I am required to use a program in a git pre-receive hook, which program can only be run as root. The program is called with a variety of arguments determined during runtime (which cannot be anticipated), but I am loath to include globbing in an /etc/sudoers entry.
As such, I've tried adding either of the following lines to /etc/sudoers:
<system_user> ALL=(root) NOPASSWD: /path/to/script
or
<system_user> ALL=(root) NOPASSWD: /usr/bin/bash
/path/to/script
and running sudo /path/to/script or sudo /usr/bin/bash /path/to/script accordingly. Either way, I get a Permission denied error when an external command is reached in the script. I've reproduced the behaviour with the very small script below. An equivalent script with cat (/usr/bin/cat) causes the same error, whereas echo (shell builtin) works as expected. A user with unrestricted sudo access running the script via sudo receives, of course, the output 0.
[<my_user>@<host> ~] $ sudo grep <system_user> /etc/sudoers
<system_user> ALL=(root) NOPASSWD: /usr/bin/bash /path/to/script
[<my_user>@<host> ~] $ ls -l /path/to/script
-rwxr-x---. 1 root root 6 Jun 4 18:24 /path/to/script
[<my_user>@<host> ~] $ sudo cat /path/to/script
id -u
[<my_user>@<host> ~] $ sudo -u <system_user> sudo /usr/bin/bash /path/to/script
/path/to/script: line 1: /bin/id: Permission denied
[<my_user>@<host> ~] $ sudo -iu <system_user>
[<system_user>@<host> ~]$ sudo /usr/bin/bash /path/to/script
/path/to/script: line 1: /bin/id: Permission denied
I don't see any error in /var/log/secure (see next block), unless it's not normal that the username and uid do not match.
Jun 4 15:53:17 <host> sudo[212263]: <system_user> : TTY=pts/2 ; PWD=/working/dir ; USER=root ; COMMAND=/usr/bin/bash /path/to/script
Jun 4 15:53:17 <host> sudo[212263]: pam_unix(sudo:session): session opened for user root by <my_user>(uid=<system_user_uid>)
Jun 4 15:53:17 <host> sudo[212263]: pam_unix(sudo:session): session closed for user root
Is there any way to restrict system_user's root abilities to running one script as root, including external commands called therein (i.e. without explicitly allowing every invocation of cat, awk etc. the script could use)? I'd also appreciate any attempt to explain the error :)
$ sudo --version
Sudo version 1.9.5p2
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.5p2
Sudoers audit plugin version 1.9.5p2
$ head -2 /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.10 (Ootpa)"
[<my_user>@<host> ~] $ which id
/usr/bin/id
[<my_user>@<host> ~] $ sudo which id
/bin/id
[<my_user>@<host> ~] $ ls -l /bin/id
-rwxr-xr-x. 1 root root 46576 Jan 6 2023 /bin/id
[<my_user>@<host> ~] $ namei -lvx /bin/id
f: /bin/id
Dr-xr-xr-x root root /
lrwxrwxrwx root root bin -> usr/bin
drwxr-xr-x root root usr
dr-xr-xr-x root root bin
-rwxr-xr-x root root id
system_user can't run /bin/id, then what has that got to do with sudo?
grep -r noexec /etc/sudoers /etc/sudoers.d/
sestatus to your question, seeing as you're on RHEL?
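The comment above suggests grepping the sudoers files for noexec. As an added example (not code from the question or its comments), the shell check below scans a sudoers text for Defaults lines that turn noexec on and lists the command specs that carry no EXEC: tag to override it; the sudoers snippet, user names and paths inside it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the question or its comments. It scans sudoers text for a
# "noexec" Default (global or scoped), the setting under which sudo stops a permitted
# script from exec'ing other programs, and lists command specs that do not override
# it with an EXEC: tag.
# SAMPLE_SUDOERS is constructed for this demo; user names and paths are placeholders.

SAMPLE_SUDOERS='Defaults    env_reset,noexec
Defaults:backup !noexec
# hook helper, inherits the global noexec
deploy  ALL=(root) NOPASSWD: /usr/bin/bash /path/to/script
# explicit EXEC: tag re-enables exec() for this one command
backup  ALL=(root) NOPASSWD: EXEC: /usr/local/bin/backup.sh
'

# Print the Defaults scope ("Defaults", "Defaults:user", ...) of every line that
# turns noexec on. Comment lines and "!noexec" are ignored.
noexec_defaults() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 ~ /^Defaults/ {
            scope = $1
            gsub(/,/, " ")            # "env_reset,noexec" -> separate tokens
            for (i = 2; i <= NF; i++) if ($i == "noexec") print scope
        }'
}

# Print the users of command specs that carry no EXEC: tag, i.e. those that would
# inherit a global noexec and hit "Permission denied" on the first external command.
specs_without_exec_tag() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 ~ /^Defaults/ { next }
        $2 ~ /^ALL=/ && $0 !~ /(^|[[:space:]])EXEC:/ { print $1 }'
}

# Stand-alone run against the constructed sample; on a real host feed it the
# output of "sudo cat /etc/sudoers" and the files under /etc/sudoers.d instead.
noexec_defaults "$SAMPLE_SUDOERS"          # -> Defaults
specs_without_exec_tag "$SAMPLE_SUDOERS"   # -> deploy
```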