Sudo: “Operation not permitted” when program is started as a service, but working when manually started. Why?


I need to be able to exec a command as sudo (e.g. sudo echo 'toto') in a custom Go program. I've added my user to /etc/sudoers, and it works just fine when I log in as my user and run the program manually.



However, when I run the exact same program from a systemd service, I get the following error:



sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin


My service is basic:



[Unit]
Description=test sudo

[Service]
User=test
Group=test
ExecStart=/etc/test/test


and in my /etc/sudoers:



Defaults        env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

test ALL = NOPASSWD: ALL


What's the difference between manually running the program as my user versus the same program started as a service?



Testing on Ubuntu 18.04










  • Ah. My first guess was the sudo requiretty option, but actually I don't think that would match the error message. Since you mention Ubuntu, I suspect this might be AppArmor. I don't know how to use AppArmor :-(.

    – sourcejedi
    yesterday


















permissions systemd sudo






edited yesterday
Quentin

asked yesterday
Quentin













1 Answer
I finally found the issue: my service was adding a list of CapabilityBoundingSet for some reason which was restricting the sudo operations.






answered 5 hours ago
Quentin
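Added example, not part of the original answer or the asker's program: a Go check that reads the CapBnd mask from /proc/<pid>/status and reports whether CAP_SETGID and CAP_SETUID are still in the bounding set. A setuid-root binary such as sudo cannot gain a capability that CapabilityBoundingSet= has dropped, which is consistent with the "unable to change to root gid" error. The names constructedStatus, sudoNeeds, parseCapBnd and missingForSudo are hypothetical, and the two-capability list is an assumption of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Constructed /proc/<pid>/status sample: only bit 10 (CAP_NET_BIND_SERVICE) is bounded in.
const constructedStatus = "Name:\ttest\nCapPrm:\t0000000000000000\nCapBnd:\t0000000000000400\n"

// Bit numbers from linux/capability.h; checking only these two is this example's assumption.
var sudoNeeds = []struct {
	name string
	bit  uint
}{{"CAP_SETGID", 6}, {"CAP_SETUID", 7}}

// parseCapBnd extracts the bounding-set mask from /proc/<pid>/status text.
func parseCapBnd(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if line := sc.Text(); strings.HasPrefix(line, "CapBnd:") {
			hex := strings.TrimSpace(strings.TrimPrefix(line, "CapBnd:"))
			return strconv.ParseUint(hex, 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapBnd line found")
}

// missingForSudo lists the checked capabilities that are absent from mask.
func missingForSudo(mask uint64) []string {
	var missing []string
	for _, c := range sudoNeeds {
		if mask&(uint64(1)<<c.bit) == 0 {
			missing = append(missing, c.name)
		}
	}
	return missing
}

func main() {
	status := constructedStatus
	if data, err := os.ReadFile("/proc/self/status"); err == nil {
		status = string(data) // on Linux, inspect the real process
	}
	mask, err := parseCapBnd(status)
	fmt.Printf("CapBnd=%#x missing=%v err=%v\n", mask, missingForSudo(mask), err)
}
```

Calling the same check from the service's own process, just before it execs sudo, shows the bounding set that systemd actually applied to the unit.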





























