The answer is that sudo has a bug. First, the workaround: I put this in my /etc/sudoers.d/zabbix file:

zabbix ALL=(root) NOPASSWD: /bin/env SHELL=/bin/sh /usr/local/bin/zabbix_raid_discovery

and now subcommands called from zabbix_raid_discovery work.
A patch to fix this will be in sudo 1.8.15. From the maintainer, Todd Miller:
This is just a case of "it's always been like that". There's not
really a good reason for it. The diff below should make the behavior
match the documentation.
- todd
diff -r adb927ad5e86 plugins/sudoers/env.c
--- a/plugins/sudoers/env.c Tue Oct 06 09:33:27 2015 -0600
+++ b/plugins/sudoers/env.c Tue Oct 06 10:04:03 2015 -0600
@@ -939,8 +939,6 @@
CHECK_SETENV2("USERNAME", runas_pw->pw_name,
ISSET(didvar, DID_USERNAME), true);
} else {
- if (!ISSET(didvar, DID_SHELL))
- CHECK_SETENV2("SHELL", sudo_user.pw->pw_shell, false, true);
/* We will set LOGNAME later in the def_set_logname case. */
if (!def_set_logname) {
if (!ISSET(didvar, DID_LOGNAME))
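Review bot: the removed call sourced SHELL from sudo_user.pw->pw_shell (the invoking user) with a trailing argument of true, while the replacement added later in this patch uses runas_pw->pw_shell (the run-as user) with false; "match the documentation" does not say which of the two changes is the user-visible fix, so the commit message should state explicitly that SHELL now follows the target user rather than the caller, since that is what makes commands run from a nologin-shell account usable.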
@@ -984,6 +982,8 @@
if (!env_should_delete(*ep)) {
if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
ps1 = *ep + 5;
+ else if (strncmp(*ep, "SHELL=", 6) == 0)
+ SET(didvar, DID_SHELL);
else if (strncmp(*ep, "PATH=", 5) == 0)
SET(didvar, DID_PATH);
else if (strncmp(*ep, "TERM=", 5) == 0)
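Review bot: the prefix match on "SHELL=" sets DID_SHELL even when the caller's value is empty ("SHELL="), which will then suppress the default that the later hunk installs and leave the command with an empty SHELL; that is consistent with how the adjacent PATH= and TERM= checks behave, but if an empty SHELL is not meant to count as "set", compare the length of the value after the '=' before setting the flag.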
@@ -1039,7 +1039,9 @@
if (reset_home)
CHECK_SETENV2("HOME", runas_pw->pw_dir, true, true);
- /* Provide default values for $TERM and $PATH if they are not set. */
+ /* Provide default values for $SHELL, $TERM and $PATH if not set. */
+ if (!ISSET(didvar, DID_SHELL))
+ CHECK_SETENV2("SHELL", runas_pw->pw_shell, false, false);
if (!ISSET(didvar, DID_TERM))
CHECK_PUTENV("TERM=unknown", false, false);
if (!ISSET(didvar, DID_PATH))
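Review bot: the new default passes runas_pw->pw_shell straight through, so a passwd entry whose shell field is empty (which login(1) treats as /bin/sh) would put SHELL= with an empty value into the environment; consider falling back to a sane default when pw_shell is empty, mirroring the literal defaults used for TERM and PATH just below. The hunk's trailing context is cut off on this page after the DID_PATH check, so the PATH default line itself cannot be reviewed here.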
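To make the failure mode behind the workaround concrete, here is an added illustration (my own script, not part of the original answer or of sudo) of why a nologin value left in $SHELL breaks subcommands and why prefixing the command with env SHELL=/bin/sh repairs them. Programs such as vim (:!), less (!) and screen/tmux spawn their children through $SHELL rather than a fixed /bin/sh, so a service account whose passwd shell is /usr/sbin/nologin sees every such child die. The nologin binary is replaced by a constructed temporary stand-in so the script runs on any machine without touching real accounts.

```shell
#!/bin/sh
# Added illustration (not from the original answer): a wrong $SHELL breaks any
# program that launches subcommands through $SHELL, and forcing SHELL=/bin/sh
# (the sudoers workaround above, or sudo >= 1.8.15's own behaviour) fixes it.

# Constructed stand-in for /usr/sbin/nologin: same message, same exit status 1.
FAKE_NOLOGIN=$(mktemp)
cat > "$FAKE_NOLOGIN" <<'EOF'
#!/bin/sh
echo "This account is currently not available." >&2
exit 1
EOF
chmod +x "$FAKE_NOLOGIN"
trap 'rm -f "$FAKE_NOLOGIN"' EXIT

# subcommand_via_shell simulates a program that runs a child through the shell
# named in $1 (the value sudo would have placed in $SHELL).  It prints "ok" when
# the child actually ran and "failed" when the configured shell refused it.
subcommand_via_shell() {
    _shell=$1
    if "$_shell" -c 'echo ok' 2>/dev/null; then
        :
    else
        echo failed
    fi
}

# What a nologin-shell service account got from sudo before 1.8.15:
# the caller's own shell, i.e. nologin.
before_fix=$(subcommand_via_shell "$FAKE_NOLOGIN")    # failed

# What "env SHELL=/bin/sh <command>" in sudoers hands the command
# (and what 1.8.15 does by itself: the run-as user's shell).
after_fix=$(subcommand_via_shell /bin/sh)              # ok

printf 'SHELL left as nologin : %s\n' "$before_fix"
printf 'SHELL forced to /bin/sh: %s\n' "$after_fix"
```

On a live system the quickest check of what a rule actually hands to the command is to run the environment printer through the same rule, e.g. sudo -u root /usr/bin/env | grep '^SHELL=' (assuming /usr/bin/env is allowed for that user): if the value is the caller's nologin shell rather than the target user's, the sudo in use predates the fix and the env SHELL=/bin/sh prefix is still needed.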
The point of the nologin shell is to prevent the user from logging in. Such a user may still use your server services like FTP, IMAP/POP3 and others, but they won't be able to log in, e.g. using sshd or the console, period.

How do I switch from root to a user with a nologin shell?

sudo -u USERNAME /bin/bash

will work, but only root can do that.
Best Answer
This is a typical use case for sudo. You're mixing sudo, which allows running commands as another user and is highly configurable (you can selectively specify which user can run which command as which user), and su, which switches to another user if you know the password (or are root). su always runs the shell written in /etc/passwd, even if su -c is used. Because of this su isn't compatible with /usr/sbin/nologin. You should use

sudo -u secure /home/someuser/secure.script

As sudo is configurable you can control who can use this command and if he/she needs to enter a password to run it. You need to edit /etc/sudoers using visudo to do this. (Be careful when editing /etc/sudoers and always use visudo to do it. The syntax isn't trivial and one error can lock you out from your root account.)

This line in sudoers allows anyone in group somegroup to run the command as secure:

This allows anyone in group somegroup to run the command as secure without entering a password:

This allows user1 to run the command as secure without entering a password:
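The three rules the answer describes, written out as an added example (these are my lines, not the answer's own, which did not survive on this page). The group somegroup, the user user1, the run-as user secure and the script path come from the answer; the file name /etc/sudoers.d/secure is an assumption.

```sudoers
# /etc/sudoers.d/secure   (assumed file name; create it with: visudo -f /etc/sudoers.d/secure)
# Files under /etc/sudoers.d must be owned by root with mode 0440; sudo ignores
# names containing a '.' or ending in '~'.

# 1. Anyone in group somegroup may run the script as user secure (their own
#    password is asked for, as with any default sudo rule):
%somegroup ALL=(secure) /home/someuser/secure.script

# 2. The same, but without entering a password.  Keep only one of rule 1 and
#    rule 2: when several rules match, sudo applies the LAST match, so with both
#    present the NOPASSWD rule wins for everyone in the group.
%somegroup ALL=(secure) NOPASSWD: /home/someuser/secure.script

# 3. A single user, user1, may run it as secure without a password:
user1 ALL=(secure) NOPASSWD: /home/someuser/secure.script
```

Check the file before relying on it with visudo -c -f /etc/sudoers.d/secure, which parses it without installing anything. One caveat the answer's warning about visudo does not cover: the script path in the rule is the whole of what is granted, so /home/someuser/secure.script must not be writable by the users in somegroup or by user1, otherwise whoever can edit it can run arbitrary commands as secure through the rule.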