
Background: My developers are installing an informatica product in a RHEL8.3 server. The services are running using a user called infa_admin, and this user is already in the wheel group. This user is able to run all administrative commands using sudo without prompting for password.

They have a requirement to disable SELinux, which is not allowed based on our org policies.

The workaround they are suggesting is to have the user infa_admin to be able to stop/start/restart certain services without using sudo.

Assuming the service is called nginx, currently they can do the following:

sudo systemctl restart nginx

They need to do the following:

systemctl restart nginx --> currently this will prompt for a password, which is not what they want.

The actual services they need to be able to manage are: discoverypostgres, zk and solr

Based on my understanding, this is not possible. Is there any way to do this?

  • Are you in fear you are giving them too much privileges when allowing to use `sudo`? You can set it up such as only specific commands to be run with `sudo` is allowed for some users, not just the any command. – Nikita Kipriyanov Oct 07 '21 at 05:59
  • No. They already have full access with sudo. This requirement came from the product support team, to be able to run without sudo. – screenslaver Oct 07 '21 at 06:04
  • That's a *very strange* requirement. Really. Is there any adequate reasoning behind it? Is setting up shell aliases an option? – Nikita Kipriyanov Oct 07 '21 at 06:06
  • I am going to talk to them soon to see if they have any reason behind that. For now I set up an alias for systemctl to sudo systemctl. – screenslaver Oct 07 '21 at 06:16
  • @NikitaKipriyanov: purely conjectural, it could be a "we are unwilling to touch tooling scripts provided by the vendor" (because they update/we want to point the finger of blame at the vendor when something goes wrong/…) Probably, a "proper" solution would involve the vendor writing and shipping a SELinux policy for the software in question, but good luck with that. – Ulrich Schwarz Oct 07 '21 at 06:59
  • If you don't want to use `sudo` you can try relying on `polkit`: Here's an answer that creates a polkit rule to perform this: https://unix.stackexchange.com/questions/504806/systemd-start-as-unprivileged-user-in-a-group/557634#557634 – Stewart Nov 26 '21 at 14:42

1 Answer


They need to do the following: systemctl restart nginx --> currently this will prompt for password, which is not what they want.

Is it a solution just to allow certain commands to be run with sudo without prompting for a password?

sudo visudo

This will open an editor for the sudoers file. Add the following line:

%wheel ALL=NOPASSWD: /usr/bin/systemctl restart nginx

This will allow users of the group wheel to run systemctl restart nginx without being prompted for a password. You can create a separate group if you need more granular rights.

yaromir
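The answer above grants one exact command to the wheel group. As an added example (not code from the thread or from the product vendor), the script below generates a least-privilege sudoers drop-in for the three units actually named in the question, using a Cmnd_Alias so that only `systemctl start|stop|restart` of those units is passwordless, and validates the fragment with `visudo -c` before installing it. The dedicated group name `infa_svc` and the drop-in path `/etc/sudoers.d/infa_svc` are assumptions for illustration; the unit names come from the question.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a narrow sudoers
# drop-in: members of one group may start/stop/restart only the listed units.
# Assumed names: group "infa_svc", file /etc/sudoers.d/infa_svc.

SERVICES="discoverypostgres zk solr"   # units named in the question
GROUP="infa_svc"                        # assumed dedicated group, not wheel

# Emit the sudoers text. Listing exact argument strings in a Cmnd_Alias keeps
# the grant narrow: "systemctl restart solr" matches, "systemctl restart sshd"
# or a bare "systemctl" does not.
gen_sudoers() {
  printf 'Cmnd_Alias INFA_SVC = '
  first=1
  for svc in $SERVICES; do
    for verb in start stop restart; do
      # sudoers allows a trailing backslash to continue a long line
      [ "$first" -eq 1 ] || printf ', \\\n    '
      first=0
      printf '/usr/bin/systemctl %s %s' "$verb" "$svc"
    done
  done
  # %% is a literal % for printf; sudoers uses %group for group specs
  printf '\n%%%s ALL=(root) NOPASSWD: INFA_SVC\n' "$GROUP"
}

# Write the fragment to a temp file, refuse to install it if visudo rejects
# the syntax (a broken file under /etc/sudoers.d can lock everyone out of sudo),
# then install it root-owned and mode 0440 as sudo requires.
install_sudoers() {
  dest="${1:-/etc/sudoers.d/infa_svc}"
  tmp=$(mktemp) || return 1
  gen_sudoers > "$tmp"
  if ! visudo -c -q -f "$tmp"; then
    echo "syntax error in generated sudoers fragment, not installing" >&2
    rm -f "$tmp"
    return 1
  fi
  install -m 0440 -o root -g root "$tmp" "$dest" && rm -f "$tmp"
}
```

Run `gen_sudoers` on its own to review the generated text, and `install_sudoers` as root to put it in place. Note that this still requires the developers to type `sudo systemctl restart solr`; the alias mentioned in the comments hides the prefix, and only a polkit rule (the approach linked in Stewart's comment) lets an unprivileged user run `systemctl restart solr` literally without sudo.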