Command as user

Hello,

How can I execute this pkg command as a user?

/usr/local/sbin/pkg check -da

Because this is part of a zabbix probe it must run with user zabbix.
But all I get is 'pkg: Insufficient privileges'.
This is for pkg check. If I try pkg info or pkg stats -l it's ok.
So it's not pkg but some privileged pkg options.
 
If you try to run a command as a particular user, please edit and update the sudo file using the command visudo as a superuser.
Entry can be something like this.

myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg - allow myuser to run command /usr/local/sbin/pkg as root without typing password
sudo /usr/local/sbin/pkg

%mygroup ALL=(root) NOPASSWD: /usr/local/sbin/pkg - allow mygroup to run command /usr/local/sbin/pkg as root without typing password
sudo /usr/local/sbin/pkg

You can enter more commands using commas.
/usr/local/sbin/pkg, /usr/bin/find
 
How can I execute this pkg command as a user ?
Running pkg check -da fails as a normal user because it doesn't have write access to the local package database. I don't see a way around this. pkg also enforces the user:group of the package db to be root:wheel. In short: pkg check -da has to be run as root.

myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg - allow myuser to run command /usr/local/sbin/pkg as root without typing password
sudo /usr/local/sbin/pkg

%mygroup ALL=(root) NOPASSWD: /usr/local/sbin/pkg - allow mygroup to run command /usr/local/sbin/pkg as root without typing password
sudo /usr/local/sbin/pkg
These rules don't restrict much. Do not do this. It's very easy to get a root shell as myuser this way by just running sudo pkg shell then .system /bin/csh. Might as well just use
Code:
myuser ALL=(ALL) NOPASSWD: ALL
at that point.

I think it would be safer to create a wrapper script (writable by root only) around pkg check -da and then use it instead of directly using /usr/local/sbin/pkg in the solution IPTRACE has suggested.
 
tobik, what do you prefer to use instead of sudo? I mean not only pkg but other apps.
I don't want to add user to wheel group or log in as root.
 
Mainly I work as unprivileged user (no root or wheel group).
Sometimes I have to run a command with root privileges and don't want to log in as root or add my user to the wheel group.
That's one of my security rules.

So I decided to use sudo with some apps (find, crontab, chmod etc.) which I can run as root.
I locked logging in as root except in single user mode.
 
Code:
myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg

These rules don't restrict much. Do not do this.

This would be much better:
Code:
myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg check -da

Be very careful with sudo(8). I've seen stupid things like this too:
Code:
myuser ALL=(root) NOPASSWD: /usr/bin/vi /etc/somefile.conf
vi(1) allows running a shell (:!/bin/sh) so you can effectively break out of the restriction. Same goes for commands like less(1) (also allows running a shell).

If you need to allow editing of a file through sudo(8) use something like this:
Code:
myuser ALL=(root) NOPASSWD: sudoedit /etc/somefile.conf
This would allow you to edit the file safely with sudo -e /etc/somefile.conf.
 
Thanks.
So the problem is not with sudo but with apps which allow running e.g. a shell. Am I right?
Is every app a potential exploit of the system?
 
Careful with the * there.
Code:
     Wildcards in command line arguments should be used with care.
     Command line arguments are matched as a single, concatenated string.
     This mean a wildcard character such as `?' or `*' will match across word
     boundaries, which may be unexpected.  For example, while a sudoers entry
     like:

         %operator ALL = /bin/cat /var/log/messages*

     will allow command like:

         $ sudo cat /var/log/messages.1

     It will also allow:

         $ sudo cat /var/log/messages /etc/shadow

     which is probably not what was intended.  In most cases it is better to
     do command line processing outside of the sudoers file in a scripting
     language.

In this case it would also allow the -exec option of find(1).
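
Added example, not part of the thread: a small POSIX sh linter that flags the sudoers pitfalls discussed above (a command listed without arguments, a program with a built-in shell escape, wildcards in arguments). The function names, the finding labels and the two program lists are assumptions made for this example; the lists hold only programs named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint one sudoers rule per call.
# Both lists hold only programs this thread names; extend them as needed.
INTERACTIVE_ESCAPE="vi less"  # can start a shell from inside, whatever the arguments
ARG_ESCAPE="pkg find"         # run other commands via arguments (pkg shell, find -exec)

in_list() {  # in_list WORD LIST: true if WORD is in the space-separated LIST
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# audit_rule RULE: prints space-separated "program:finding" items, or "ok".
# Simplification: the command list is split on every comma (no escaped commas).
audit_rule() {
    # Drop "user host =", an optional "(runas)" and tags such as "NOPASSWD:".
    cmds=$(printf '%s\n' "$1" | sed -e 's/^[^=]*=[[:space:]]*//' \
        -e 's/^([^)]*)[[:space:]]*//' -e 's/^\([A-Z_]*:[[:space:]]*\)*//')
    findings=""
    old_ifs=$IFS; IFS=,
    set -f                      # do not glob-expand * or ? from the rule text
    for cmd in $cmds; do
        IFS=$old_ifs
        set -- $cmd             # $1 = command path, the rest = its arguments
        [ $# -gt 0 ] || continue
        path=$1; shift; args=$*
        base=${path##*/}
        if [ "$path" = ALL ]; then
            findings="$findings ALL:any-command"
        elif in_list "$base" "$INTERACTIVE_ESCAPE"; then
            findings="$findings $base:interactive-shell"
        elif [ -z "$args" ]; then   # no arguments listed: sudo accepts any
            if in_list "$base" "$ARG_ESCAPE"; then
                findings="$findings $base:any-args-runs-commands"
            else
                findings="$findings $base:any-args"
            fi
        fi
        # Wildcards match across word boundaries, so extra arguments slip in.
        case $args in *[*?]*) findings="$findings $base:wildcard-args" ;; esac
    done
    IFS=$old_ifs; set +f
    findings=${findings# }
    printf '%s\n' "${findings:-ok}"
}

# Rules quoted in the thread, run through the linter.
audit_rule 'myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg'
audit_rule 'myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg check -da'
audit_rule '%operator ALL = /bin/cat /var/log/messages*'
```

A rule that passes this linter is not thereby safe; it only checks the three patterns raised in the thread.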
 