TL;DR: when a script is not marked as executable and you try to run it with sudo, you don’t get the usual -bash: myScript.sh: Permission denied message, you are prompted for a password instead!
This one was very frustrating.
What I wanted to do was to make a user (let’s call him bran) able to execute a specific script (let’s call it /home/hodor/calm_down.sh) without having to provide his password, because the script will be executed by an automated tool (Jenkins).
I reached back to my earlier post about sudo, and updated the /etc/sudoers file so that its User privilege specification section looked like this:
root ALL=(ALL) ALL
bran ALL=(hodor) NOPASSWD: /home/hodor/calm_down.sh *
The last line gives user bran the ability to run /home/hodor/calm_down.sh as user hodor passing it any number of parameters (*) without having to provide his password (
bran@laketower:~$ sudo -u hodor /home/hodor/calm_down.sh "it's ok"
[sudo] password for hodor:
I checked the syntax in /etc/sudoers, and it was ok.
I checked whether any of the declarations that followed in /etc/sudoers could override the line I set for hodor; none to be found.
Heck, I even put that line as the last line, so no line could override it. Nothing.
After a good hour of googling around and finding nothing, I remembered that the script is in a Git repository for which I just checked out a different branch. As it turned out, the script lost its executable bit.
So I set the executable bit again, as user
hodor@laketower:~$ chmod +x calm_down.sh
hodor@laketower:~$ logout
root@laketower:~# su - bran
bran@laketower:~$ sudo -u hodor /home/hodor/calm_down.sh "it's ok"
hodor.
bran@laketower:~$
I’m sure there’s a legitimate security concern for this behavior, but dang! was this hard to figure out!
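A preflight for the failure mode described above, as an added example that is not part of the original post: it inspects the script's mode bits before sudo is involved, then calls sudo with -n so an automated job such as Jenkins fails immediately instead of waiting at a password prompt. The function names check_sudo_target and run_as_nopasswd are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# check_sudo_target PATH
# Return codes: 0 ok, 1 missing or not visible to the caller,
#               2 not a regular file, 3 no executable bit set.
check_sudo_target() {
    target=$1
    # -L follows symlinks so a link to the script is judged by its target.
    # ls fails if the path is missing or a parent directory is not traversable.
    listing=$(ls -ldL -- "$target" 2>/dev/null) || {
        echo "preflight: cannot stat $target" >&2
        return 1
    }
    mode=${listing%% *}    # first field of ls -l output, e.g. -rw-r--r--
    case $mode in
        -*) ;;
        *)  echo "preflight: $target is not a regular file ($mode)" >&2
            return 2 ;;
    esac
    # The mode string is examined instead of using [ -x ], because the caller
    # (bran) and the run-as user (hodor) may have different access to the file.
    case $mode in
        *[xs]*) return 0 ;;
    esac
    echo "preflight: $target has no executable bit ($mode); run chmod +x" >&2
    return 3
}

# run_as_nopasswd RUNAS_USER SCRIPT [ARGS...]
# Runs SCRIPT as RUNAS_USER only if the preflight passes.
run_as_nopasswd() {
    runas=$1
    script=$2
    shift 2
    check_sudo_target "$script" || return
    # -n: never prompt; sudo exits with an error if a password would be needed.
    sudo -n -u "$runas" "$script" "$@"
}
```

In the scenario from the post, the job would call run_as_nopasswd hodor /home/hodor/calm_down.sh "it's ok" and get the "no executable bit" message after the branch checkout instead of a password prompt.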