I need to allow a specific command on a Debian Linux box for a single user. I've tried this in the /etc/sudoers file:
# User privilege specification
zabbix ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}'
This does not work as expected. If I run the command as user zabbix with sudo, it asks for the password (although I have specified the NOPASSWD option).
However, this works:
# User privilege specification
zabbix ALL=NOPASSWD: /usr/bin/apt-get
But has the drawback that all subcommands of apt-get are allowed. Is there a way I can fix this to only allow a specific command?
You are probably falling foul of the way that redirection interacts with sudo. The redirection is performed at the calling user not the privileged user. It would probably be easier for you to wrap your command in a script and to then allow the zabbix user to run that script e.g.
then set sudoers as
Now the whole script will be run as the privileged user and not just the particular apt-get command. Do though ensure that the zabbix user cannot write to the script.
I disagree with lain. Although it will work, you do not need awk to run as root. I would not be comfortable with this because you might be able to attack awk in some way. It is a full programming language interpreter after all.
When one runs
sudo /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}'
they are actually running
sudo /usr/bin/apt-get --print-uris -qq -y upgrade
and then piping/redirecting as the calling user.
Try this:
zabbix ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade
By the way, there is nothing wrong with putting this in a script as lain does and you could still do that. I would just avoid running awk as root if possible.
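An added example, not part of either answer above: it shows which arguments the privileged stage of the pipeline actually receives, which is what a sudoers rule has to match, and that awk and wc stay with the calling user. fake_sudo, pending_upgrades, demo and ARGV_LOG are hypothetical names, and the apt-get output lines are constructed sample data.

```shell
#!/bin/sh
# Added illustration; fake_sudo, pending_upgrades and ARGV_LOG are hypothetical names.
ARGV_LOG="${ARGV_LOG:-${TMPDIR:-/tmp}/argv.$$}"

# Stand-in for sudo: records the argument vector it is handed, one argument
# per line, then prints constructed lines shaped like `apt-get --print-uris`.
fake_sudo() {
    printf '%s\n' "$@" > "$ARGV_LOG"
    printf '%s\n' \
        "'http://deb.example.invalid/pool/a.deb' a_1.0_amd64.deb 1024 SHA256:placeholder" \
        "'http://deb.example.invalid/pool/b.deb' b_2.0_amd64.deb 2048 SHA256:placeholder"
}

# Runs "$@" as the only (potentially) privileged stage. The redirection,
# awk and wc are set up by the calling shell and run as the calling user.
pending_upgrades() {
    "$@" 2>/dev/null | awk '{print $2}' | wc -l | awk '{print $1}'
}

# On the real host the call would be
#   pending_upgrades sudo -n /usr/bin/apt-get --print-uris -qq -y upgrade
# which is covered by the rule
#   zabbix ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade
demo() {
    count=$(pending_upgrades fake_sudo /usr/bin/apt-get --print-uris -qq -y upgrade)
    echo "packages pending: $count"
    echo "argv seen by the privileged stage:"
    cat "$ARGV_LOG"
}

demo
```

The recorded argument list stops at "upgrade": the "2>/dev/null" and everything after the first "|" never reach the privileged command, so they do not belong in the sudoers entry.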