REX using SUDO

Hello guys,
I see that when I use SUDO with REX in an Errata installation or run a remote command, Foreman/Katello uses SUDO without sh before the script. Unfortunately, in my company the SUDO template only allows execution with “sh” prefixed before the script.

Here is the SUDO log (using REX):

Apr 28 20:53:13 : rexuser : command not allowed ; TTY=pts/1 ;
PWD=/home/rexuser ; USER=root ;
COMMAND=/var/tmp/foreman-ssh-cmd-235b2eeb-3f3a-4b14-ae9d-3e83d103449d/script

And here, for example, is another attempt using the sh command before the script; it is allowed (executed manually in order to test):

Apr 28 20:57:33 : itbipat1 : TTY=pts/1 ; PWD=/home/itbipat1 ; USER=root ;
COMMAND=/usr/bin/sh /var/tmp/tempo-ssh-cmd.sh

My question here is: is there a way to modify the template or REX to prefix the “sh” command?

No, not currently. It would have to be changed in the code.

In theory it could be worked around if you’re allowed to use sudo without a password, but otherwise no.

Okay, I understand it. It should be considered as an enhancement in the next update. Please take it into consideration.
Thanks.

But if you allow people to do sudo sh then they can trivially run any command, no? What’s the point then?
