1

Getting prompted using a sed command in /etc/sudoers.d file

asked 2013-08-04 16:28:48 -0500

zackp

updated 2013-08-05 15:03:52 -0500

I would like to add a sed in place file edit command to the /etc/sudoers.d/02jenkins file on a Jenkins CI slave, a Fedora 17 64bit KVM guest, as shown below:

Cmnd_Alias ZOBJS = /bin/sed -e 's@5120@100@' -i /etc/peek/peek.conf

where peek is the name of a locally developed application.

The statement is added using visudo -f 02jenkins.

I have added other, even more complex looking commands for the user jenkins to the 02jenkins file this way successfully.

After editing, I did a test:

[root@fedora17-ci sudoers.d]# su - jenkins 
[jenkins@fedora17-ci ~]$ sudo /bin/sed -e 's@5120@100@' -i/etc/ peek/peek.conf 
[sudo] password for jenkins:

What? A prompt for password?

I have double checked quite a few times and can't find what I missed. Oddly, if I just add

Cmnd_Alias ZOBJS = /bin/sed

to the /etc/sudoers.d/02jenkins file, the above test would work. But I don't want the short form. IMHO it's too permissive and thus dangerous.

Thanks for any help.

-- Zack


1 Answer

0

answered 2013-08-05 02:41:44 -0500

none

updated 2013-08-05 02:42:35 -0500

You can always check how sudo sees the commands that the user can execute by running sudo -l. In your example, you are using ', so bash interprets this, and sudo receives the command:

/bin/sed -e s@5120@100@ -i /etc/peek/peek.conf

(without '). And this couldn't be found in sudoers. Try this:

sudo /bin/sed -e \'s@5120@100@\' -i /etc/peek/peek.conf


Comments

1

@Artur Symczak, thanks for responding. The tip about using sudo -l is good. Nevertheless, it may still be confusing. For example: a = is output as \=. The tip regarding escaping the ' character in bash may not work, as sed will complain /bin/sed: -e expression #1, char 1: unknown command: ''. A simple solution seems to just put /bin/sed -e s@5120@100@ -i /etc/peek/peek.conf into the /etc/sudoers.d/02jenkins and use that form in bash too. I now use a different approach which doesn't involve any shell quoting to get the job done.

zackp ( 2013-08-05 11:48:45 -0500 )
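The quoting behaviour discussed in the answer and comment above, as an added example that is not part of the original thread: a small shell model of why each way of typing the command does or does not line up with a sudoers entry. It assumes sudo compares the space-joined argv it receives with the literal sudoers text, in which ' is an ordinary character; wildcards are not modelled, and the function names are hypothetical.

```shell
#!/bin/sh
# Simplified model (an assumption of this example): sudo joins the argv it
# receives with single spaces and compares the result with the text written
# in sudoers, where ' is an ordinary character. Wildcards are not modelled.

# Join the arguments exactly as they arrive after shell quote removal.
joined_argv() {
    ( IFS=' '; printf '%s' "$*" )
}

# rule_matches RULE CMD [ARG...] -> exit 0 when the joined argv equals RULE.
rule_matches() {
    want=$1
    shift
    [ "$(joined_argv "$@")" = "$want" ]
}

# The two candidate sudoers command specs discussed on this page.
RULE_QUOTED="/bin/sed -e 's@5120@100@' -i /etc/peek/peek.conf"
RULE_PLAIN="/bin/sed -e s@5120@100@ -i /etc/peek/peek.conf"

# Print, for one way of typing the command, which rule it matches and
# which script string sed itself would be handed (argument 3 after the label).
report() {
    label=$1
    shift
    for rule in "$RULE_QUOTED" "$RULE_PLAIN"; do
        if rule_matches "$rule" "$@"; then verdict="match"; else verdict="no match"; fi
        printf '%-20s vs [%s]: %s\n' "$label" "$rule" "$verdict"
    done
    printf '  sed script argument: [%s]\n' "$3"
}

# 1. As typed in the question: the shell removes the quotes before sudo runs.
report "typed with '...'" /bin/sed -e 's@5120@100@' -i /etc/peek/peek.conf
# 2. As suggested in the answer: \' leaves literal quotes in the argument,
#    so the rule matches but sed receives a script that starts with '.
report "typed with \\'...\\'" /bin/sed -e \'s@5120@100@\' -i /etc/peek/peek.conf
# 3. As settled on in the comment: no quotes in sudoers or on the command line.
report "typed unquoted" /bin/sed -e s@5120@100@ -i /etc/peek/peek.conf
```

Only the third form both matches a full-argument rule and hands sed a valid script, which keeps the entry restricted to this one edit instead of a bare /bin/sed.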
