Allow complex sudo command on Debian Linux

linux debian sudo

I disagree with lain. Although it will work, You do not need awk to run as root. I would not be comfortable with this because you might be able to attack awk in some way. It is a full programming language interpreter after all.

When one runs sudo /usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}', They are actually running sudo /usr/bin/apt-get --print-uris -qq -y upgrade and then piping/redirecting as the calling user.

Try this: zabbix ALL=NOPASSWD: /usr/bin/apt-get --print-uris -qq -y upgrade

By the way, there is nothing wrong with putting this in a script as lain does and you could still do that. I would just avoid running awk as root if possible.


You are probably falling foul of the way that redirection interacts with sudo. The redirection is performed at the calling user not the privileged user. It would probably be easier for you to wrap you command in a script and to then allow the zabbix user to run that script e.g.

#!/bin/bash
/usr/bin/apt-get --print-uris -qq -y upgrade 2>/dev/null |awk '{print $2}' | wc | awk '{print $1}'

the set sudoers as

zabbix  ALL=NOPASSWD: /path/to/script

Now the whole script will be run as the privileged user and not just the particular apt-get command. Do though ensure that the zabbix user cannot write to the script.

Related

Guidelines for the maximum number of disks in a RAID set?
Real benefits of serial console servers (with modern server hardware)?
Knife SSH doesn't find my nodes
How to disable TLS 1.1 & 1.2 in Apache?
Are network switch data transfer speed limits per port or per device?
Can Subgroups be created in Gitlab?
NGINX Proxy_Pass remove url substring
Does Supermicro IPMI require OnBoard video to be enabled?
Windows Server 2008 R2, no internet time tab
ssh hangs without password prompt -- works in root or other accounts
Best method to track folder size growth over time?
How to point 2 different domains to 1 IP address (Apache)?