I need to allow a specific command on a Debian Linux box for a single user. I've tried this in the /etc/sudoers file:
# User privilege specification
zabbix ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}'
This does not work as expected. If I run the command as user zabbix with sudo, it asks for the password (although I have specified the NOPASSWD option).
However, this works:
# User privilege specification
zabbix ALL=NOPASSWD: /usr/bin/apt-get
But it has the drawback that all subcommands of apt-get are allowed. Is there a way I can fix this to only allow a specific command?
Best Answer
I disagree with lain. Although it will work, you do not need awk to run as root. I would not be comfortable with this because you might be able to attack awk in some way. It is a full programming language interpreter after all.
When one runs
sudo /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}'
they are actually running sudo /usr/bin/apt-get --print-uris -qq -y upgrade and then piping/redirecting as the calling user.
Try this:
zabbix ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade
By the way, there is nothing wrong with putting this in a script as lain does and you could still do that. I would just avoid running awk as root if possible.
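The split the answer describes can be seen without root. This is an added example, not code from the question or the answer: `sudo` here is a shell function standing in for the real binary, its apt-get output is constructed sample data, and `rule_matches` is a hypothetical simplification of sudoers argument matching (exact string comparison, no wildcards).

```shell
#!/bin/sh
# Shows which part of the pipeline sudo is actually asked to authorize.
LOG=$(mktemp)

# Stand-in for sudo (assumption): records the argv it receives, then prints
# constructed sample lines shaped like `apt-get --print-uris` output.
sudo() {
    printf '%s\n' "$*" > "$LOG"
    printf "'http://example.invalid/a.deb' a_1.0_amd64.deb 100 MD5Sum:x\n"
    printf "'http://example.invalid/b.deb' b_2.0_amd64.deb 200 MD5Sum:y\n"
}

# The exact pipeline from the question. The calling shell splits it at each
# '|' and applies '2>/dev/null' itself; sudo never sees those parts.
pending_updates() {
    sudo /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null | awk '{print $2}' | wc | awk '{print $1}'
}

# What sudo was asked to run during the last call.
sudo_saw() { cat "$LOG"; }

# Hypothetical simplification: a sudoers command spec that lists arguments
# only matches an invocation with exactly those arguments.
rule_matches() { [ "$1" = "$2" ]; }

# Command part of the rule from the question: the pipeline is literal text.
ASKER_RULE="/usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print \$2}' | wc | awk '{print \$1}'"
# Command part of the rule from the answer.
ANSWER_RULE="/usr/bin/apt-get --print-uris -qq -y upgrade"

count=$(pending_updates)
echo "pending updates: $count"
echo "sudo was asked to run: $(sudo_saw)"
if rule_matches "$ANSWER_RULE" "$(sudo_saw)"; then echo "answer's rule: match"; fi
if ! rule_matches "$ASKER_RULE" "$(sudo_saw)"; then echo "asker's rule: no match"; fi
```

Only the apt-get stage reaches sudo, so awk and wc run as zabbix and the sudoers entry needs nothing beyond the apt-get command and its arguments.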