Then answer is that sudo has a bug. First, the workaround: I put this in my /etc/sudoers.d/zabbix file:
zabbix ALL=(root) NOPASSWD: /bin/env SHELL=/bin/sh /usr/local/bin/zabbix_raid_discovery
and now subcommands called from zabbix_raid_discovery work.
A patch to fix this will be in sudo 1.8.15. From the maintainer, Todd Miller:
This is just a case of "it's always been like that". There's not
really a good reason for it. The diff below should make the behavior
match the documentation.
- todd
diff -r adb927ad5e86 plugins/sudoers/env.c
--- a/plugins/sudoers/env.c Tue Oct 06 09:33:27 2015 -0600
+++ b/plugins/sudoers/env.c Tue Oct 06 10:04:03 2015 -0600
@@ -939,8 +939,6 @@
CHECK_SETENV2("USERNAME", runas_pw->pw_name,
ISSET(didvar, DID_USERNAME), true);
} else {
- if (!ISSET(didvar, DID_SHELL))
- CHECK_SETENV2("SHELL", sudo_user.pw->pw_shell, false, true);
/* We will set LOGNAME later in the def_set_logname case. */
if (!def_set_logname) {
if (!ISSET(didvar, DID_LOGNAME))
@@ -984,6 +982,8 @@
if (!env_should_delete(*ep)) {
if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
ps1 = *ep + 5;
+ else if (strncmp(*ep, "SHELL=", 6) == 0)
+ SET(didvar, DID_SHELL);
else if (strncmp(*ep, "PATH=", 5) == 0)
SET(didvar, DID_PATH);
else if (strncmp(*ep, "TERM=", 5) == 0)
@@ -1039,7 +1039,9 @@
if (reset_home)
CHECK_SETENV2("HOME", runas_pw->pw_dir, true, true);
- /* Provide default values for $TERM and $PATH if they are not set. */
+ /* Provide default values for $SHELL, $TERM and $PATH if not set. */
+ if (!ISSET(didvar, DID_SHELL))
+ CHECK_SETENV2("SHELL", runas_pw->pw_shell, false, false);
if (!ISSET(didvar, DID_TERM))
CHECK_PUTENV("TERM=unknown", false, false);
if (!ISSET(didvar, DID_PATH))
The point of the nologin shell is to prevent the user from logging in. Such a user may still use your server services like FTP, IMAP/POP3 and others but they won't be able to login e.g. using sshd or console, period.
How do I switch from root to a user with a nologin shell?
sudo -u USERNAME /bin/bash
Will work but only root can do that.
Best Answer
This is a typical use case for
sudo.You're mixing
sudowhich allows running commands as another user and is highly configurable (you can selectively specify which user can run which command as which user) andsuwhich switches to another user if you know the password (or are root).sualways runs the shell written in/etc/passwd, even ifsu -cis used. Because of thissuisn't compatible with/usr/sbin/nologin.You should use
sudo -u secure /home/someuser/secure.scriptAs
sudois configurable you can control who can use this command and if he/she needs to enter a password to run it. You need to edit/etc/sudoersusingvisudoto do this. (Be careful when editing /etc/sudoers and always use visudo to do it. The syntax isn't trivial and one error can lock you out from your root account.)This line in sudoers allows anyone in group
somegroupto run the command assecure:This allows anyone in group
somegroupto run the command assecurewithout entering a password:This allows
user1to run the command assecurewithout entering a password: