Disk IO scheduling μέσω sudo χωρίς χρήση password

Christos Ricudis ricudis at itc.auth.gr
Fri Oct 9 15:57:29 EEST 2009

George Notaras wrote:
> Έχω ανακαλύψει αυτό το φανταστικό utility, ionice(1), αλλά με παιδεύει η
> χρήση του μέσω sudo. Για παράδειγμα, θέλω να τρέξω ένα backup script σε
> "idle" priority όσον αφορά το disk I/O.
> Ως root όλα είναι φυσιολογικά:
>   ionice -c3 mybackupprog --opt1 ...
> Έχοντας προσθέσει το παρακάτω στο /etc/sudoers (μια σειρά):
>   backupop    tartarus = NOPASSWD: /usr/bin/ionice -c3 /usr/bin/mybackupprog
> ... όταν τρέχω το παρακάτω, κάνοντας χρήση του option --opt1 του
> mybackupprog, μου ζητάει password:
>   sudo /usr/bin/ionice -c3 /usr/bin/mybackupprog --opt1
> Αντίθετα, αν στο /etc/sudoers προσθέσω στο παραπάνω rule το --opt1, τότε
> δουλεύει. Δηλαδή αν βάλω:
> /etc/sudoers:
>   backupop    tartarus = NOPASSWD: /usr/bin/ionice -c3
> /usr/bin/mybackupprog --opt1
> ... τότε μπορώ να εκτελέσω μέσω sudo χωρίς password το mybackupprog με
> το option --opt1.

man sudoers :

A Cmnd_List is a list of one or more commandnames, directories, and 
other aliases. A commandname is a fully qual‐
ified filename which may include shell-style wildcards (see the 
Wildcards section below). A simple filename
allows the user to run the command with any arguments he/she wishes. 
However, you may also specify command line
arguments (including wildcards). Alternately, you can specify "" to 
indicate that the command may only be run
without command line arguments. A directory is a fully qualified 
pathname ending in a ’/’. When you specify a
directory in a Cmnd_List, the user will be able to run any file within 
that directory (but not in any subdirecto‐
ries therein).

If a Cmnd has associated command line arguments, then the arguments in 
the Cmnd must match exactly those given by
the user on the command line (or match the wildcards if there are any). 
Note that the following characters must
be escaped with a ’\’ if they are used in command arguments: ’,’, ’:’, 
’=’, ’\’. The special command "sudoedit"
is used to permit a user to run sudo with the -e flag (or as sudoedit). 
It may take command line arguments just
as a normal command does.

Opote exeis tis ekshs dyo lyseis :

1) Use a wrapper :

/usr/bin/ionice -c3 /usr/bin/mybackupprog $*

kai sto sudoers :

backupop    tartarus = NOPASSWD: /usr/local/bin/backupwrapper

Ayto einai h periptwsh "epitrepetai na kaleseis to backupwrapper me 
opoiadhpote options 8eleis"

2) Don't use a wrapper and use wildcards for the sudoers arguments 
parameter :

backupop    tartarus = NOPASSWD: /usr/bin/ionice -c3 /usr/bin/mybackupprog *

Ayto logika 8a sou epitrepsei na peraseis oti argument 8eleis meta apo to "/usr/bin/ionice -c3 /usr/bin/mybackupprog". Endexomenws na prepei na xrhsimopoihseis to "--" sthn sudo wste na mhn nomisei oti ta arguments pou pernas apey8ynontai s'ayto. 

BIG RED FAT DISCLAIMER : This is not a message in greeklish. It's a message in english, with some minor greeklish explanative remarks. 

More information about the Linux-greek-users mailing list