How to run a root-level command if the user only has "su -" permission in sudoers?

I am looking to run a root-level command on multiple servers, but all servers have only "su -" permission available in sudoers.
Please help me if there is any way I can run a command with the help of "su -".

My script

# hosts.txt holds one hostname per line
for hosts in `cat hosts.txt`;
do
echo "###########################Server Name- $hosts ----Running script-Please Wait--- Please wait###########################"
# the password "abc" is fed to "sudo -S" on stdin; the command itself is passed as ssh arguments
ssh -q -t  "abc@$hosts" sudo -S <<< "abc" systemctl restart crond
done

Error----------

[sudo] password for abc:
Sorry, user abc is not allowed to execute 'systemctl restart crond' as root on xyz.domain1.com
    
[abc@localhost ~]$ sudo -l
(root) NOPASSWD: /bin/su -

Hi, have you tried: su -c "<cmd>"

hth

Tried, getting the same permission error

[abc@xyz ~]$ sudo su -c  systemctl restart crond
[sudo] password for deepak:
Sorry, user abc is not allowed to execute '/bin/su -c systemctl restart crond' as root on node1.xyz.com.
[abc@xyz ~]$  su -c  systemctl restart crond
su: user restart does not exist

Permission in sudoers.............

[abc@xyz ~]$ sudo -l
User abc may run the following commands on xyz:
    (root) NOPASSWD: /bin/su -

That means you must run exactly sudo su - .
The following is an attempt to feed that with the desired command on standard input:

for host in `cat hosts.txt`
do
  echo "###########################Server Name- $host ----Running script-Please Wait--- Please wait###########################"
  # "sudo su -" is exactly what the sudoers rule allows; the command is read by the root login shell from stdin
  ssh -q -x -t  "abc@$host" "sudo su -" <<< "systemctl restart crond"
done
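The same stdin-fed "sudo su -" approach, as an added example (my own code, not the poster's script): it reads hosts.txt robustly, skips blank and commented lines, does not request a tty (stdin is a pipe), and reports each host's remote exit status instead of silently moving on. It assumes key-based SSH for the abc account (BatchMode=yes, so nothing prompts) and a hosts file with one name per line; the SSH variable is only there so the transport can be swapped out when exercising the script locally.

```shell
#!/bin/sh
# Added example, not the poster's script. Runs one command as root on every host by feeding
# it to "sudo su -" on stdin, which is exactly the command the sudoers rule
# "(root) NOPASSWD: /bin/su -" permits. Assumes key-based SSH for user abc.
SSH=${SSH:-ssh}   # transport command; overridable so the logic can be exercised locally

# run_as_root HOST CMD: run CMD as root on HOST. The exit status is the remote command's
# status, because the root login shell started by "su -" exits with the status of the
# last command it read from stdin.
run_as_root() {
    host=$1
    cmd=$2
    # No -t: stdin is a pipe, not a terminal, so a pty must not be requested.
    printf '%s\n' "$cmd" | $SSH -q -x -o BatchMode=yes "abc@$host" 'sudo su -'
}

# run_on_all HOSTFILE CMD: run CMD on every host listed in HOSTFILE (one per line,
# blank lines and # comments skipped). Returns the number of hosts that failed.
run_on_all() {
    hostfile=$1
    cmd=$2
    failed=0
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        echo "########## Server Name- $host ---- running: $cmd ##########"
        if run_as_root "$host" "$cmd"; then
            echo "$host: OK"
        else
            echo "$host: FAILED (remote exit status $?)"
            failed=$((failed + 1))
        fi
    done < "$hostfile"
    return "$failed"
}

# Usage (real run): run_on_all hosts.txt 'systemctl restart crond'
```

Because the whole command line is handed to a root login shell, anything placed in hosts.txt or in the command string runs as root on every server; treat both as carefully as the sudoers file itself.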

The privilege you have permits you to become the superuser, but not to run anything directly from your account as the superuser.

If you can become the superuser, then I presume you are the system administrator (or part of the team) so you should know how to write yourself the appropriate sudo rule. Can you show us what you have tried?

    • CAUTION - -
      If you break the sudo rules, then it is possible to lock yourself out, i.e. if they are invalid then you may not be able to even sudo su - like you can at the moment.
      Make sure you have several superuser sessions already connected before you do this, and better to use the visudo tool too. It protects you somewhat, but it's probably not infallible.
      Take copies of any files before you change them and make sure you have a way and the privilege to put them back if you need to. Save the permissions, else sudo may still refuse to run.

If you need to restart crond, then you add a rule for that in /etc/sudoers.d/yourfilename.
Rules must be added specifically per service using the entire restart/stop string, e.g. systemctl stop crond, systemctl start crond.
Best to name the file after the user which needs to run the elevated command, e.g. ansible for instance, but that's a choice.

The more specific you are in your sudo definition, more secure your system is.
Adding custom scripts can be a major attack vector for unauthorized access.

Worst case scenario is using shell redirection capabilities to accomplish such a task, as opposed to configuring your system properly.

But each to his own, as they say :)

Regards
Peasant.
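A worked version of the rule described in the post above, as an added example (my own code, not from the thread): a small script that generates the per-action sudoers line, lets visudo check the syntax, and installs it as a drop-in under /etc/sudoers.d. It assumes systemctl resolves to /usr/bin/systemctl on the target (verify with command -v systemctl on each host and adjust, since sudo matches the full path), that the drop-in is named after the user (/etc/sudoers.d/abc), and that install_rule is run as root, e.g. from the sudo su - session you still have open.

```shell
#!/bin/sh
# Added example, not from the thread. Builds and installs a least-privilege sudoers drop-in
# so that user abc can manage crond without being handed a full root shell.
# Assumption: systemctl is /usr/bin/systemctl on the target (verify with "command -v systemctl").
SYSTEMCTL=${SYSTEMCTL:-/usr/bin/systemctl}

# sudoers_rule USER ACTION...: print one sudoers line granting USER "systemctl ACTION crond"
# as root for each ACTION, each command spelled out in full. sudo matches the whole command
# line, so "systemctl restart sshd" or a bare "systemctl" do not match and keep failing.
sudoers_rule() {
    user=$1
    shift
    cmds=""
    for action in "$@"; do
        if [ -n "$cmds" ]; then
            cmds="$cmds, "
        fi
        cmds="$cmds$SYSTEMCTL $action crond"
    done
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmds"
}

# install_rule USER FILE ACTION...: write the rule to a temporary file, refuse to continue
# unless visudo accepts it, then install it with the 0440 mode sudo insists on.
# Never touches /etc/sudoers itself, so a typo cannot lock out the existing "su -" rule.
install_rule() {
    user=$1
    file=$2
    shift 2
    tmp=$(mktemp) || return 1
    sudoers_rule "$user" "$@" > "$tmp"
    if ! visudo -cf "$tmp"; then
        echo "refusing to install: visudo rejected the rule in $tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$file" && rm -f "$tmp"
}

# Usage (as root): install_rule abc /etc/sudoers.d/abc restart stop start
# Afterwards, as abc, "sudo -l" should list the three commands and the remote loop
# no longer needs "su -" at all:
#   ssh -q abc@$host sudo systemctl restart crond
```

Keep a second root session open while installing, as the CAUTION above says; if visudo rejects the file nothing is installed, and if you have the path to systemctl wrong the rule is harmless but sudo -l will show the mismatch, since the listed command will not match what the user actually runs.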