Running a command on linux under sudo -u
10-31-2016 11:08 AM
In discovering Oracle instances on Linux servers, read permission is required to read the configuration files and run permission is required to run {ORA_HOME}/bin/lsnrctl. Our security folks want to accomplish this by granting our discovery account the ability to run the scripts under sudo by specifying the account like so:
(oracle) NOPASSWD: /tmp/snc-*-oracle_instance.sh *, /tmp/oracle_instance.sh *, (oracle) /tmp/snc-*-oracle_listener.sh *, /tmp/oracle_listener.sh *
I modified the probe ECC queue name several different ways in order to get this to work. I set the must_sudo param to false and changed the ECC queue name to:
sudo -u oracle sh ${file:oracle_instance.sh} ${sid}
but that didn't work. The only way I could get it to work was to copy the script file down to /tmp on the target server, set must_sudo to false, and modify the ECC queue name to reference the script file directly:
sudo -u oracle sh ${file:/tmp/oracle_instance.sh} ${sid}
Not exactly a workable solution. Does anyone know of a way to make this work?
thanks in advance!
Nancy
Labels: Service Mapping
11-01-2016 08:12 AM
You are correct, Aleck. I was typing from memory, and I was wrong. The ECC queue name should be:
sudo -u oracle sh /tmp/oracle_instance.sh ${sid}
This worked. I did check to see where the command is running from, and from what I can tell it is running from /tmp.
11-01-2016 08:23 AM
Aleck,
On further investigation, it looks like the filenames that get executed look something like this:
sh /tmp/snc_7671a3f637752200ea2a5a7643990e05_73_0
They are running out of /tmp, but the filename isn't the same as I expected. So you're thinking that my ECC queue name should work this way:
sudo -u oracle sh ${file:oracle_instance.sh} ${sid}
but I just have my sudoers file configured wrong. Instead of
(oracle) NOPASSWD: /tmp/snc-*-oracle_instance.sh *, /tmp/oracle_instance.sh *, (oracle) /tmp/snc-*-oracle_listener.sh *, /tmp/oracle_listener.sh *
It should be:
(oracle) NOPASSWD: /tmp/snc_*
Is that correct? I'll get my security admin to check it out.
Thanks.
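As an added example (not part of the thread and not ServiceNow code), a small Python model of how sudoers matches a Cmnd entry against an invocation, so a proposed rule such as /tmp/snc_* can be checked against the exact command form before it is deployed; it assumes the simplified matching semantics stated in its comments and uses ORCL as a constructed SID. Note that sudo matches the command it is asked to execute, so for "sudo -u oracle sh /tmp/snc_..." the path under test is the shell, with the script appearing in the argument list.

```python
import re

# Constructed sample built from the command forms and Cmnd patterns in the thread.
# Simplified model of sudoers matching (assumption: no digests, negation,
# or character classes): the resolved command path is matched as a glob in
# which '*' does not cross '/'; the arguments, joined by spaces, are matched
# as a glob in which '*' may span several arguments.

def _glob_to_re(pattern: str, path_mode: bool) -> re.Pattern:
    """Translate a sudoers-style glob into an anchored regex."""
    any_one = "[^/]" if path_mode else "."
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(any_one + "*")
        elif ch == "?":
            out.append(any_one)
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")

def cmnd_matches(rule: str, command: str, args: list[str]) -> bool:
    """rule: one sudoers Cmnd ('/tmp/snc_*', '/bin/sh /tmp/snc_* *', '/usr/bin/id ""').
    command: the resolved path sudo will execute; args: the user's arguments."""
    parts = rule.split(None, 1)
    rule_path = parts[0]
    rule_args = parts[1] if len(parts) > 1 else None
    if not _glob_to_re(rule_path, path_mode=True).match(command):
        return False
    if rule_args is None:      # no argument spec: any arguments are allowed
        return True
    if rule_args == '""':      # explicit empty spec: no arguments allowed
        return not args
    return bool(_glob_to_re(rule_args, path_mode=False).match(" ".join(args)))

def first_matching_rule(rules, command, args):
    """Return the first Cmnd that permits the invocation, or None."""
    return next((r for r in rules if cmnd_matches(r, command, args)), None)

# The thread's original Cmnd list and the staged script name it reported.
ORIGINAL_RULES = [
    "/tmp/snc-*-oracle_instance.sh *",
    "/tmp/oracle_instance.sh *",
    "/tmp/snc-*-oracle_listener.sh *",
    "/tmp/oracle_listener.sh *",
]
STAGED_SCRIPT = "/tmp/snc_7671a3f637752200ea2a5a7643990e05_73_0"
```

On the target host, sudo -l -U <account> lists the Cmnd entries that actually apply to the discovery account and is the authoritative check.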
11-08-2016 06:29 PM
Nancy,
That's exactly what I'm thinking. The file name is a logical name on the instance so that you can match it up with the name specified in the probe parameter, but I vaguely remember that it's not the case when it gets down to the tmp folder.
Did you have a chance to try?
thanks
Aleck
11-01-2016 08:39 AM
Hi Nancy,
Starting at Geneva Patch 8 and Helsinki Patch 2, you can do this by setting the mid server config parameter "mid.ssh.privileged_commands" to "sudo -u oracle". And for the probe name just keep "sudo sh ${file:oracle_instance.sh} ${sid}".
You can see the documentation here: Configure the MID Server to use specific privileged commands
Thanks
-Evan
11-01-2016 08:46 AM
Evan,
Thanks for your answer. I'm assuming that if I configure this at the mid-server level, then it applies to all transactions that use 'sudo' that run on that mid-server, correct? If that's the case, then it won't work for us. We only want to execute the oracle-related probes under the oracle user. Our discovery account has sudo privileges to execute other commands as itself.
Thanks,
Nancy