Environment variables when using sudo


Mthales

Technical User
Feb 27, 2004
1,181
GB
Hi,
I have a script that makes a connection via ssh and does some work. This script is very successful if it is run by a "standard user" who has the ssh keys set up in their home directory so the ssh does not require them to enter a password.

My problem is now that I'm trying to enable this script to be used from another user who cannot ssh. What I want to do is set it so this other user can use a command like this:
"sudo -u <standard user> script_name"

I have the sudoers set up so this user can use sudo on this script without a password.

My problem is that I can't get the ssh working.

Can anyone offer some advice?
Thanks
M


--------------------------------------
My doctor says that I have a malformed public-duty gland and that I am therefore excused from saving universes.
 
I've just created a test script that does an ssh hostname date under one user, created a sudo rule to run it from another user and tested it successfully.

How exactly does it fail? Any errors? Or does it just prompt for the SSH password? What does your sudoers entry look like?

Annihilannic.
 
Thanks for the time you have spent thinking about this - it's just that it prompts for the ssh password which messes up the script. So it's not giving any errors and I know I'm close to getting it working.

my sudoers entry looks like:

<limited user> All=(<normal user>) NOPASSWD: <full path to script>

Does that seem sensible?
M

 
Are you certain it's ssh prompting for the password and not sudo? Maybe echo some text at the beginning of your script to make sure (i.e. if it comes up before the password prompt then it's definitely ssh).

Your sudo entry looks good though. What OSs? sudo version? SSH version?

Annihilannic.
 
Thanks for the suggestion about the output from the script - you were right it was the sudo that was asking for the password not the ssh!
So I'm feeling like the sudoers entry is wrong, but I don't see how. Does the path put in the sudo command have to exactly match that in the entry or something?

What I'm working with is:
Linux 2.6.5-7.201-rtgfx #1 SMP Sat Sep 24 09:15:55 PDT 2005 ia64 ia64 ia64 GNU/Linux (from uname -a)
Sudo version 1.6.7p5
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004

M


 
Yes, the path has to match exactly, I always use full paths when using sudo, both when defining the sudo rule and when running the command. Are there any parameters to the script?

Annihilannic.
 
OK now I have the paths matching exactly in the definition and the sudo command. And I've removed the parameters to the script. Also when I do sudo -l from the limited user I can see the definition line.

I feel like I've missed something really simple because it seems like if I test the sudo in a way so I can enter the password that works and then directly after if I try it again it doesn't ask for a password.

Is there some other sudo option or mode on the script file I should be adding?

M

 
Your sudo rule doesn't seem to be working. The strange password behaviour you are seeing is normal for sudo... it caches a correct password entry so that you can run a command subsequently without re-entering the password.

I think ALL might have to be in capitals?

Here is my /etc/sudoers entry, paraphrased.

nonprivileged LOCAL = (privileged) NOPASSWD: /users/privileged/tektips/sudossh

Annihilannic.
 
I'm glad at least some of what I'm seeing is "normal" behaviour!

You are right about the all needing to be capitalised, but that is actually what I have. (I should pay more attention to copying examples better.)

Do you (or anyone else) have any other ideas as to why this line is not working correctly? Is the entry white space sensitive? Is there something I need to do to make the changed entry be "implemented"?

M

 
Are you using the visudo command to edit it? That performs validation of the syntax before allowing you to save the updated file.

Annihilannic.
 
Yes I am using visudo and when I use the -c option it says the "/etc/sudoers file parsed OK".
Just for clarity the exact line I have in my file currently is
Code:
wwwrun  ALL=(ALL)       NOPASSWD:/srv/www/htdocs/scan/includes/scan_scripts/test_run

M

 
Have a look at the TROUBLESHOOTING file that comes with sudo for some ideas (do a rpm -ql sudo to locate it).

Some possibilities in that file are to enable syslog logging for the local2 facility, which might help you identify the problem. It also describes a method to disable password authentication completely.

Also all of our entries have spaces after 'NOPASSWD:'. It doesn't seem to make a difference, but try it I guess.

Annihilannic.
 
Thank you very much for your help. The system log showed up what the problem was: TTY=Unknown when sudo was configured not to allow this.
So it's been reconfigured and now works! :-D

Thanks again
M
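Added example, not part of the thread: a small triage script for the sudo syslog entries that resolved this problem, mapping each rejection reason to the setting to check. The log lines are constructed samples that reuse the user and path from the sudoers entry quoted above; the reason strings follow sudo's usual log wording, which is an assumption and can differ between versions.

```python
import re

# Constructed sample syslog lines (not from the thread).
SAMPLE_LOG = """\
Mar  3 10:01:12 host sudo:   wwwrun : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/srv/www/htdocs ; USER=root ; COMMAND=/srv/www/htdocs/scan/includes/scan_scripts/test_run
Mar  3 10:05:40 host sudo:   wwwrun : command not allowed ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/srv/www/htdocs/scan/test_run
Mar  3 10:09:03 host sudo:   wwwrun : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/srv/www/htdocs/scan/includes/scan_scripts/test_run
"""

LINE_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<body>.*)$")

# Reason substring -> what to check (wording assumed, varies by sudo version).
HINTS = {
    "you must have a tty": "requiretty is set and the caller has no terminal",
    "command not allowed": "path or arguments do not match the sudoers rule exactly",
    "incorrect password": "NOPASSWD rule did not match, sudo asked for a password",
}

def parse_sudo_line(line):
    """Return user, reason (None when the command ran) and KEY=value fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # COMMAND is always last and may itself contain " ; ", so cut it off first.
    head, sep, command = m.group("body").partition("COMMAND=")
    parts = [p.strip() for p in head.split(" ; ") if p.strip()]
    # A rejected call carries free text before the first KEY=value field.
    reason = None
    if parts and not re.match(r"^[A-Z]+=", parts[0]):
        reason = parts.pop(0)
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    if sep:
        fields["COMMAND"] = command
    return {"user": m.group("user"), "reason": reason, **fields}

def triage(log_text):
    """Return (user, command, tty, hint) for every rejected sudo invocation."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None or rec["reason"] is None:
            continue
        hint = next((h for k, h in HINTS.items() if k in rec["reason"]),
                    "unrecognised reason: " + rec["reason"])
        findings.append((rec["user"], rec.get("COMMAND"), rec.get("TTY"), hint))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

When the hint points at requiretty, scoping the exception to the one account with `Defaults:wwwrun !requiretty` keeps the setting in force for every other user.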

 