So I reckon if

Disco ALL=(root) /bin/cat

was added to the /etc/sudoers, then

sudo /bin/cat /etc/grub.conf

would succeed.

Not sure if a request to facilitate reading all files on a server would be successful. If you had some specific files you wanted to cat, you could request that a line be added for each file you wanted cat-ed, like so:

Disco ALL=(root) /bin/cat /etc/grub.conf

Just so you know, the above suggestions are based on my Linux/Unix knowledge, not an in-depth knowledge of ServiceNow Discovery.

Best Regards

Tony


12 REPLIES


It is hard to pick one answer as the correct one. Elements from several answers came into play and I wouldn't have got it working without all of your help.

Thanks to Tony, Tim and Ankush!

We have it working now, but I'm still concerned about the ability to cat shadow. So I'll work with our Unix admins to close that issue out.

I'll then summarize my final solution here.


tim_broberg
ServiceNow Employee

What Tony said.



The ssh client logs in as your discovery user and runs "sudo -l" to discover what permissions he has under sudo. If it thinks it doesn't have permission for your command, it gives the error message you're seeing.



You might want to log in manually and use visudo to adjust your sudoers config until sudo -l reports that you may cat this file.



Be *super* careful about cat permissions and wildcards. This is a very touchy area, and you don't want to inadvertently allow cat'ting files like /etc/shadow.


    - Tim.
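
An added example, not part of the original thread or of ServiceNow's code: because the probe decides from the `sudo -l` listing, the same listing can be audited for cat rules that reach further than one file. The `disco` account, `host1`, the sample listing and both function names are constructed for illustration, and the listing layout is assumed to follow the usual `(runas) [TAG:] command` form.

```shell
#!/bin/sh
# Constructed sample of `sudo -l` output for a discovery account (not from a real host).
SAMPLE='User disco may run the following commands on host1:
    (root) /sbin/dmidecode
    (root) /bin/cat /etc/grub.conf
    (root) NOPASSWD: /bin/cat /var/log/*
    (root) /bin/cat'

# Read `sudo -l` output on stdin and print one verdict per rule that runs cat:
#   SCOPED   - arguments are one literal path, only that invocation is allowed
#   WILDCARD - arguments contain a glob, which can match more than intended
#   ANY      - no argument list, so any file (including /etc/shadow) is readable
classify_cat_rules() {
    sed -n 's/^ *([^)]*) *//p' |       # keep rule lines, drop the "(root) " prefix
    sed 's/^\([A-Z_]*: *\)*//' |       # drop tags such as NOPASSWD:
    while IFS= read -r rule; do
        cmd=${rule%% *}
        case $cmd in */cat) ;; *) continue ;; esac
        if [ "$rule" = "$cmd" ]; then args=; else args=${rule#* }; fi
        case $args in
            '')                 echo "ANY $cmd" ;;
            *\** | *\?* | *\[*) echo "WILDCARD $rule" ;;
            *)                  echo "SCOPED $rule" ;;
        esac
    done
}

# Succeed (exit 0) only when every cat rule is pinned to a literal file.
cat_rules_are_scoped() {
    ! classify_cat_rules | grep -Eq '^(ANY|WILDCARD) '
}

printf '%s\n' "$SAMPLE" | classify_cat_rules
```

On a real host, pipe `sudo -l` (run as the discovery user) into `cat_rules_are_scoped` after each visudo change.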


Ankush13
Kilo Guru

Put NOPASSWD in the sudoers file for your discovery user to run 'cat' without the need for a password. Something like "discusr ALL=(ALL) NOPASSWD: /usr/bin|sbin/cat"