ubuntu
Ilya Trusov, 2016-01-20 19:29:07

What is the correct way to use NOPASSWD?

Hello. The task is this: run a script with sudo, without a password, as user 'user'.
In /etc/sudoers I did this:
user ALL=NOPASSWD: /opt/scripts/create_user
Output of sudo -l:

Matching Defaults entries for 'user' on s-apps:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User 'user' may run the following commands on s-apps:
(root) NOPASSWD: /opt/scripts/create_user
(ALL : ALL) ALL

On startup:
sudo -u user /bin/bash create_user user_xe1qGnFNmatHzycPKKvk PXeV5NSIhhhiSRg7OHxk

It asks for a password. It is not clear why.
The script itself is below. As I understand it, the script itself is launched, and permission is denied precisely for the commands in it.
#!/bin/bash

# Create user
useradd -d "/home/$1" -m "$1" -s /bin/bash

# Create dir
mkdir "/opt/jails/$1"

# Include stuff
jk_init -v -j "/opt/jails/$1" sftp scp
jk_init -j "/opt/jails/$1" jk_lsh
jk_init -j "/opt/jails/$1" basicshell
jk_init -j "/opt/jails/$1" extendedshell
jk_cp -v -f "/opt/jails/$1" /bin/bash

# Add user in jail
jk_jailuser -m -j "/opt/jails/$1" "$1"

# Set password for user
echo "$1:$2" | chpasswd

It's also worth mentioning that the user 'user' is in the sudo group. Maybe this is causing more problems.


3 answer(s)
mureevms, 2016-01-20
@artgrosvil

Apparently so. In sudoers, the user 'user' should be allowed to execute the commands:
And there should be write permissions to /opt/jails/
In general, insert echo after each command and catch where it doesn’t work.

Rsa97, 2016-01-20
@Rsa97

So in sudoers the user 'user' is given the rights to run /opt/scripts/create_user as root, and the command runs /bin/bash on behalf of 'user'.

LevZ, 2021-12-29
@LevZ

Nowhere can they really answer normally, damn it. It's time to settle the matter once and for all

  • Firstly, any command/script run under sudo is executed one time as the specified user (root by default) until the end of the command/script. I.e. sudo /opt/scripts/create_user in this case will execute all script commands as root. If you need to execute the command as another user, add -u <username> to sudo.
  • Secondly, so that you do not need to enter a password to run a specific command with sudo, you really do need to add a line like user ALL=NOPASSWD: /opt/scripts/create_user, but the order is important here - the author overrides this line with the rule ALL=(ALL) ALL (written for a group of superusers, for example, in CentOS usually: %wheel ALL=(ALL) ALL), which is located below it in the sudoers file.
  • Thirdly, you need to understand what the ALLs are: the first is the host, the second, in brackets, is the user (you can also specify the group through ":" as in chown), and the third is the commands. I.e. users of the wheel group are given the right to execute any commands on any hosts as any user, but with the password entered again. Read man sudoers and may the force be with you.

So, the solution:
  1. move the line user ALL=NOPASSWD: /opt/scripts/create_user below the rest,
  2. run the script with the command sudo /opt/scripts/create_user - inside, everything will already be executed as root

So you don’t need to delete lines in sudoers, you don’t need to shove ALL everywhere, you don’t need to hang sudo in the script for each command. All goodness and knowledge.
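
The two points made in the answers above (Rsa97: the rule covers /opt/scripts/create_user as root, while the command actually run is /bin/bash as 'user'; LevZ: the last matching sudoers entry wins), as an added example that is not part of the original thread: a simplified Python model of sudoers matching. The `%sudo ALL=(ALL:ALL) ALL` line is assumed to be the Ubuntu default behind the `(ALL : ALL) ALL` entry in the sudo -l output, and `parse` and `decide` are hypothetical helpers, not sudo's own code.

```python
# Simplified model of sudoers matching. Assumption: only the rule shapes seen
# on this page are handled (no aliases, wildcards, Defaults or includes).
from typing import NamedTuple

class Rule(NamedTuple):
    who: str        # "user" or "%group"
    runas: str      # target user, or "ALL"
    nopasswd: bool
    command: str    # absolute path, or "ALL"

def parse(line: str) -> Rule:
    who, rest = line.split(None, 1)
    _host, spec = rest.split("=", 1)
    spec = spec.strip()
    runas = "root"                      # sudoers default when no (runas) is given
    if spec.startswith("("):
        runas, spec = spec[1:].split(")", 1)
        runas = runas.split(":")[0].strip()
    spec = spec.strip()
    nopasswd = False
    if spec.startswith("NOPASSWD:"):
        nopasswd, spec = True, spec[len("NOPASSWD:"):]
    return Rule(who, runas, nopasswd, spec.strip())

def decide(sudoers, user, groups, command, runas="root"):
    """Return 'nopasswd', 'password' or 'denied'; the LAST matching rule wins."""
    verdict = "denied"
    for rule in map(parse, sudoers):
        who_ok = rule.who == user or (rule.who.startswith("%") and rule.who[1:] in groups)
        if who_ok and rule.runas in ("ALL", runas) and rule.command in ("ALL", command):
            verdict = "nopasswd" if rule.nopasswd else "password"
    return verdict

# Constructed orderings built from the lines in the question.
ORIGINAL = ["user ALL=NOPASSWD: /opt/scripts/create_user", "%sudo ALL=(ALL:ALL) ALL"]
FIXED = list(reversed(ORIGINAL))        # NOPASSWD line moved below the rest

if __name__ == "__main__":
    script = "/opt/scripts/create_user"
    # sudo /opt/scripts/create_user, before and after reordering
    print(decide(ORIGINAL, "user", {"sudo"}, script))
    print(decide(FIXED, "user", {"sudo"}, script))
    # sudo -u user /bin/bash create_user ...: a different command and target user
    print(decide(FIXED, "user", {"sudo"}, "/bin/bash", runas="user"))
```
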
