I am looking to run a root-level command on multiple servers, but all servers have only "su -" permission available in sudoers.
Please help me: is there any way that I can run the command with the help of "su -"?
My script
for hosts in $(cat hosts.txt);
do
echo "###########################Server Name- $hosts ----Running script - Please wait---###########################"
ssh -q -t abc@$hosts sudo -S <<< "abc" systemctl restart crond
done
Error:
[sudo] password for abc:
Sorry, user abc is not allowed to execute 'systemctl restart crond' as root on xyz.domain1.com
[abc@xyz ~]$ sudo su -c systemctl restart crond
[sudo] password for deepak:
Sorry, user abc is not allowed to execute '/bin/su -c systemctl restart crond' as root on node1.xyz.com.
[abc@xyz ~]$ su -c systemctl restart crond
su: user restart does not exist
Permission in sudoers:
[abc@xyz ~]$ sudo -l
User abc may run the following commands on xyz:
(root) NOPASSWD: /bin/su -
The privilege you have permits you to become the superuser, but not to run anything directly from your account as the superuser.
If you can become the superuser, then I presume you are the system administrator (or part of the team), so you should know how to write yourself the appropriate sudo rule. Can you show us what you have tried?
CAUTION - -
If you break the sudo rules, then it is possible to lock yourself out, i.e. if they are invalid then you may not even be able to sudo su - like you can at the moment.
Make sure you have several superuser sessions already connected before you do this, and better to use the visudo tool too. It protects you somewhat, but it's probably not infallible.
Take copies of any files before you change them and make sure you have a way and the privilege to put them back if you need to. Save the permissions as well, else sudo may still refuse to run.
If you need to restart crond, then you add a rule for that in /etc/sudoers.d/yourfilename.
Rules must be added specifically per service, using the entire restart/stop string, e.g. systemctl stop crond, systemctl start crond.
It is best to name the file after the user which needs to run the elevated command, e.g. ansible for instance, but that's a choice.
The more specific you are in your sudo definition, the more secure your system is.
Adding custom scripts can be a major attack vector for unauthorized access.
The worst-case scenario is using shell redirection capabilities to accomplish such a task, as opposed to configuring your system properly.
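Putting both answers together, here is an added example (not code from the question or from either answer) of the specific sudoers fragment they describe, a pre-flight syntax check with visudo, and a corrected rollout loop. Everything beyond the page is an assumption: the unprivileged account is abc, the hosts are listed one per line in hosts.txt, the fragment is called abc-crond, and systemctl lives at /usr/bin/systemctl (sudoers matches on the full path, so confirm it with `command -v systemctl` on the targets). Installing the fragment still has to be done as root, e.g. from the existing `sudo su -` session with visudo, which this script does not do.

```shell
#!/usr/bin/env bash
# Added example, not part of the original question or answers.
# Assumed names (not on the page): user "abc", hosts file "hosts.txt",
# fragment name "abc-crond", systemctl at /usr/bin/systemctl.
set -euo pipefail

# Emit a sudoers fragment that grants exactly the three commands needed.
# Full paths plus the exact argument string: "systemctl restart crond"
# matches only that invocation, so "systemctl restart sshd" is still refused.
sudoers_fragment() {
    local user="$1"
    cat <<EOF
# Let ${user} control crond and nothing else.
Cmnd_Alias CROND_CTL = /usr/bin/systemctl restart crond, \\
                       /usr/bin/systemctl stop crond, \\
                       /usr/bin/systemctl start crond
${user} ALL=(root) NOPASSWD: CROND_CTL
EOF
}

# sudo silently ignores files in /etc/sudoers.d whose name contains a '.'
# or ends in '~', so a fragment called abc.conf would never take effect.
fragment_name_ok() {
    case "$1" in
        ""|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Syntax-check the candidate with visudo before it goes anywhere near
# /etc/sudoers.d; a broken fragment can lock you out, as the answers warn.
# Returns 0 if visudo accepts it, 1 if it rejects it, 2 if visudo is absent.
check_fragment() {
    local file="$1"
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$file" >/dev/null 2>&1
}

# Corrected rollout loop: no password in a here-string or on the command line,
# `sudo -n` fails immediately instead of prompting if the rule is missing, and
# `ssh -n` stops ssh from swallowing the rest of the host list as its stdin.
# SSH can be overridden (e.g. with a wrapper function) for dry runs.
restart_crond_on_hosts() {
    local hostfile="$1" user="$2" host
    while IFS= read -r host; do
        [ -z "$host" ] && continue
        printf '### %s: restarting crond\n' "$host"
        "${SSH:-ssh}" -n -q "${user}@${host}" 'sudo -n /usr/bin/systemctl restart crond' \
            || printf '### %s: FAILED\n' "$host" >&2
    done < "$hostfile"
}

main() {
    local tmp rc=0
    fragment_name_ok abc-crond || { echo "bad fragment name" >&2; return 1; }
    tmp="$(mktemp)"
    sudoers_fragment abc > "$tmp"
    check_fragment "$tmp" || rc=$?
    case "$rc" in
        0) echo "fragment parses OK; install it as root with visudo -f /etc/sudoers.d/abc-crond, mode 0440" ;;
        2) echo "visudo not found here; run the check on a target host before installing" ;;
        *) echo "visudo rejected the fragment, do not install it" >&2; rm -f "$tmp"; return 1 ;;
    esac
    cat "$tmp"
    rm -f "$tmp"
    # Only roll out when explicitly asked, after the rule is in place on every host.
    if [ "${1:-}" = "--rollout" ]; then
        restart_crond_on_hosts hosts.txt abc
    fi
}

main "$@"
```

After installing the fragment, `sudo -l` on a target should list CROND_CTL's three commands under abc instead of the bare `/bin/su -`; only then run the script with `--rollout`.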