(its mode is 755, obviously). In outfile
I can see that SHELL
is /sbin/nologin
. However, at this point the script is running as root, via sudo, so it should not have the previous user's environment variables, right?
Defaults:zabbix !requiretty
zabbix ALL=(root) NOPASSWD: /tmp/doit
Edit: A little more information:
The process running the sudo is zabbix_agentd
, from the Zabbix monitoring software. There is an entry in the /etc/zabbix/zabbix_agentd.d/userparameter_disk.conf
file which looks like:
UserParameter=example.disk.discovery,/usr/local/bin/zabbix_raid_discovery
/usr/local/bin/zabbix_raid_discovery
is a Python script. I have modified it to simply do this:
print subprocess.check_output(['/usr/bin/sudo', '-u', 'root', '/tmp/doit'])
/tmp/doit
simply does this:
#!/bin/sh
env >> /tmp/outfile
I run the following on my Zabbix server to run the /usr/local/bin/zabbix_raid_discovery
script:
zabbix_get -s client_hostname -k 'example.disk.discovery'
Then I check the /tmp/outfile
, and I see:
SHELL=/sbin/nologin
TERM=linux
USER=root
SUDO_USER=zabbix
SUDO_UID=497
USERNAME=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MAIL=/var/mail/root
PWD=/
LANG=en_US.UTF-8
SHLVL=1
SUDO_COMMAND=/tmp/doit
HOME=/root
LOGNAME=root
SUDO_GID=497
_=/bin/env
That SHELL
line really bugs me. The file is owned by root, so I know it's being created by the root user, but the shell is from the calling user (zabbix
).