Getting Data In

Execute script on forwarder with privileges

JohnDuatres
Explorer

Hello, team

I've made script, which uses the sudo command. I've deployed it on my forwarders, and I get the error:

message from "/opt/splunkforwarder/etc/apps/app/bin/script.sh" sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

My forwarders boot from splunk user (if change boot to root - script works). Splunk user is in sudoers, it have rights to execute sudo commands, but as far as I understand script must be executed with root user, not anyone else even if it have sudo privileges.


/usr/bin/sudo - nosuid option not  set, and file system isn't NFS.

 

Tried to make owner of script root, and give to it setuid, but still not works.

Any ideas? How to make script be executable by splunk user?

Labels (2)
0 Karma
1 Solution

JohnDuatres
Explorer

looks like I found the reason of problem

it was set parameter NoNewPrivileges=Yes 

in forwarder systemd service

View solution in original post

JohnDuatres
Explorer

looks like I found the reason of problem

it was set parameter NoNewPrivileges=Yes 

in forwarder systemd service

Tom_Lundie
Contributor

Can you share the output of:

 

ls -l /bin/sudo

 

Sudo needs to have the suid permission set to run as root. Could this have been unset?

Whilst you're there (as the Splunk user), does your sudo command execute properly when ran directly on the CLI (instead of via the scripted input).

Also can you share some more details about the OS please?

JohnDuatres
Explorer

root@astra:/opt/splunkforwarder/etc/apps/app/bin# ls -l /usr/bin/sudo
---s--x--x 1 root root 141528 jan 23 2021 /usr/bin/sudo

setuid is set

Whilst you're there (as the Splunk user), does your sudo command execute properly when ran directly on the CLI (instead of via the scripted input). - yes it works, if i'm using su splunk, and execute script manually

Also can you share some more details about the OS please? - it's Astra Linux OS, but same problem I see on RHEL

0 Karma

PickleRick
SplunkTrust
SplunkTrust

If you're not running this within some docker container, the culprit might be SELinux.

Is SELinux on?

JohnDuatres
Explorer

no, commands sestatus and getenforce shows that no such commands

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...