How to run the bash command as a system user without giving that user the right to run commands as any user
Problem description
I have written a python script which includes this line:
response = subprocess.check_output(['/usr/bin/sudo /bin/su - backup -c "/usr/bin/ssh -q -o StrictHostKeyChecking=no %s bash -s" <<\'EOF\'\nPATH=/usr/local/bin:$PATH\nmvn --version|grep -i Apache|awk \'{print $3}\'|tr -d \'\n\'\nEOF' % i], shell=True)
This is in a for loop that goes through a list of hostnames, and for each one I want to check the result of the command on it. This works fine when I run it myself, however, this script is to be run by a system user (shinken - a nagios fork) and at that point I hit an issue.
shinken ALL=(ALL) NOPASSWD: ALL
However, I wanted to restrict the user to only allow it to run as the backup user:
shinken ALL=(backup) NOPASSWD: ALL
But when I run the script I get:
sudo: no tty present and no askpass program specified
I have read around this and tried a few things to fix it. I tried adding -t to my ssh command, but that didn't help. I believe I should be able to run the command with something similar to:
response = subprocess.check_output(['/usr/bin/sudo -u backup """ "/usr/bin/ssh -q -o StrictHostKeyChecking=no %s bash -s" <<\'EOF\'\nPATH=/usr/local/bin:$PATH\njava -version|grep -i version|awk \'{print $3}\'|tr -d \'\n\'\nEOF""" ' % i], shell=True)
But then I get this response:
subprocess.CalledProcessError: Command '['/usr/bin/sudo -u backup """ "/usr/bin/ssh -q -o StrictHostKeyChecking=no bamboo-agent-01 bash -s" <<\'EOF\'\nPATH=/usr/local/bin:$PATH\njava -version|grep -i version|awk \'{print $3}\'|tr -d \'\n\'\nEOF""" ']' returned non-zero exit status 1
If I run the command manually I get:
sudo: /usr/bin/ssh: command not found
Which is strange because that's where it lives.... I've no idea if what I'm trying is even possible. Thanks for any suggestions!
Recommended answer
As for sudo:
shinken ALL=(backup) NOPASSWD: ALL
...only works when you switch directly from shinken to backup. You aren't doing that here. sudo su - backup is telling sudo to switch to root, and to run the command su - backup as root. Obviously, then, if you're going to use sudo su (which I've advised against elsewhere), you need your /etc/sudoers configuration to support that.
Because your /etc/sudoers isn't allowing the direct switch to root you're requesting, it's trying to prompt for a password, which requires a TTY, which is thus causing a failure.
Below, I'm rewriting the script to switch directly from shinken to backup, without going through root and running su:
As for the script:
import subprocess

remote_script = '''
PATH=/usr/local/bin:$PATH
mvn --version 2>&1 | awk '/Apache/ { print $3 }'
'''

def maven_version_for_host(hostname):
    # storing the command lets us pass it when constructing a CalledProcessError later
    # could move it directly into the Popen creation if you don't need that.
    cmd = [
        'sudo', '-u', 'backup', '-i', '--',
        'ssh', '-q', '-o', 'StrictHostKeyChecking=no', str(hostname),
        'bash -s'  # arguments in remote-command position to ssh all get concatenated
                   # together, so passing them as one command aids clarity.
    ]
    proc = subprocess.Popen(cmd,
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        universal_newlines=True)  # text-mode pipes, so str input/output also works on Python 3
    response, error_string = proc.communicate(remote_script)
    if proc.returncode != 0:
        raise subprocess.CalledProcessError(proc.returncode, cmd, error_string)
    return response.split('\n', 1)[0]
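
An added example, not part of the original answer: a simplified model of how the Runas list in the two sudoers rules above decides whether a sudo invocation runs without a password prompt. The function names and the host1 placeholder are hypothetical, and only the Runas list and the NOPASSWD tag are modelled, since the command list is ALL in both rules.

```python
import shlex

def parse_rule(line):
    """Parse 'user host=(runas) [NOPASSWD:] commands', the one rule form used on this page."""
    user, rest = line.split(None, 1)
    _host, rest = rest.split('=', 1)
    rest = rest.strip()
    runas = ['root']  # sudoers default when the rule has no (runas) list
    if rest.startswith('('):
        spec, rest = rest[1:].split(')', 1)
        runas = [name.strip() for name in spec.split(':')[0].split(',')]
    nopasswd = rest.strip().startswith('NOPASSWD:')
    return {'user': user, 'runas': runas, 'nopasswd': nopasswd}

def sudo_target_user(command):
    """User that sudo itself is asked to become: the -u argument, otherwise root."""
    argv = shlex.split(command)[1:]  # drop the sudo binary
    target = 'root'
    # Only the flags used on this page are handled: -u NAME, -i and the -- separator.
    while argv and argv[0].startswith('-') and argv[0] != '--':
        if argv.pop(0) == '-u':
            target = argv.pop(0)
    return target

def runs_without_prompt(rule_line, invoking_user, command):
    """True if the rule lets invoking_user run this sudo command with no password."""
    rule = parse_rule(rule_line)
    runas_ok = 'ALL' in rule['runas'] or sudo_target_user(command) in rule['runas']
    return rule['user'] == invoking_user and runas_ok and rule['nopasswd']

if __name__ == '__main__':
    # Constructed sample invocations; "host1" is a placeholder hostname.
    via_su = '/usr/bin/sudo /bin/su - backup -c "/usr/bin/ssh -q host1 bash -s"'
    direct = 'sudo -u backup -i -- ssh -q host1 "bash -s"'
    for rule in ('shinken ALL=(ALL) NOPASSWD: ALL', 'shinken ALL=(backup) NOPASSWD: ALL'):
        for cmd in (via_su, direct):
            print(rule, '|', sudo_target_user(cmd), '|', runs_without_prompt(rule, 'shinken', cmd))
```

Under the restricted rule only the direct -u backup form matches; the sudo su form asks sudo for root, which the (backup) Runas list does not cover, so sudo falls back to a password prompt.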