remove specifying the full path in sudoers

1

I am trying to add a NOPASSWD entry for 'sudotest.sh' (or any script/binary that requires sudo) in my /etc/sudoers file (redhat), but in order to make it work, I must specify the full path. The following entry works just fine:

%jenkins ALL=(ALL)NOPASSWD:/home/vts_share/test/sudotest.sh

The problem is that the script might move to a different directory. I tried giving /home/*/sudotest.sh, but it didn't work for me: when I tried to execute sudo ./sudotest.sh, it told me I don't have root permission.

Note: I can't have permission to the /bin/sh directory either.

sijo jose

Posted 2014-02-14T08:25:58.453

Reputation: 11

Any answer acceptable as solution, or any further questions? – davidbaumann – 2018-05-09T12:49:49.203

Answers

1

This is not possible. What you could do is symlink sudotest.sh to a static place which is specified in sudoers.

Example:

real file: /home/vts_share/test/sudotest.sh
symlink: /usr/bin/sudotest.sh

SUDOERS entry:

%jenkins ALL=(ALL)NOPASSWD:/usr/bin/sudotest.sh

If the file moves, simply re-symlink it to /usr/bin/sudotest.sh - no need to change SUDOERS again. You could script it as well... updatedb, locate sudotest.sh, ln -s, which you could put in cron... ugly hack, but it'll work

Smoothie

Posted 2014-02-14T08:25:58.453

Reputation: 351

@davidbaumann I agree fully. This is a VERY bad idea, but it does answer the question asked... A better option would be to create a group in SUDOERS with all required commands and give NOPASSWD access to a very specific user (service role). – Smoothie – 2014-02-14T11:12:24.837

1

This is not a good idea, as the user can create his own sh file with the same name and insert his own commands.
He should not even be allowed to change the initial file's content; it should be placed in a folder where he cannot write.

davidbaumann

Posted 2014-02-14T08:25:58.453

Reputation: 2 089