Running a command on linux under sudo -u

nancycarden
Kilo Contributor

In discovering Oracle instances on Linux servers, read permission is required to read the configuration files and run permission is required to run {ORA_HOME}/bin/lsnrctl. Our security folks want to accomplish this by granting our discovery account the ability to run the scripts under sudo by specifying the account like so:

(oracle) NOPASSWD: /tmp/snc-*-oracle_instance.sh *, /tmp/oracle_instance.sh *, (oracle) /tmp/snc-*-oracle_listener.sh *, /tmp/oracle_listener.sh *

I modified the probe ECC queue name several different ways in order to get this to work. I set the must_sudo param to false and changed the ECC queue name to:

sudo -u oracle sh ${file:oracle_instance.sh} ${sid}

but that didn't work. The only way I could get it to work was to copy the script file down to /tmp on the target server, set must_sudo to false, and modify the ECC queue name to reference the script file directly:

sudo -u oracle sh ${file:/tmp/oracle_instance.sh} ${sid}

Not exactly a workable solution. Does anyone know of a way to make this work?

Thanks in advance!

Nancy


evanqu
ServiceNow Employee

Yes, that will apply to all 'sudo' transactions.

Mid server assumes that on one target machine, one privileged command is enough for all transactions. So in this case, you may want to have a script act as a "customized sudo", let's call the script "mySudo". In the script, you have some logic like this:

        If it's oracle
                  Run "sudo -u oracle xxxx"
        else
                  Run "sudo xxxx"

And you can set "mid.ssh.privileged_commands" to "mySudo". Not sure if this works for you, but requiring multiple privileged commands on one machine is bad practice and it's not recommended.

Thanks

-Evan

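A concrete form of the "mySudo" wrapper Evan sketches above, written as an added example for this thread (it is not code from the thread or from ServiceNow). It assumes mid.ssh.privileged_commands is pointed at this script, that the MID Server then invokes it as "mySudo <command> [args...]", and that the Oracle discovery scripts are the ones named in the sudoers fragment in the original post; the helper names are my own.

```shell
#!/bin/sh
# mySudo: a single privileged-command wrapper for the MID Server (added example).
# Assumption: mid.ssh.privileged_commands points here, so every privileged
# command arrives as:  mySudo <command> [args...]
# Oracle discovery scripts (the paths granted in the sudoers fragment from the
# original post) are run as the oracle account; everything else goes to plain sudo.

# Decide which account a command should run as, from its first word.
# Prints "oracle" for the allowed Oracle discovery scripts, "root" otherwise.
mysudo_target_user() {
    case "$1" in
        /tmp/snc-*-oracle_instance.sh|/tmp/oracle_instance.sh) echo oracle ;;
        /tmp/snc-*-oracle_listener.sh|/tmp/oracle_listener.sh) echo oracle ;;
        *) echo root ;;
    esac
}

# Build the sudo command line that would be run (handy for logging or a dry run).
# -n makes sudo fail instead of prompting, which is what a NOPASSWD rule expects.
mysudo_cmdline() {
    user=$(mysudo_target_user "$1")
    if [ "$user" = oracle ]; then
        echo "sudo -n -u oracle $*"
    else
        echo "sudo -n $*"
    fi
}

# Replace this shell with the real sudo invocation, preserving argument boundaries.
mysudo_run() {
    user=$(mysudo_target_user "$1")
    if [ "$user" = oracle ]; then
        exec sudo -n -u oracle "$@"
    else
        exec sudo -n "$@"
    fi
}

# Dispatch only when called with a command; sourcing the file just defines helpers.
if [ $# -gt 0 ]; then
    mysudo_run "$@"
fi
```

Two things worth keeping in mind with this layout: the wrapper only decides which identity to ask sudo for, while sudo's own rule remains the actual enforcement point, so a path the sudoers rule does not grant still fails even if the wrapper passes it through. And because each script path in the quoted sudoers rule is followed by "*", sudo will accept any arguments to those scripts, so the discovery scripts themselves need to treat their arguments (for example ${sid}) as untrusted input.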

Where do you configure this script, and how do you point "mid.ssh.privileged_commands" to it?


robm
Kilo Expert

Did you ever get this figured out? I'm currently trying to do sudo -u oracle but am getting

-u: not found [No such file or directory]

It seems there's something odd about the way SN executes things as sudo.

Henrik Jutterst
Tera Guru

Hi there all.

Found this post, looking for exactly the same thing 🙂 

I solved it and pasted my solution here: Running script file from Pattern as another user using sudo -u command