TL;DR: when a script is not marked as executable and you try to run it with sudo, you don't get the usual -bash: myScript.sh: Permission denied message; you are prompted for a password instead!
This one was very frustrating.
What I wanted to do was to make a user (let's call him bran) able to execute a specific script (let's call it /home/hodor/calm_down.sh) without having to provide his password, because the script will be executed by an automated tool (Jenkins).
I went back to my earlier post about sudo and updated the /etc/sudoers file so that its User privilege specification section looked like this:
root ALL=(ALL) ALL
bran ALL=(hodor) NOPASSWD: /home/hodor/calm_down.sh *
The last line gives user bran the ability to run /home/hodor/calm_down.sh as user hodor, passing it any number of parameters (*), without having to provide his password (NOPASSWD:).
Saved it, su'ed into bran, ran:
bran@laketower:~$ sudo -u hodor /home/hodor/calm_down.sh "it's ok"
aaaaand…
[sudo] password for hodor:
d’oh.
I checked the syntax in /etc/sudoers, and it was ok. I checked whether any of the declarations that followed in /etc/sudoers could override the line I set for bran and hodor; none to be found.
Heck, I even put that line as the last line, so no line could override it. Nothing.
After a good hour of googling around and finding nothing, I remembered that the script is in a Git repository for which I just checked out a different branch. As it turned out, the script lost its executable bit.
So I set the executable bit again, as user hodor:
hodor@laketower:~$ chmod +x calm_down.sh
hodor@laketower:~$ logout
root@laketower:~# su - bran
bran@laketower:~$ sudo -u hodor /home/hodor/calm_down.sh "it's ok"
hodor.
bran@laketower:~$
it worked!
I’m sure there’s a legitimate security concern for this behavior, but dang! was this hard to figure out!
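Here is a small pre-flight check for the script named in a sudoers NOPASSWD rule, as an added example that is not from the original post: it reports whether the path is a regular file with an execute bit set (which sudo requires before it treats the rule as matching, hence the password prompt above) and whether group or others can write to it. It assumes a POSIX sh with ls and cut, and takes the rule's command path as its argument.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the
# command path named in a sudoers NOPASSWD rule. sudo only matches a rule
# when the path is a regular file with an execute bit set, so a script that
# lost its +x silently falls through to the password prompt.
# Exit codes: 0 ok, 1 not executable, 2 missing, 3 not a regular file,
# 4 writable by group or others.
check_sudo_target() {
    target="$1"
    if [ ! -e "$target" ]; then
        echo "MISSING: $target does not exist" >&2
        return 2
    fi
    if [ ! -f "$target" ]; then
        echo "NOTFILE: $target is not a regular file" >&2
        return 3
    fi
    # Permission string as printed by ls, e.g. -rwxr-xr-x (first 10 chars).
    mode=$(ls -ld "$target" | cut -c1-10)
    # Any execute bit counts for sudo (user, group or other), regardless of
    # who runs this check; x/s/t mark an execute bit in the ls string.
    case "$mode" in
        *x*|*s*|*t*) ;;
        *)
            echo "NOEXEC: $target ($mode) has no execute bit; sudo will not match the rule (chmod +x)" >&2
            return 1
            ;;
    esac
    # Position 6 is group write, position 9 is other write. Anyone who can
    # edit the script can run their own commands under the rule, so these
    # bits must be clear for the rule to stay as narrow as intended.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WRITABLE: $target ($mode) is writable by group or others" >&2
        return 4
    fi
    echo "OK: $target ($mode) is usable as a sudoers command"
    return 0
}

# When run directly, check every path given on the command line.
for p in "$@"; do
    check_sudo_target "$p" || exit $?
done
```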