Sudoers

Having a bit of a discussion with a software vendor about this. Can anyone confirm my understanding?

/etc/sudoers file example:

user1 server1 = NOPASSWD:/usr/bin/ls -l
user1 server1 = NOPASSWD:/usr/bin/file

But then the following command fails (logged in on server1 as user1) because it's not in the sudoers file.

sudo java abc.jar

Surely this is correct? You can't sudo a command unless you have appropriate permissions in /etc/sudoers? Am I right?

Yes, you have granted user1 the privilege to use sudo and run ls -l and /usr/bin/file only. Everything else would be rejected.

You would need a line that allows user1 to run java, so you are correct.

Kind regards,
Robin

sudo java abc.jar

I'd recommend being really careful about what's in abc.jar and/or which abc.jar the user is allowed to run under sudo.

Because anyone who knows even a little Java programming will be able to create a JAR file that does anything they want. Allowing sudo access to Java is awfully close to giving the users full access to root if they want it.

You're probably a lot better off writing a wrapper script, limiting write access to that script to root only, making sure the environment variables are all clean, and then giving sudo access to that wrapper script instead of allowing sudo to run Java directly.
