How to run root level command , if user has "su -" permission in sudoers provided?

# 1  
Old 01-22-2020

I am looking to run a root-level command on multiple servers, but all servers have only "su -" permission available in sudoers.
Please help me if there is any way I can run the command with the help of "su -".

My script

Code:
# Read hosts.txt line by line instead of word-splitting `cat` output
while IFS= read -r host
do
echo "###########################Server Name- $host ----Running script-Please Wait--- Please wait###########################"
ssh -q -t abc@"$host" sudo -S <<< "abc" systemctl restart crond
done < hosts.txt

Error:
Code:
[sudo] password for abc:
Sorry, user abc is not allowed to execute 'systemctl restart crond' as root on xyz.domain1.com

Code:
    
[abc@localhost ~]$ sudo -l
(root) NOPASSWD: /bin/su -


# 2  
Old 01-22-2020
Hi, have you tried: su -c "<cmd>"

hth
# 3  
Old 01-26-2020
Tried, getting the same permission error.

Code:
[abc@xyz ~]$ sudo su -c  systemctl restart crond
[sudo] password for deepak:
Sorry, user abc is not allowed to execute '/bin/su -c systemctl restart crond' as root on node1.xyz.com.


Code:
[abc@xyz ~]$  su -c  systemctl restart crond
su: user restart does not exist

Permission in sudoers:

Code:
[abc@xyz ~]$ sudo -l
User abc may run the following commands on xyz:
    (root) NOPASSWD: /bin/su -


# 4  
Old 01-26-2020
That means you must run exactly sudo su -.
The following is an attempt to feed that with the desired command:
Code:
# Read hosts.txt line by line; the command for the root login shell arrives on stdin
while IFS= read -r host
do
  echo "###########################Server Name- $host ----Running script-Please Wait--- Please wait###########################"
  ssh -q -x -t abc@"$host" "sudo su -" <<< "systemctl restart crond"
done < hosts.txt

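The stdin-feeding approach from the post above, written out as a complete script with the checks a practitioner would want (this is an added example, not code from the thread). It assumes hosts.txt lists one hostname per line, the remote account is "abc", and SSH key authentication is in place so nothing prompts; those details are not stated in the original post.

```shell
#!/bin/sh
# Added example, not code from the thread: run one root-level command on every
# host when the only sudoers entry is "(root) NOPASSWD: /bin/su -".
# Assumptions not stated in the thread: hosts.txt lists one hostname per line
# (blank lines and "#" comments ignored), the remote account is "abc", and SSH
# key authentication is in place so nothing prompts interactively.

# Build the script fed on stdin to the remote "sudo /bin/su -".
# The root login shell reads it line by line; "set -eu" makes it stop at the
# first failing command, and its exit status is what ssh hands back to us.
build_root_script() {
    # $1 = command line to run as root, verbatim
    printf 'set -eu\n%s\n' "$1"
}

# Run $2 as root on host $1; the exit status is the remote command's status.
run_as_root() {
    host=$1
    cmd=$2
    # -T: no pseudo-terminal. NOPASSWD means sudo never prompts, and the root
    #     shell must read its commands from our stdin rather than a terminal
    #     (with -t and a non-tty stdin, ssh only warns and drops the tty anyway).
    # -o BatchMode=yes: fail fast instead of hanging on any prompt.
    # The remote command is "sudo /bin/su -" exactly, because that is the only
    # string the sudoers rule matches; "su -c ..." adds an argument and fails.
    build_root_script "$cmd" | ssh -q -T -o BatchMode=yes "abc@$host" 'sudo /bin/su -'
}

# Loop over hosts with a line-oriented read rather than `for h in $(cat ...)`,
# which word-splits and glob-expands the file contents.
# $3 (optional) names the function that runs the command; it defaults to
# run_as_root and can be replaced with a stub for a dry run.
run_on_all() {
    hosts_file=$1
    cmd=$2
    runner=${3:-run_as_root}
    failed=0
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        printf '##### %s #####\n' "$host"
        if "$runner" "$host" "$cmd"; then
            printf '%s: ok\n' "$host"
        else
            rc=$?
            printf '%s: FAILED (exit %s)\n' "$host" "$rc"
            failed=$((failed + 1))
        fi
    done < "$hosts_file"
    # Non-zero when any host failed, so the caller can act on it.
    return "$failed"
}

# Example invocation: run_on_all hosts.txt 'systemctl restart crond'
```

Note that the root shell executes whatever arrives on stdin, so the command string must come from the script itself, never from an untrusted source; a rule that allows only `/bin/su -` is full root access, not a restriction.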
# 5  
Old 01-27-2020
The privilege you have permits you to become the superuser, but not to run anything directly from your account as the superuser.

If you can become the superuser, then I presume you are the system administrator (or part of the team) so you should know how to write yourself the appropriate sudo rule. Can you show us what you have tried?


- - CAUTION - -
If you break the sudo rules, then it is possible to lock yourself out, i.e. if they are invalid then you may not be able to even sudo su - like you can at the moment.
Make sure you have several superuser sessions already connected before you do this, and better to use the visudo tool too. It protects you somewhat, but it's probably not infallible.
Take copies of any files before you change them and make sure you have a way and the privilege to put them back if you need to. Save the permissions, else sudo may still refuse to run.
# 6  
Old 01-27-2020
If you need to restart crond, then add a rule for that in /etc/sudoers.d/yourfilename.
Rules must be added specifically per service using the entire restart/stop string, e.g. systemctl stop crond, systemctl start crond.
Best to name the file after the user which needs to run the elevated command, e.g. ansible for instance, but that's a choice.

The more specific you are in your sudo definition, the more secure your system is.
Adding custom scripts can be a major attack vector for unauthorized access.

The worst-case scenario is using shell redirection capabilities to accomplish such a task, as opposed to configuring your system properly.

But to each his own, as they say.

Regards
Peasant.