How can I use docker without sudo?

Question

Socrates

Asked: 2024-01-31 18:42:02 +0800 CST2024-01-31 18:42:02 +0800 CST 2024-01-31 18:42:02 +0800 CST

Setting DEBIAN_FRONTEND remotely

772

Is there any way to set DEBIAN_FRONTEND=noninteractive when executing a script remotely via SSH?

Doing so I get this error:

sudo: sorry, you are not allowed to set the following environment variables: DEBIAN_FRONTEND

The reason I want to set DEBIAN_FRONTEND=noninteractive at exactly this place is because sometimes apt-get dist-upgrade shows a mask for some user interaction (whiptail). As want to run this script remotely via crontab -e there is no human to klick or press anything. Hence, I need to turn that off as the script would otherwise remain stuck.

The script I am trying to execute is located on server_one in /usr/local/bin/perform-update:

#!/bin/bash

sudo apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
sudo apt-get -y autoremove
sudo snap refresh

I try to call it from server_two using this command:

SERVER_COMMAND="perform-update"
ssh -i $HOME/.ssh/id_rsa backupuser@server_one $SERVER_COMMAND

I have also set the appropriate rights for backupuser on server_one in sudo visudo:

backupuser      ALL=(ALL) NOPASSWD: /usr/local/bin/perform-update
backupuser      ALL=(ALL) NOPASSWD: /usr/bin/apt-get
backupuser      ALL=(ALL) NOPASSWD: /usr/bin/snap

2 Answers

Voted

muru · Answer 1 · 2024-01-31T18:45:52+08:00

You could allow the user to set the DEBIAN_FRONTEND variable when using sudo, but ... you have granted permission for the user to execute the script using sudo, so there's no reason to then use sudo inside the script. Just run the script itself with sudo.

Change your script to:

#! /bin/bash
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y autoremove
snap refresh

And then run it using:

ssh -i "$HOME/.ssh/id_rsa" backupuser@server_one sudo "$SERVER_COMMAND"

That said, you should be using unattended-upgrades instead of re-inventing the wheel.

For the particular case of allowing a user to set an environment variable for a specific command, add the SETENV tag in addition to the NOPASSWD tag. From man sudoers:

 SETENV and NOSETENV

   These tags override the value of the setenv flag on a per-command basis.  If SETENV has
   been set for a command, the user may disable the env_reset flag from the command line via
   the -E option.  Additionally, environment variables set on the command line are not
   subject to the restrictions imposed by env_check, env_delete, or env_keep.  As such, only
   trusted users should be allowed to set variables in this manner.  If the command matched
   is ALL, the SETENV tag is implied for that command; this default may be overridden by use
   of the NOSETENV tag.

So the rule should look like:

backupuser      ALL=(ALL) NOPASSWD:SETENV: /usr/bin/apt-get

Daniel T · Answer 2 · 2024-01-31T19:51:29+08:00

For all practical intents and purposes please see @muru's answer. If in a hurry, only the sudo change on the ssh line on server_two is necessary, and the /usr/local/bin/perform-update script on server_one does not need to be edited. But for security reasons, it should be followed in its entirety, plus my edit at the end of my answer.

What if we consider things the other way? What if we couldn't change the command on server_two and could only change the command on server_one? I was looking for an APT option to just set an environment variable, but I found more than I expected. Here is an outrageous out-of-the-box answer just to demonstrate that your /etc/sudoers policy needs to be secured.

#!/bin/bash
# Put this in /usr/local/bin/perform-update
# No need to manually change any other file

# Use the -o to inject any arbitrary apt-config option.
# First write a wrapper file to execute later that
# sets up DEBIAN_FRONTEND=noninteractive and passes on the arguments.
sudo apt-get update -o APT::Update::Pre-Invoke::='echo '\'$'#!/bin/sh\nexport DEBIAN_FRONTEND=noninteractive\nexec /usr/bin/dpkg "$@"'\'' > /usr/dpkg; chmod 700 /usr/dpkg'
# Then use -o again to make dist-upgrade use the wrapper.
sudo apt-get -y dist-upgrade -o Dir::Bin::dpkg=/usr/dpkg
# autoremove should use DEBIAN_FRONTEND=noninteractive too because
# removing some packages like display managers may cause prompting.
sudo apt-get -y autoremove -o Dir::Bin::dpkg=/usr/dpkg
sudo snap refresh

I do not think you intended to give backupuser full root access. To secure your system, you need to the remove apt-get and snap lines in visudo, then follow @muru's answer.

EDIT: Except you need to remove apt-get line instead in visudo. Those 3 lines should be replaced with just the first line:

backupuser      ALL=(ALL) NOPASSWD: /usr/local/bin/perform-update

Setting DEBIAN_FRONTEND remotely

How to install Google Chrome

Is there a command to list all users? Also to add, delete, modify users, in the terminal?

How to delete a non-empty directory in Terminal?

How to unzip a zip file from the Terminal?

How can I copy the contents of a folder to another folder in a different directory using terminal?

How do I install a .deb file via the command line?

How do I run .sh scripts?

How do I install a .tar.gz (or .tar.bz2) file?

How to list all installed packages

Unable to lock the administration directory (/var/lib/dpkg/) is another process using it?