Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

sudo for Domino start script

Daniel Nashed  31 May 2019 14:20:47

I wasn't aware that so many people are using "sudo" in combination with my start script.
On my machine I am using it for quite a while long before systemd support.
SLES allowed to start the server without root permissions but for CentOS/RHEL we always needed root also with init.d to start or restart a service.

With systemd we need root permissions on RHEL, CentOS and SLES.

I am currently invoking the rc_domino script wth sudo. But that means the rc_domino is running technically as root.

The better idea sounds like we allow the notes user to just use systemctl to start/stop/restart the domino.service.

The rc_domino script could be configured to use sudo. But that means we have to still make it configurable, because not everyone is using sudo.

IMHO allowing notes to use systemctl is the cleaner way.  The rc_domino script will figure out which operation is requested and invoke just the systemctl related commands via sudo.
rc_domino currently doesn't read the config file. But I could source it and check a parameter to check if sudo should be used.

Based on the feedback I tend to enable it by defaut.

But configuring sudo to allow systemctl should be a manual step (I can print what to do when the install script ran).

So here would be what I would allow by sudo if I implement it that way:


-- snip --

%notes ALL=/bin/systemctl start domino
%notes ALL=/bin/systemctl stop domino
%notes ALL=/bin/systemctl status domino
%notes ALL=/bin/systemctl enable domino
%notes ALL=/bin/systemctl disable domino

-- snip --

What do you think?

-- Daniel

Comments

1Lars Berntrop-Bos  31.05.2019 16:45:05  sudo for Domino start script

Given that Domino itself is also running as the notes user, would that not also let the Domino instance use systemctl?

That doesn't feel quite right.

I understand taht the user executing the script rc_domino needs to be allowed systemctl on systemd systems.

If run via sudo rc_domino runs as root.

If you do not want to allow sudo with root access, you could give permission to user notes_admin_user, and run sudo -u notes_admin_user, perhaps using the sudoers file?

2Daniel Nashed  31.05.2019 21:40:00  sudo for Domino start script

@Lars,

rc_domino can be started by any user and it checks if it is already using the right user and would switch to the right user when invoking the main script rc_domino_script.

So rc_domino_script is always running with the notes user.

Beside that rc_domino also invokes the operations that need "root" permissions like enabling/disabling the service and also start/stop with systemd.

Today when you want to allow notes to start/stop the server you need to allow sudo for the whole rc_domino script. That could give "notes" a lot of permissions.

Now that I got the feedback that many are using sudo, my idea is to officially build it into the script in the right way.

So the idea is just to allow the user to start/stop/enable/disable/status the Domino service with systemctl.

From what I see this would be the right way to go and grand only the exact permissions we need.

Of course that could be also a different user. I would just check if the rc_domino script is started with "root" or another user and use "sudo" for systemctl if not.

It's now just a matter how to install and configure it. I don't want to automatically set any sudo permissions. That's something the admin should enable.

And we can configure in the start script to use it.

I just want to make it easier and make it easy to install.

-- Daniel

3Rainer  17.06.2019 15:34:27  sudo for Domino start script

Hi Daniel!

I've modified rc_domino(01) (Version 3.1.3) by prepending every line beginning with "systemctl" with "sudo "

and placed the following content in the file /etc/sudoers.d/domino:

notes01 ALL = NOPASSWD: /bin/systemctl stop domino01.service

notes01 ALL = NOPASSWD: /bin/systemctl start domino01.service

notes01 ALL = NOPASSWD: /bin/systemctl restart domino01.service

notes01 ALL = NOPASSWD: /bin/systemctl status domino01.service

notes01 ALL = NOPASSWD: /bin/systemctl enable domino01.service

notes01 ALL = NOPASSWD: /bin/systemctl disable domino01.service

notes02 ALL = NOPASSWD: /bin/systemctl stop domino02.service

notes02 ALL = NOPASSWD: /bin/systemctl start domino02.service

notes02 ALL = NOPASSWD: /bin/systemctl restart domino02.service

notes02 ALL = NOPASSWD: /bin/systemctl status domino02.service

notes02 ALL = NOPASSWD: /bin/systemctl enable domino02.service

notes02 ALL = NOPASSWD: /bin/systemctl disable domino02.service

Best regards,

Rainer

Archives


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]