Running a command on linux under sudo -u

nancycarden

In discovering Oracle instances on Linux servers, read permission is required to read the configuration files and run permission is required to run {ORA_HOME}/bin/lsnrctl. Our security folks want to accomplish this by granting our discovery account the ability to run the scripts under sudo by specifying the account like so:

(oracle) NOPASSWD: /tmp/snc-*-oracle_instance.sh *, /tmp/oracle_instance.sh *, (oracle) /tmp/snc-*-oracle_listener.sh *, /tmp/oracle_listener.sh *

I modified the probe ECC queue name several different ways in order to get this to work. I set the must_sudo param to false and changed the ECC queue name to:

sudo -u oracle sh ${file:oracle_instance.sh} ${sid}

but that didn't work. The only way I could get it to work was to copy the script file down to /tmp on the target server, set must_sudo to false, and modify the ECC queue name to reference the script file directly:

sudo -u oracle sh ${file:/tmp/oracle_instance.sh} ${sid}

Not exactly a workable solution. Does anyone know of a way to make this work?

thanks in advance!

Nancy


You are correct, Aleck. I was typing from memory, and I was wrong. The ECC queue name should be:

sudo -u oracle sh /tmp/oracle_instance.sh ${sid}

This worked. I did check to see where the command is running from, and from what I can tell it is running from /tmp.

Aleck,

On further investigation, it looks like the filenames that get executed look something like this:

sh /tmp/snc_7671a3f637752200ea2a5a7643990e05_73_0

They are running out of /tmp, but the filename isn't the same as I expected. So you're thinking that my ECC queue name should work this way:

sudo -u oracle sh ${file:oracle_instance.sh} ${sid}

but I just have my sudoers file configured wrong. Instead of

(oracle) NOPASSWD: /tmp/snc-*-oracle_instance.sh *, /tmp/oracle_instance.sh *, (oracle) /tmp/snc-*-oracle_listener.sh *, /tmp/oracle_listener.sh *

it should be:

(oracle) NOPASSWD: /tmp/snc_*

Is that correct? I'll get my security admin to check it out.

Thanks.

Nancy,

That's exactly what I'm thinking. The file name is a logical name on the instance so that you can match it up with the name specified in the probe parameter, but I vaguely remember that it's not the case when it gets down to the tmp folder.

Did you have a chance to try?

thanks

Aleck
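Since the matching rules for that sudoers line decide whether the probe is allowed to run at all, here is an added example (written for this page; it is not ServiceNow's or sudo's own code) that models how sudoers matches a command specification and checks the entries discussed in this thread against the command line the MID server actually issues. It assumes that `sh` resolves to `/bin/sh` on the target, uses a constructed sample sid of `ORCL`, and implements only the constructs used above (a `(runas)` spec, the `NOPASSWD:` tag, a comma-separated command list, and shell-style wildcards in paths and arguments) following the rules described in sudoers(5); it is a simplified model, not a replacement for testing with `sudo -l` on the real host.

```python
import fnmatch

# Model of how sudoers matches a Cmnd_Spec against a command line. Written for
# this thread as an illustration; it is not sudo's own code. It covers only the
# constructs used above: a "(runas)" spec, the NOPASSWD: tag, a comma-separated
# command list, and shell-style wildcards in paths and arguments.


def parse_cmnd_specs(rhs):
    """Split the part of a user spec after 'host=' into (runas, nopasswd, path, args).

    In sudoers a Runas_Spec and a tag such as NOPASSWD: apply to every command
    that follows them in the list until they are changed, so both persist
    across commas here.
    """
    specs = []
    runas = "root"      # sudo's default target user when no Runas_Spec is given
    nopasswd = False
    for chunk in rhs.split(","):
        path, args = None, []
        for tok in chunk.split():
            if tok.startswith("(") and tok.endswith(")"):
                runas = tok[1:-1]
            elif tok.endswith(":") and tok[:-1].isupper():
                nopasswd = tok == "NOPASSWD:"
            elif path is None:
                path = tok
            else:
                args.append(tok)
        if path is not None:
            specs.append((runas, nopasswd, path, args))
    return specs


def _path_matches(pattern, path):
    # In the path portion wildcards do not match '/', so compare per component.
    ppat, pcmd = pattern.split("/"), path.split("/")
    return len(ppat) == len(pcmd) and all(
        fnmatch.fnmatchcase(c, p) for p, c in zip(ppat, pcmd))


def _args_match(pattern_args, args):
    if not pattern_args:            # no arguments listed: any arguments allowed
        return True
    if pattern_args == ['""']:      # explicit "": the command takes no arguments
        return not args
    # Arguments are matched as one space-joined string, so '*' spans words.
    return fnmatch.fnmatchcase(" ".join(args), " ".join(pattern_args))


def sudo_allows(rhs, runas, argv):
    """True if some spec in rhs permits running argv as user runas.

    argv[0] must be the fully qualified path sudo sees after resolving the
    command against PATH: 'sudo -u oracle sh X' is matched as /bin/sh X, not as X.
    """
    return any(
        spec_runas == runas
        and _path_matches(path, argv[0])
        and _args_match(pat_args, argv[1:])
        for spec_runas, _nopasswd, path, pat_args in parse_cmnd_specs(rhs))


# Entries from the thread, plus one that names the interpreter.
PROPOSED = "(oracle) NOPASSWD: /tmp/snc_*"
WITH_SH = "(oracle) NOPASSWD: /bin/sh /tmp/snc_*"   # assumes 'sh' resolves to /bin/sh
DROPPED = "/tmp/snc_7671a3f637752200ea2a5a7643990e05_73_0"  # file name seen in the thread
SID = "ORCL"                                         # constructed sample ${sid}


def evaluate():
    """Check the candidate entries against the command lines the MID server issues."""
    return {
        # 'sudo -u oracle sh /tmp/snc_...': the command is /bin/sh, so a spec
        # that only lists the script path never matches it.
        "proposed_vs_sh": sudo_allows(PROPOSED, "oracle", ["/bin/sh", DROPPED, SID]),
        # The same spec does match if the script is executed directly.
        "proposed_direct": sudo_allows(PROPOSED, "oracle", [DROPPED, SID]),
        # Naming the interpreter matches the form the probe actually runs...
        "with_sh_vs_sh": sudo_allows(WITH_SH, "oracle", ["/bin/sh", DROPPED, SID]),
        # ...but the trailing '*' also accepts extra arguments such as -c.
        "with_sh_extra_args": sudo_allows(WITH_SH, "oracle", ["/bin/sh", "/tmp/snc_x", "-c", "id"]),
        # A different target user is not covered by the (oracle) spec.
        "with_sh_as_root": sudo_allows(WITH_SH, "root", ["/bin/sh", DROPPED, SID]),
    }


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:20} {'ALLOW' if allowed else 'deny'}")
```

Run it with python3 and it prints allow/deny for each case. Two things matter when the security admin writes the real entry: with `sudo -u oracle sh <file>` the command sudo matches is `/bin/sh`, so the spec has to name the interpreter path rather than just the script; and because wildcards in the argument part match across word boundaries, `/bin/sh /tmp/snc_*` also permits extra arguments after the path, and covers any file another local user creates under that name in the world-writable /tmp. A root-owned wrapper at a fixed path outside /tmp is the tighter shape if the probe command can be changed. Validate the finished file with `visudo -cf` before installing it.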

evanqu
ServiceNow Employee

Hi Nancy,

Starting at Geneva Patch 8 and Helsinki Patch 2, you can do this by setting the mid server config parameter "mid.ssh.privileged_commands" to "sudo -u oracle". And for the probe name just keep "sudo sh ${file:oracle_instance.sh} ${sid}".

You can see the documentation here: Configure the MID Server to use specific privileged commands

Thanks

-Evan

Evan,

Thanks for your answer. I'm assuming that if I configure this at the mid-server level, then it applies to all transactions that use 'sudo' that run on that mid-server, correct? If that's the case, then it won't work for us. We only want to execute the oracle-related probes under the oracle user. Our discovery account has sudo privileges to execute other commands as itself.

Thanks,

Nancy