How to set the path of the sudo command?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-27-2015 08:40 AM
How do you set the path to the sudo command?
I am trying to run discovery on Solaris 10 targets and the sudo command is not in the ServiceNow paths. As far as i could see adding the path_override variable or setting PATH in .profile doesn't work. The command i am trying to run is an ECC one liner.
- Labels:
-
Service Mapping
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-27-2015 09:03 AM
Claudiu,
The path is set at logon and there is no way to set a specific value for just for sudo. So if you are using the path_override parameter.. be sure to include the default paths and the one where sudo is located.
Then be sure in your probe you have added the must_sudo = true probe parameter
That should work.. let us know if you are seeing anything different..
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-27-2015 09:29 AM
Hi Doug,
Yes, I am seeing a different behavior. If i have the probe parameters must_sudo = true and path_override set to default ServiceNow path plus my extra path sudo command is still not found.
An example would be the default Fuji probe "Unix - Active Connections" ran against solaris target. It uses must_sudo and the lsof command. On my systems both are in /usr/local/bin. If i don't use path_override sudo and lsof are not found. If i set path_override then lsof runs , but the sudo command complains that is not found.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-31-2015 04:04 AM
Do you have sudo installed in the first place? Have you tested that manually? I would compare the paths by logging in as a normal user who can sudo and as the discovery user who can't. The difference is what needs to be removed. Just a guess to investigate.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-31-2015 05:16 AM
Here is a detailed explanation of tests that hopefully will better describe the problem.
$ which SNtest.sh
/usr/local/bin/SNtest.sh
$ which sudo
/usr/local/bin/sudo
Test script was :
$ cat /usr/local/bin/SNtest.sh
echo "I am "`id`
echo $PATH
I just run a probe by calling a script on the server (not via file in SN) via ECC queue name ("/usr/local/bin/SNtest.sh") . debug parameter was true all the time.
1) First simple run with full path of script in ECC /usr/local/bin/SNtest.sh
<result><output>I am uid=111111(srvc_user) gid=111111(srvc_user)
/usr/bin:/bin:/usr/sbin:/usr/bin:/bin:/sbin</output></result>
2) Second run without full path just SNtest.sh
<results error="ksh: SNtest.sh: not found
Exit status: 127
" post_processing_time="0" probe_time="109"><result error="ksh: SNtest.sh: not found
Exit status: 127
"><output/>
- Notice that the command did not run because it was not found in any of the default PATH locations it tried
3) ECC of SNtest.sh and path_override of "/usr/sbin:/usr/bin:/bin:/sbin:/usr/local/bin"
<result><output>I am uid=111111(srvc_user) gid=111111(srvc_user)
/usr/bin:/bin:/usr/sbin:/usr/bin:/bin:/sbin:/usr/local/bin</output></result>
- Notice command has run and PATH was overwritten
4) Same as run 3 but with the replace option
<result><output>I am uid=111111(srvc_user) gid=111111(srvc_user)
:/usr/sbin:/usr/bin:/bin:/sbin:/usr/local/bin</output></result>
- This time the first 2 paths (provided by default in solaris) are gone and we are left with just the PATH we provided in path_override
Up until now path_override has behaved as expected. Now let's add must_sudo to the mix. Given that sudo and the custom script are in the same folder , it should not complain. Also the srvc_user user has access to run this command.
This is the output from shell as srvc_user user:
$ /usr/local/bin/sudo /usr/local/bin/SNtest.sh
I am uid=0(root) gid=0(root)
/usr/bin:
5) Running the command same as run 4 , but this time with must_sudo=true
<result warn="The sudo command is not present, or user has no right to use it"><output>I am uid=111111(srvc_user) gid=111111(srvc_user)
:/usr/sbin:/usr/bin:/bin:/sbin:/usr/local/bin</output></result>
- Nottice the sudo error, even if PATH includes /usr/local/bin and the script runs as srvc_user user not root.
- And if we look into the logs of the mid server you can notice that the PATH is actually overwritten only when the command is run. If we have must_sudo set then the probe will test the sudo command prior to actually running the intended command, but without the overwritten path so it fails the sudo test and just runs the probe without elevated privileges
Probe: SSHCommand:SNtest.sh:server.example.com DEBUG: Sudo help command: sudo -h; exit 0
……
As ASCII: ^........ksh: sudo: not found
……
Probe: SSHCommand:SNtest.sh:server.example.com DEBUG: Command being executed: PATH=":/usr/sbin:/usr/bin:/bin:/sbin:/usr/local/bin"; SNtest.sh
6) The final test is same as test 5 but with a link for the sudo command in a location where srvc_user will find it before it sets the PATH variable (a workaround that is not acceptable in our environment yet)
<result><output>I am uid=0(root) gid=0(root)
:/usr/sbin:/usr/bin:/bin:/sbin:/usr/local/bin</output></result>
- Nottice uid of 0 since it was run successfully as root
