sensu / sensu-remediation-handler

Sensu Go handler for implementing "self healing" workflows
MIT License

Document privilege escalation via /etc/sudoers.d/ #17

Open calebhailey opened 4 years ago

calebhailey commented 4 years ago

I found an old note on this, but I'm not sure if it's a valid sudoers.d configuration, so I'm just dropping this here for posterity...

Contents of /etc/sudoers.d/sensu-agent:

sensu ALL=(ALL) NOPASSWD: /usr/bin/systemctl start nginx
Defaults!/usr/bin/systemctl !requiretty

IIRC this was my WIP attempt toward figuring out a valid sudoers.d config, but I don't think it was working as expected.

ninjaslothx commented 4 years ago

Here's an example of what we use. Same idea, we just group commands into logical groupings.

# Disable tty for sensu user
Defaults:sensu !requiretty

#### CMDS ####
Cmnd_Alias  SENSU_CHECKS = /opt/scripts/mycheck.sh, \
                           /opt/scripts/mycheck_two.sh

Cmnd_Alias   SENSU_HOOKS = /usr/bin/systemctl start nginx, \
                           /usr/sbin/reboot

Cmnd_Alias SENSU_REMEDIATIONS = /opt/scripts/myremediation.sh, \
                                /opt/scripts/myremediation_two.sh

#### ACCOUNTS ####
sensu ALL = (ALL) NOPASSWD: SENSU_CHECKS, SENSU_HOOKS, SENSU_REMEDIATIONS

In your case the !requiretty is set to a command, but your command has args. To disable it for a command with args, you should alias like above and then use the alias in the Defaults, e.g. Defaults!SENSU_HOOKS !requiretty
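
The alias-based form suggested above, applied to the single systemctl rule from the first comment and checked with `visudo -cf` before it is installed. This is an added example, not part of the thread or the project's code. The function names, the `(root)` runas restriction (the thread uses `(ALL)`) and the wildcard check are assumptions of this example.

```shell
#!/bin/sh
# Added example: render, syntax-check and install a sudoers.d drop-in.
# User, alias name and destination path are taken from the thread;
# the helper names below are hypothetical.

# Refuse relative paths and wildcards, which widen what the rule matches.
check_cmd() {
    case $1 in
        /*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *'*'*|*'?'*) return 1 ;;
    esac
    return 0
}

# Print the fragment. The arguments live in a Cmnd_Alias because a
# per-command Defaults entry cannot carry command-line arguments.
render_fragment() {
    user=$1 alias_name=$2 cmd=$3
    cat <<EOF
Cmnd_Alias ${alias_name} = ${cmd}
Defaults!${alias_name} !requiretty
${user} ALL = (root) NOPASSWD: ${alias_name}
EOF
}

# Validate a candidate file first so a syntax error never reaches
# /etc/sudoers.d, then install it root-owned with mode 0440.
install_fragment() {
    dest=$1; shift
    tmp=$(mktemp) || return 1
    check_cmd "$3" && render_fragment "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$dest"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root):
#   install_fragment /etc/sudoers.d/sensu-agent sensu SENSU_HOOKS \
#       '/usr/bin/systemctl start nginx'
```

Running `sudo -l -U sensu` afterwards shows the rule as sudo parsed it, which is a quick way to confirm the drop-in was picked up.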