So I have a user in my box, dedicated only to run database dump from our oracle database. All they have to do, is to execute a specific command, with specific parameters and attributes. The problem is, that particular executable can only be run by the owner of the database, in this particular case, “oracle”. Obviously for security reasons, I can’t give anyone the right to execute the dump command, nor can I put the backup account into oracle group. Giving the backup operator the right to execute the command directly would mean that the backup operator is allowed to use different parameters, which would potentially leads to trouble.
If you have a similar case, where you need to give certain account the right to execute only certain commands or scripts, my example may be applicable
So first thing I need to do is to put the dump command and parameters into a single script, so that the backup operator only need to execute that single script. For the purpose of this article, this is what they need to execute:
/backupscript/daily-dmp.sh
Next, you need to make sure that you know the password for “root”. Why? Because when you screw the sudoers file up, you can’t use sudo, and you’ll need to drop down to root shell to repair the damage. Usually, for most ubuntu users, root password is not set out of the box. Also, backup the sudoers file before making any changes.
Edit the sudoers file by doing:
sudo visudo
This is how my sudoers look like:
# This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specification User_Alias BKPOP = dmpuser # Cmnd alias specification Cmnd_Alias BKP = /backupscript/daily-dmp.sh #Runas Runas_Alias DB = oracle # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL BKPOP ALL=(DB)NOPASSWD:BKP # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
Let’s get through the important lines, first the aliases. There are three aliases segments that I used for the purpose of this article, do notice that every single of them are written in capitalized letters, otherwise, it won’t work.
User alias:
User_Alias BKPOP = dmpuser
dmpuser user is the operating system account used by the backup operator to log into the server. I’m giving it the alias “BKPOP”. Next,
Command alias:
Cmnd_Alias BKP = /backupscript/daily-dmp.sh
the BKP alias stores the path to the backup script that they need to execute to start the backup process. And the last is
Run as alias
Runas_Alias DB = oracle
the backup script above contains a command that requires oracle user right, so we need to create an alias for that.
Now that completes the alias part. For the final part, let’s define the assignment:
BKPOP ALL=(DB)NOPASSWD:BKP
The line above means that BKPOP, which points to “dmpuser” is allowed to execute the command contained in the BKP alias, from any (ALL) host, without having to supply any password.
To do their job, the backup operators must log into the server using “dmpuser” account, and execute:
sudo /backupscript/daily-dmp.sh
Now, If I need to assign this right to more than one user, let say “bkpuser”, I can either add the second user to the user alias:
User_Alias BKPOP = dmpuser, bkpuser
or, instead of using alias, I can create a group, let say “dmpgrp”, put both users inside this group, and change the assignment to:
%dmpgrp ALL=(DB)NOPASSWD:BKP
If these guys need to run another scripts, the command alias can be modified like this:
Cmnd_Alias BKP = /backupscript/daily-dmp.sh, /backupscript/monthly-dmp.sh
Easy peasy 🙂