Thursday, May 01, 2008

Complex commands with sudo

I've heard all the excuses for why someone issued a "sudo su -" command, and instantiated a shell that no longer tracked their actions. Of course we can argue about how to configure sudo so that problem goes away, but what if you have a lenient sudoers configuration?

The problem usually occurs when you need to redirect output. For example:

# tar cvf - /etc/ | gzip -c > /protected_dir/etc_backup.tgz


Or, the one which I just used, and reminded me that this deserves a quick posting:

# m4 somefile.m4 > newfile.cf


Both of these will fail if the target directory is one that your user ID does not have permission to write to. In many cases, the frustrated SA will simply use sudo to "su" to the root user and perform the command there. But we Solaris Jedi know that this is simply a temptation of the dark side pulling at a time when you need to get work done.

The right thing to do is create a subshell that executes the command. Returning to the above examples, the right instantiation would be:

# sudo sh -c "m4 somefile.mc > somefile.cf"
# sudo sh -c "tar cvf - /etc | gzip -c > /protected_dir/etc_backup.tgz"


Works like a charm. That being said, I'm much more an advocate for using RBAC on Solaris, but I'm going to fight the power of scope creep on this posting and stick with sudo.

2 comments:

tony said...

I, for one, would very much like to see a post on RBAC. I'm working to move my group from using 'su -' or 'sudo' to RBAC and would like to know how you have gone about it.

Great posts. Please keep it up. Thanks.
Tony.

Christopher Hubbell said...

I have something along those lines cooking right now. Stay tuned!