
We have a Linux script in our environment which does ssh to a remote machine with a common user and copies a script from the base machine to the remote machine through scp.

Script Test_RunFromBaseVM.sh

#!/bin/bash

# Space-separated list of hosts, passed as the first argument.
# No spaces around "=": "machines = $1" would try to run a command named "machines".
machines=$1
for machine in $machines
do
    # StrictHostKeyChecking=no silently accepts unknown host keys and skips the
    # mismatch check; a pre-populated known_hosts is the safer choice.
    ssh -tt -o StrictHostKeyChecking=no "${machine}" "mkdir -p -m 700 ~/test"
    scp -r bin conf.d "${machine}:~/test"
    # The remote script runs under sudo, so any sudoers tags (NOEXEC, ...) for
    # this user also govern every child process that bash tries to exec.
    ssh -tt "${machine}" "cd ~/test; sudo bash bin/RunFromRemotevm.sh"
done

Script RunFromRemotevm.sh

#!/bin/bash
echo "$(date +"%Y/%m/%d %H:%M:%S")"   # /bin/date runs as a child of this (sudoed) bash

Before running the Test_RunFromBaseVM.sh script on the base VM, we run the two commands below.

eval $(ssh-agent)
ssh-add

Executing ./Test_RunFromBaseVM.sh "<list_of_machine_hosts>" gives a permission denied error:

[remote-vm-1] bin/RunFromRemotevm.sh:line 2: /bin/date: Permission denied

Any clue or insight on this error will be of great help. Thanks.

  • Does your script have the execute bit set? Also, where are you declaring machine? Is that an environment variable? Commented Mar 2, 2018 at 17:51
  • @StephenNewell just updated the question. I had abstracted out the code earlier. As far as I understand, running a script prefixed with bash does not need the execute bit set. Maybe I am wrong. I have the executable permission set on the script file. Commented Mar 2, 2018 at 18:05
  • You need the script to be executable the way you're running it. If you want to keep it non-executable, try bash path/to/your/script. Commented Mar 2, 2018 at 18:09
  • As a very tangential aside, echo "$(command)" is much better written simply as command. Capturing the command's standard output only so you can print it to standard output simply wastes a process for nothing. Commented Mar 2, 2018 at 19:57
  • Remove the spaces around = in machines=$1 Commented Mar 2, 2018 at 20:38

1 Answer


I believe the problem is the presence of the NOEXEC: tag in the sudoers file, corresponding to the user (or group) that's executing the "cd ~/test; sudo bash bin/RunFromRemotevm.sh" command. This causes any further execv(), execve() and fexecve() calls to be refused; in this case it's /bin/date.

The solution is obviously to remove the NOEXEC: tag from the main /etc/sudoers file or from some file under /etc/sudoers.d, wherever this is defined.


2 Comments

Thanks, it gave me pointers to look at the sudoers file under /etc/sudoers.d:

    Cmnd_Alias FFDCUSER_SUDOCMDS = /usr/bin/su - root,/usr/bin/ls,/usr/bin/cd,/bin/cat,/usr/bin/ps,/sbin/service,/usr/bin/monit,/usr/bin/cp,/bin/bash,/bin/dirname,/bin/basename,/bin/date,/bin/mkdir,/bin/grep,/bin/awk,/bin/rm,/bin/hostname,/bin/sed,/bin/chown
    User_Alias FFDCUSER_SUDOUSER = ffdcuser
    FFDCUSER_SUDOUSER ALL= NOEXEC: NOPASSWD: FFDCUSER_SUDOCMDS

We have /bin/date in the sudoers file; NOEXEC is added for security purposes. I believe having /bin/date in sudoers should allow the cmd to execute.
Yes, having /bin/date in sudoers would allow you to do sudo date, but what you're doing is sudo bash and that bash is executing another subprocess /bin/date and that's the bit that's denied. You can execute /bin/date directly from sudo, but not via sudoed bash. Not as a subprocess.
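The conflict the answer and its comments describe (a shell listed in a Cmnd_Alias, the rule tagged NOEXEC:, so "sudo bash script.sh" starts but every child the shell tries to exec is refused) can be spotted from the sudoers text itself. The script below is an added example, not code from the question, the answer, or any sudo tooling: it resolves Cmnd_Alias entries in a sudoers-style fragment and prints each command that is both under a NOEXEC: rule and of a kind that only works by exec'ing children. The fragment, the alias and user names, and the list of "needs exec" basenames are all constructed for the example.

```shell
#!/bin/bash
# Added example, not from the original post: lint a sudoers-style fragment for
# rules that put the NOEXEC: tag on a command that has to exec children
# (a shell, su, awk via system(), ...). Such a rule is exactly the case in the
# question: "sudo bash script.sh" starts, but the script's /bin/date is refused.

# Basenames treated as "needs to exec children". Constructed list; extend to taste.
NEEDS_EXEC_RE='^(bash|sh|dash|zsh|ksh|su|env|awk|find|xargs|nohup)$'

# Reads sudoers text on stdin; prints "user<TAB>alias<TAB>command" for each
# command that is both under NOEXEC: and matches NEEDS_EXEC_RE.
noexec_conflicts() {
    awk -v needs_exec="$NEEDS_EXEC_RE" '
    function needs(c) {            # basename of the first word of a command spec
        sub(/[ \t].*/, "", c); sub(/.*\//, "", c)
        return c ~ needs_exec
    }
    # Cmnd_Alias NAME = cmd1, cmd2, ...
    /^[ \t]*Cmnd_Alias[ \t]/ {
        sub(/^[ \t]*Cmnd_Alias[ \t]+/, "")
        split($0, kv, /[ \t]*=[ \t]*/)
        n = split(kv[2], cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) cmdalias[kv[1]] = cmdalias[kv[1]] cmds[i] "\n"
        next
    }
    # WHO HOST = [(RUNAS)] TAG: TAG: cmd-or-alias, ...
    /=/ && !/^[ \t]*(Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias|Defaults|#)/ {
        split($0, lr, /[ \t]*=[ \t]*/)
        who = lr[1]; sub(/[ \t].*/, "", who)
        rhs = lr[2]
        if (rhs !~ /NOEXEC:/) next
        sub(/.*:[ \t]*/, "", rhs)   # drop runas and tags, keep the command list
        n = split(rhs, items, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            item = items[i]
            if (item in cmdalias) {
                m = split(cmdalias[item], cmds, "\n")
                for (j = 1; j <= m; j++)
                    if (needs(cmds[j])) print who "\t" item "\t" cmds[j]
            } else if (needs(item)) {
                print who "\t-\t" item
            }
        }
    }'
}

# Constructed fragment, modelled on the one quoted in the comments above.
SUDOERS_FRAGMENT='Cmnd_Alias OPS_CMDS = /usr/bin/su - root, /bin/cat, /bin/bash, /bin/date, /bin/mkdir, /bin/awk
User_Alias OPS_USERS = opsuser
OPS_USERS ALL = NOEXEC: NOPASSWD: OPS_CMDS
# Same commands without NOEXEC, so a sudoed bash may exec /bin/date.
OPS_USERS ALL = NOPASSWD: OPS_CMDS
'

# Runs the linter over the constructed fragment and returns its report.
demo() {
    printf '%s' "$SUDOERS_FRAGMENT" | noexec_conflicts
}

demo
```

For the fragment above the report lists /usr/bin/su - root, /bin/bash and /bin/awk under the NOEXEC: rule; the second rule, which carries no NOEXEC:, produces nothing. On a real host, `sudo -l` prints the effective rules and tags for the invoking user, which is a quicker check than reading every file under /etc/sudoers.d. If you would rather keep NOEXEC: than drop it, run the script as the unprivileged user and prefix only the aliased commands with sudo (for example `sudo /bin/date`): NOEXEC: refuses what the sudoed process execs, not the process sudo starts itself.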
