Question

BACKGROUND:

I have an application that is freshly deployed every day -- a VM is created, and then root for that system creates a "systemuser", which then installs the application.

It's running:

  • CentOS 6
  • RVM
  • Ruby 1.8.7 on Rails
  • passenger

The way it's set up, I have to have Ruby on Rails install itself, and install passenger. To this end the user running the service has sudo powers, but the intention is to only allow the commands needed during installation. For security and maintainability reasons we cannot put the sudo password in the script.

My /etc/sudoers includes:

systemuser ALL = NOPASSWD: /usr/bin/env, /bin/bash, /usr/local/rvm/rubies/ruby-1.8.7-p358/bin/gem, /bin/cp, /bin/ln, /bin/mv, /bin/rm, /etc/init.d/httpd *

THE PROBLEM:

Until recently a variant of this worked great. However, recently something changed somewhere (?) and the rvmsudo command no longer executes without a password prompt.

$ rvmsudo passenger-install-apache2-module

 We trust you have received the usual lecture from the local System
 Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

 [sudo] password for systemuser: 

THE QUESTION:

What is the minimal set of commands that should be in /etc/sudoers to install rvm, ruby, bundler/gem, and then passenger2 on apache?

Yes, I've read the "documentation" at https://rvm.io/integration/passenger/

Creative solutions welcomed! I realize one may say this looks like a pretty hacky system, and I'd agree with you. But at the moment it's hard for me to improve it without understanding what commands are being run by this passenger install script.

Removing "env" and "bash" from the front and adding "rvm" gets a little farther:

systemuser ALL = NOPASSWD: /usr/local/rvm/bin/rvmsudo, /usr/local/rvm/gems/ruby-1.8.7-p358/bin/passenger-install-apache2-module, /bin/cp, /bin/ln, /bin/mv, /bin/rm, /etc/init.d/httpd *

Running this:

$ rvmsudo passenger-install-apache2-module
[sudo] password for systemuser: 

Thanks for your attention!


Solution

/usr/bin/env is a router that allows running any command, and the same goes for /bin/bash; you would have to add the output of `which passenger-install-apache2-module` instead of them.
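To make the answer's point concrete, here is an added example (not part of the original question or answer) that audits a sudoers rule for command entries which act as pass-through wrappers: allowing /usr/bin/env or /bin/bash with NOPASSWD is equivalent to allowing ALL, because each runs whatever argument it is given. The two rules below are constructed from the paths in the question; the WRAPPERS list is my own assumption of common pass-through binaries and is not exhaustive.

```shell
# Added example, not code from the original post: flag sudoers Cmnd entries
# that hand the user an arbitrary-command wrapper.

# Binaries that execute whatever argument they are given. Listing one of
# these in a Cmnd list is equivalent to granting ALL. (Assumed list.)
WRAPPERS="/usr/bin/env /bin/bash /bin/sh /bin/dash /usr/bin/sudo"

# The rule from the question, reproduced here as the weak setting.
WEAK_RULE='systemuser ALL = NOPASSWD: /usr/bin/env, /bin/bash, /usr/local/rvm/rubies/ruby-1.8.7-p358/bin/gem, /bin/cp, /bin/ln, /bin/mv, /bin/rm, /etc/init.d/httpd *'

# The same rule with env and bash replaced by the concrete script path, as
# the answer recommends (path taken from the question's second attempt).
HARDENED_RULE='systemuser ALL = NOPASSWD: /usr/local/rvm/gems/ruby-1.8.7-p358/bin/passenger-install-apache2-module, /usr/local/rvm/rubies/ruby-1.8.7-p358/bin/gem, /bin/cp, /bin/ln, /bin/mv, /bin/rm, /etc/init.d/httpd *'

# Print each offending entry of a sudoers rule, one per line. Prints nothing
# when the rule contains only concrete commands.
# $1: one complete sudoers rule line
audit_rule() {
    # Drop everything up to the PASSWD:/NOPASSWD: tag, leaving the Cmnd list.
    cmds=$(printf '%s\n' "$1" | sed 's/^.*PASSWD:[[:space:]]*//')
    # One entry per line; the first token of each entry is the binary path,
    # anything after it (e.g. "*" on /etc/init.d/httpd) is an argument spec.
    printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r entry; do
        bin=$(printf '%s\n' "$entry" | sed 's/^[[:space:]]*//' | cut -d' ' -f1)
        if [ "$bin" = "ALL" ]; then
            printf '%s\n' "$bin"
            continue
        fi
        for w in $WRAPPERS; do
            if [ "$bin" = "$w" ]; then
                printf '%s\n' "$bin"
            fi
        done
    done
}

# Exit-status form for use in a deploy script: 0 when clean, 1 otherwise.
rule_is_clean() {
    [ -z "$(audit_rule "$1")" ]
}

audit_rule "$WEAK_RULE"        # prints /usr/bin/env and /bin/bash
rule_is_clean "$HARDENED_RULE" && echo "hardened rule is clean"
```

The check only looks at the binary path of each entry, so it will not catch a concrete command that happens to offer its own shell escape; it is a guard against the specific mistake in the question, not a full sudoers lint. Run it against the output of `sudo -l` or the generated sudoers fragment as part of the daily deploy so a regression like this is caught before the VM goes live.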

Licensed under: CC-BY-SA with attribution