Need sudo help: allow command ONLY with specific switches/options



premudriy
10th August 2008, 08:13 AM
Hi friends!


I've read through numerous sudo tutorials, but couldn't find a solution to my need:

I need to allow a certain user to run ONLY a specific command and ONLY with specific switches/options. For example: I want that user to be able to pull out hard drive temperature from S.M.A.R.T. (I don't want to use hddtemp or sensors daemons) with this command:


smartctl -a /dev/sda | grep Temp | cut -c88-89

I don't want the user to have access to any other functions of "smartctl", so he wouldn't be able to use for example "smartctl -a"



Thank you very much!

w5set
10th August 2008, 08:55 AM
Could you use the command alias?
man alias

premudriy
10th August 2008, 09:15 AM
Hi w5set,

Ok, let's say I create an alias for "smartctl -a /dev/sda | grep Temp | cut -c88-89" and call it "gethddtemp" or so.
smartctl needs root privileges to run. If I add smartctl into sudoers file for a specific user, then he will be able to run smartctl with any other switches/options, which I'm trying to avoid.


Any other ideas? Am I misunderstanding something?

Thanks!

scottro
10th August 2008, 09:34 AM
Untested, but this should probably work.

User john. In his $HOME/.bashrc
alias smartctl='smartctl -a /dev/sda | grep Temp | cut -c88-89'

(I tend to use single quotes for this sort of alias, but double quotes should also work.)

In /etc/sudoers
john ALL=(ALL) /usr/sbin/smartctl

The ALL means all machines, I'm not sure how many machines are involved.

premudriy
10th August 2008, 09:51 AM
Hello scottro, I did


...

> User john. In his $HOME/.bashrc
> alias smartctl='smartctl -a /dev/sda | grep Temp | cut -c88-89'
>
> (I tend to use single quotes for this sort of alias, but double quotes should also work.)
>
> In /etc/sudoers
> john ALL=(ALL) /usr/sbin/smartctl

...

Unfortunately the user is now able to use all other switches of smartctl, which I don't want him to do.


Any other possible ways out?

scottro
10th August 2008, 09:55 AM
Grr. I thought that would work.
I guess the thing to do is try your other idea, create an alias with a different name, then give him privileges for that command. I'm not sure if that will work either though.

EDIT--another thought, though it's very late here, and this might be a waste of your time. Create a shell script that does the smartctl command with the switches you want. Then, give him the rights to that shell script. So if the script just reads

#!/bin/sh
/usr/sbin/smartctl (various switches)

and you call it something, like smartswitch.sh (as I said, it's very late here and I can't think of a good name) put it in /usr/sbin then give him rights to that shell in /etc/sudoers, it might do what you want.

premudriy
10th August 2008, 10:13 AM
> Grr. I thought that would work.
> I guess the thing to do is try your other idea, create an alias with a different name, then give him privileges for that command. I'm not sure if that will work either though.


Well, scottro, I can't put an alias in the sudoers file like "user ALL=(ALL) gethddtemp" <- this results in an error saving the sudoers file. The only way is to put the actual /usr/sbin/smartctl into the sudoers file, but in that case the user will be able to access all features of the smartctl command, which is a total bummer in my case. No go on this one :(


Any other suggestions?



Thanks

premudriy
10th August 2008, 10:37 AM
> Grr. EDIT--another thought, though it's very late here, and this might be a waste of your time. Create a shell script that does the smartctl command with the switches you want. Then, give him the rights to that shell script. So if the script just reads
>
> #!/bin/sh
> /usr/sbin/smartctl (various switches)
>
> and you call it something, like smartswitch.sh (as I said, it's very late here and I can't think of a good name) put it in /usr/sbin then give him rights to that shell in /etc/sudoers, it might do what you want.

It's worth a try. I'm going to do it now. The only question I have is: Do I have to change that shell script with chmod to make it an executable? It just popped up in my head because somewhere a long time ago I remember a tutorial where a script had to be made executable. I don't remember how to use chmod to make a script executable. I'll report on my trials in a few minutes.

premudriy
10th August 2008, 11:13 AM
Some good news!

I've created file "gethddtemp" in /usr/sbin and put inside


#!/bin/sh
/usr/sbin/smartctl (various switches)

just like scottro said. Then I've used "chmod a+x gethddtemp" and turned it into an executable. Finally, I've added access to "gethddtemp" into the sudoers file for my specific user, and also made it so he doesn't need to use a password.
Now all he has to do is type "sudo /usr/sbin/gethddtemp" and the numerical value of the temperature is returned.


Still, if anyone finds how to do it PURELY with the sudoers file, please, let me know. I'll make this "gethddtemp" command invoked after specific time intervals, so having to run a script every time the command gets invoked is kind of lame, especially if the time interval is 1 second or so. Getting rid of having to run the script is my next goal.


Nevertheless, it's the closest solution for now, so, thank you, scottro, very much!

scottro
10th August 2008, 11:24 AM
Glad it worked.
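
Added example, not part of the original thread: sudoers can match a command's arguments exactly, which gives the sudoers-only rule asked for above, and the wrapper script can be locked down so it accepts no arguments and returns nothing but the temperature. The user john, /dev/sda and /usr/sbin/gethddtemp come from the thread; the awk-based parse_temp, the attribute name Temperature_Celsius and the sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: hardened /usr/sbin/gethddtemp.
# Install root-owned and not writable by the user:
#   chown root:root /usr/sbin/gethddtemp && chmod 0755 /usr/sbin/gethddtemp
#
# sudoers entries (edit with visudo); "john" is the thread's example user.
#   Too broad: every smartctl option runs as root.
#     john ALL=(ALL) /usr/sbin/smartctl
#   Pure sudoers: arguments after the path must match exactly.
#     john ALL=(root) NOPASSWD: /usr/sbin/smartctl -a /dev/sda
#   Wrapper: "" means the command may only run with no arguments.
#     john ALL=(root) NOPASSWD: /usr/sbin/gethddtemp ""

# Read `smartctl -a` output on stdin, print only the raw temperature.
# Assumes the drive reports an attribute named Temperature_Celsius.
parse_temp() {
    awk '$2 == "Temperature_Celsius" && $10 ~ /^[0-9]+$/ { print $10; ok = 1; exit }
         END { exit !ok }'
}

# Constructed sample of the SMART attribute table, for offline testing.
sample_smartctl_output() {
    cat <<'EOF'
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2841
194 Temperature_Celsius     0x0022   034   045   000    Old_age   Always       -       34 (Min/Max 20/45)
EOF
}

gethddtemp() {
    # Refuse arguments even if the sudoers rule is later loosened.
    [ "$#" -eq 0 ] || { echo "usage: gethddtemp" >&2; return 64; }
    # Fixed PATH and absolute paths: nothing is taken from the caller.
    PATH=/usr/sbin:/usr/bin:/bin
    export PATH
    /usr/sbin/smartctl -a /dev/sda | parse_temp
}

# Run only when installed under the name gethddtemp.
case "${0##*/}" in
    gethddtemp) gethddtemp "$@" ;;
esac
```

With the exact-argument rule the user types "sudo /usr/sbin/smartctl -a /dev/sda | grep Temp | cut -c88-89" and only smartctl runs as root, but he still sees the full -a output for that drive. The wrapper rule exposes only the temperature value.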