LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Old 04-19-2020, 11:27 AM   #1
danmartinj
Help Writing Sudoers Command Alias Complex Command


Hello All,

I have been trying to figure out how to get a complex command to work in the sudoers file over the past couple of days using visudo, but have failed and I do not know what else to try.

Basically, the command I want to work is this:
Code:
lsmod | grep -q _conntrack_ipv4 && iptables -L -n -v -t nat
And a couple others but I figure if I can get at least one to work the others will not be so hard.

I have a test user created and can get some other commands to work with sudo such as:
Code:
testuser ALL = (root) NOPASSWD: /usr/bin/cat /sys/kernel/debug/x86/pti_enabled, /usr/sbin/dmidecode
However, for the more complex commands I need to get to work, it does not. I have tried using things like wildcards (*), played around with using quotes ("commandline args ..."), etc., but looking in the log files it looks like it is only seeing the initial command before the pipe and nothing else:

Code:
sudo: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/sbin/lsmod
So, perhaps someone else can provide me some advice or help, as it would be greatly appreciated right now.

Thanks,
Joe
 
Old 04-19-2020, 11:38 AM   #2
shruggy
Just put the commands into a shell script, put the script into /usr/local/sbin and reference it from sudoers.
 
Old 04-19-2020, 11:51 AM   #3
ehartman
Quote:
Originally Posted by danmartinj
it looks like it is only seeing just the initial command before the pipe and nothing else:
As far as I know sudoers does NOT use a shell, unless you specify a shell script (with a starting shebang en.wikipedia.org/wiki/Shebang_%28Unix%29 to specify the shell) to execute, so shell constructs like pipelines, redirection, command concatenation and/or wildcards are not available TO it. It rather specifically looks at the command you have given in the sudoers file itself.
 
Old 04-19-2020, 01:26 PM   #4
pan64
additionally you do not need to sudo grep:
Code:
sudo <your command> | grep whatever
may work and you only need to use sudo for <your command>

The best advice (just to underline it) is to write a shell script and use sudo to execute it.
 
Old 04-19-2020, 04:35 PM   #5
danmartinj
Original Poster
Hello,

Thanks for the great comments, as now it does make sense to me what the problem is and I feel like there is no solution by just editing the sudoers file. However, I am not sure I like the idea of creating a dedicated shell script either. I have been trying to create a command alias in the test user's .bashrc file as some kind of middle ground but so far it has not yet been working. Does everyone think this should work at least?
 
Old 04-19-2020, 05:22 PM   #6
shruggy
As ehartman stated above sudoers doesn't use a shell. Thus, it knows nothing about shell aliases. Moreover, sudo is very restrictive about command environment and by default inherits only a few environment variables from the user.

You may use shell-style wildcards when specifying commands in sudoers though, but be aware of some quirks. From sudoers(5) manpage:
Quote:
Note that the following characters must be escaped with a ‘\’ if they are used in command arguments: ‘,’, ‘:’, ‘=’, ‘\’.
Quote:
Character classes may be used if your system's glob(3) and fnmatch(3) functions support them. However, because the ‘:’ character has special meaning in sudoers, it must be escaped. For example:
Code:
/bin/ls [[\:alpha\:]]*
Would match any file name beginning with a letter.

Note that a forward slash (‘/’) will not be matched by wildcards used in the file name portion of the command. This is to make a path like:
Code:
/usr/bin/*
match /usr/bin/who but not /usr/bin/X11/xterm.

When matching the command line arguments, however, a slash does get matched by wildcards since command line arguments may contain arbitrary strings and not just path names.

Wildcards in command line arguments should be used with care.
Command line arguments are matched as a single, concatenated string. This means a wildcard character such as ‘?’ or ‘*’ will match across word boundaries, which may be unexpected. For example, while a sudoers entry like:
Code:
%operator ALL = /bin/cat /var/log/messages*
will allow a command like:
Code:
$ sudo cat /var/log/messages.1
It will also allow:
Code:
$ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended. In most cases it is better to do command line processing outside of the sudoers file in a scripting language.
As you can see, even if wildcards are allowed in command arguments in sudoers, using them there is not the best idea.

But putting all that aside, just imagine the security implications of shell aliases being allowed in sudoers. They are controlled by the user and could be changed on a whim. How about alias lsmod='rm -rf /'?

Last edited by shruggy; 04-20-2020 at 02:35 AM.
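The word-boundary quirk quoted above, as an added example that is not part of this thread and not sudo's own code: the first function reproduces how sudo compares a sudoers glob against the command's arguments joined into one string (the page's /var/log/messages* case), and the second shows the allow-list check the manpage tells you to do in a script instead. The wrapper name cat_messages and its assumed location /usr/local/sbin/cat-messages are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): why a wildcard in a sudoers argument
# list matches more than intended, and what a wrapper script does instead.

# sudo matches the sudoers pattern against the command's arguments joined
# into ONE string with single spaces, so '*' and '?' match across words.
# The same glob semantics are reproduced here with a shell 'case' pattern.
# Usage: match_like_sudoers PATTERN ARG... ; returns 0 on match, 1 otherwise.
match_like_sudoers() {
    pattern=$1
    shift
    joined="$*"                 # "$*" joins the remaining words with a space
    case $joined in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# What the sudoers(5) manpage recommends instead: move argument checking
# into a root-owned script. This one (hypothetical /usr/local/sbin/cat-messages)
# accepts exactly one argument and only from an explicit allow-list.
validate_messages_arg() {
    [ $# -eq 1 ] || return 1    # exactly one argument: no trailing /etc/shadow
    case $1 in
        /var/log/messages)        return 0 ;;   # current log
        /var/log/messages.[0-9])  return 0 ;;   # rotated copies messages.0 .. messages.9
        *)                        return 1 ;;
    esac
}

# The wrapper body: sudoers would list this script, not /bin/cat.
cat_messages() {
    validate_messages_arg "$@" || { echo "refused: $*" >&2; return 1; }
    /bin/cat "$1"
}

# Run as "sh thisfile.sh demo" to see the two approaches side by side.
if [ "${1-}" = demo ]; then
    pat='/var/log/messages*'
    match_like_sudoers "$pat" /var/log/messages.1           && echo "sudoers glob allows: /var/log/messages.1"
    match_like_sudoers "$pat" /var/log/messages /etc/shadow && echo "sudoers glob allows: /var/log/messages /etc/shadow  (!)"
    validate_messages_arg /var/log/messages.1               && echo "wrapper allows:      /var/log/messages.1"
    validate_messages_arg /var/log/messages /etc/shadow     || echo "wrapper refuses:     /var/log/messages /etc/shadow"
fi
```

The glob cannot be tightened to fix this: a `*` that is needed to admit messages.1 also admits the space and the second path, which is why the manpage pushes argument validation into a script that sudoers then lists by absolute path.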
 
Old 04-19-2020, 11:58 PM   #7
MadeInGermany
A sudo script must be protected. I.e. root-owned, and stored at a root-owned location like /usr/local/bin/.

Alternatively use sudo for each sub-command:
Code:
sudo lsmod | grep -q _conntrack_ipv4 && sudo iptables -L -n -v -t nat
This can be stored in a script or alias without further protection.
Sudoers example:
Code:
%operator ALL = /usr/sbin/lsmod, /usr/sbin/iptables -L *
 
Old 04-20-2020, 12:41 AM   #8
pan64
I wouldn't recommend anything in ~user/.bashrc because the user (owner) can modify it. Also, an alias is not a good idea, because it is not handled very well among different shells (for example when sudo is executed).
 
Old 04-20-2020, 12:46 AM   #9
Turbocapitalist
Quote:
Originally Posted by danmartinj
Hello,

Thanks for the great comments, as now it does make sense to me what the problem is and I feel like there is no solution by just editing the sudoers file. However, I am not sure I like the idea of creating a dedicated shell script either. I have been trying to create a command alias in the test user's .bashrc file as some kind of middle ground but so far it has not yet been working. Does everyone think this should work at least?
I'd reiterate what has been written already: writing a short script is the way to accomplish your task and, specifically, that script must not be writable in any way, directly or indirectly, by any other account than root. So keeping it in /usr/local/bin/ or /usr/local/sbin/ would be one good choice, since that's where scripts generally go anyway: A place for everything and everything in its place, see "man hier".

Scripting is a useful and important part of using the computer. It might seem challenging at first but it's not hard once you get familiar with the process.
 
Old 04-20-2020, 02:26 AM   #10
ehartman
Quote:
Originally Posted by shruggy
You may use shell-style wildcards when specifying commands in sudoers though, but be aware of some quirks.
Didn't know that. Thanks!
But I'm not really a sudo user, so I do not go that deep into the sudoers file.
 
Old 04-20-2020, 02:17 PM   #11
danmartinj
Original Poster
Quote:
Alternatively use sudo for each sub-command:
MadeInGermany has a good idea. However, I tried that and it does not work. I believe the pipe (|) and And (&&) break this functionality. Basically, from my understanding you can only alias a single command from the sudoers file. This means that no other shell functionality will work and so breaking up the original command will not work.

Honestly, in my case another application is running the:
Code:
sudo lsmod | grep -q _conntrack_ipv4 && sudo iptables -L -n -v -t nat
which means that application has to run that command exactly and cannot run a separate script unless that script is aliased, as was my last idea I tried.

So, at this time my feeling is what I am trying to do cannot be done as the more I think about it creating a script and aliasing from a users profile does not seem like a valid solution either. If someone else has any other ideas please let me know. Either way thanks again for everyone's time as I definitely have learned from this.

Joe
 
Old 04-20-2020, 05:52 PM   #12
ehartman
Quote:
Originally Posted by danmartinj
cannot run a separate script unless that script is aliased as was my last idea I tried.
Aliasing is a shell function too (and is rather "which shell" dependent). So you cannot use any aliases in a sudoers file.
And - for instance - sourcing an executable through the PATH is a shell task too; the sudoers file needs absolute paths to the commands to be executed.

Last edited by ehartman; 04-20-2020 at 05:53 PM.
 
Old 04-21-2020, 12:07 AM   #13
pan64
I would suggest you write a script like this (put it into /usr/local/bin/myscript):
Code:
#!/bin/sh
# /usr/local/bin/myscript: root-owned dispatcher, run through sudo.
# The first argument selects the subcommand; the rest go to that subcommand.
mode=$1
shift

lsmod_func() {
    /sbin/lsmod
}

iptables_func() {
    # read-only listing of the nat table, the command from the first post;
    # caller-supplied arguments are deliberately not forwarded to iptables
    /usr/sbin/iptables -L -n -v -t nat
}

case $mode in
   lsmod) lsmod_func "$@";;
   iptables) iptables_func "$@";;
   # further subcommands go here, one function each
   *) echo "incorrect mode" >&2; exit 1;;
esac
invoke it like this: myscript <subcommand> <arguments>
and you can make alias for the users like:
Code:
alias iptables='sudo /usr/local/bin/myscript iptables'
and it will invoke the function you put into that script (as root).
 
  

