Running a command on linux under sudo -u

nancycarden
Kilo Contributor

‎10-31-2016 11:08 AM

In discovering Oracle instances on Linux servers, read permission is required to read the configuration files and run permission is required to run {ORA_HOME}/bin/lsnrctl. Our security folks want to accomplish this by granting our discovery account the ability to run the scripts under sudo by specifying the account like so:

(oracle) NOPASSWD: /tmp/snc-*-oracle_instance.sh *, /tmp/oracle_instance.sh *, (oracle) /tmp/snc-*-oracle_listener.sh *, /tmp/oracle_listener.sh *

I modified the probe ECC queue name several different ways in order to get this to work. I set the must_sudo param to false and changed the ECC queue name to:

sudo -u oracle sh ${file:oracle_instance.sh} ${sid}

but that didn't work. The only way I could get it to work was to copy the script file down to /tmp on the target server, set must_sudo to false, and modify the ECC queue name to reference the script file directly:

sudo -u oracle sh ${file:/tmp/oracle_instance.sh} ${sid}

Not exactly a workable solution. Does anyone know of a way to make this work?

thanks in advance!

Nancy

Labels:
0 Helpfuls
  • 2,393 Views
13 REPLIES 13

doug_schulze
ServiceNow Employee
ServiceNow Employee

‎10-31-2016 11:14 AM

Have you tried calling sudo inside the script and just letting that define what command gets elevated?


0 Helpfuls

nancycarden
Kilo Contributor
In response to doug_schulze

‎10-31-2016 11:30 AM

Doug,



Thanks for the reply. I didn't try that. But if I'm not mistaken, that would require an entry in the sudoers file for each command within the script that requires elevated permissions. Our security guy seemed to think it would be easier to have the script itself run under the Oracle user, instead of picking it apart and granting elevated permissions for each command.



Or am I totally off base here? I'm still learning my way around discovery and how it works.



thanks,


Nancy


0 Helpfuls

doug_schulze
ServiceNow Employee
ServiceNow Employee
In response to nancycarden

‎10-31-2016 09:03 PM

Ahh,.. Yes, I hear what your saying.. hmm..



Not sure that can happen, but fairly have never come across that need...So, I dunno..



Let me ask around and maybe the community can chime in if they have come across this before, .. Ill let you know what I find out...


0 Helpfuls

aleck_lin
ServiceNow Employee
ServiceNow Employee

‎10-31-2016 09:48 PM

Nancy,



What's the error message you're getting?



I'm actually a little surprised that you said the second way worked because I would've expected a syntax error... if it looked like the following, then it makes more sense for me.



        sudo -u oracle sh /tmp/oracle_instance.sh ${sid}



I would suggest looking at a couple of things.


1. The temp file where the script file is downloaded to, are you sure it's in the /tmp folder?


2. The name might be not (not remember exactly) exact, so double check the filename when it's actually executed.



let me know what you find.



Aleck


0 Helpfuls