Sudo: “Operation not permitted” when program is started as a service, but working when manually started. Why? The 2019 Stack Overflow Developer Survey Results Are Inusing sudo on GUI applicationsCan't add user to sudoers filesudo - ubuntu 12.04Parallels on Mac - can no longer sudo within UbuntuHow to prevent the caller's shell from being used in sudoGalera + systemd: wsrep_notify_cmd fails with sudo (unable to change to sudoers gid: Operation not permitted)Service Start Issue SystemdGrant group A's members 'sudo su' access to group B's user accountssudo is not working on my Centos 7.3Why is systemd stopping service immediately after it is started?
Time travel alters history but people keep saying nothing's changed
Monty Hall variation
What is the use of option -o in the useradd command?
How to deal with fear of taking dependencies
Manuscript was "unsubmitted" because the manuscript was deposited in Arxiv Preprints
On the insanity of kings as an argument against monarchy
Why Did Howard Stark Use All The Vibranium They Had On A Prototype Shield?
What is the meaning of Triage in Cybersec world?
I see my dog run
How can I fix this gap between bookcases I made?
Should I write numbers in words or as numerals when there are multiple next to each other?
How to make payment on the internet without leaving a money trail?
Why do UK politicians seemingly ignore opinion polls on Brexit?
Realistic Alternatives to Dust: What Else Could Feed a Plankton Bloom?
Is "plugging out" electronic devices an American expression?
Is there a name of the flying bionic bird?
Why is Grand Jury testimony secret?
Spanish for "widget"
In microwave frequencies, do you use a circulator when you need a (near) perfect diode?
Why don't Unix/Linux systems traverse through directories until they find the required version of a linked library?
What do hard-Brexiteers want with respect to the Irish border?
Confusion about non-derivable continuous functions
Springs with some finite mass
Does light intensity oscillate really fast since it is a wave?
Sudo: “Operation not permitted” when program is started as a service, but working when manually started. Why?
The 2019 Stack Overflow Developer Survey Results Are Inusing sudo on GUI applicationsCan't add user to sudoers filesudo - ubuntu 12.04Parallels on Mac - can no longer sudo within UbuntuHow to prevent the caller's shell from being used in sudoGalera + systemd: wsrep_notify_cmd fails with sudo (unable to change to sudoers gid: Operation not permitted)Service Start Issue SystemdGrant group A's members 'sudo su' access to group B's user accountssudo is not working on my Centos 7.3Why is systemd stopping service immediately after it is started?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I need to be able to exec a command as sudo (e.g. sudo echo 'toto'
) in a custom go program. I've added my user in /etc/sudoers
and it works just fine, when I login as my user and run the program manually.
However, when I run the exact same program from a systemd service, I get the following error:
sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin
My service is basic:
[Unit]
Description=test sudo
[Service]
User=test
Group=test
ExecStart=/etc/test/test
and in my /etc/sudoers
:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
test ALL = NOPASSWD: ALL
What's the difference between manually running the program as my user versus the same program started as a service?
Testing on ubuntu 18.04
permissions systemd sudo
add a comment |
I need to be able to exec a command as sudo (e.g. sudo echo 'toto'
) in a custom go program. I've added my user in /etc/sudoers
and it works just fine, when I login as my user and run the program manually.
However, when I run the exact same program from a systemd service, I get the following error:
sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin
My service is basic:
[Unit]
Description=test sudo
[Service]
User=test
Group=test
ExecStart=/etc/test/test
and in my /etc/sudoers
:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
test ALL = NOPASSWD: ALL
What's the difference between manually running the program as my user versus the same program started as a service?
Testing on ubuntu 18.04
permissions systemd sudo
Ah. My first guess was the sudorequiretty
option, but actually I don't think that would match the error message. Since you mention Ubuntu, I suspect this might be AppArmor. I don't know how to use AppArmor :-(.
– sourcejedi
Apr 6 at 22:33
add a comment |
I need to be able to exec a command as sudo (e.g. sudo echo 'toto'
) in a custom go program. I've added my user in /etc/sudoers
and it works just fine, when I login as my user and run the program manually.
However, when I run the exact same program from a systemd service, I get the following error:
sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin
My service is basic:
[Unit]
Description=test sudo
[Service]
User=test
Group=test
ExecStart=/etc/test/test
and in my /etc/sudoers
:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
test ALL = NOPASSWD: ALL
What's the difference between manually running the program as my user versus the same program started as a service?
Testing on ubuntu 18.04
permissions systemd sudo
I need to be able to exec a command as sudo (e.g. sudo echo 'toto'
) in a custom go program. I've added my user in /etc/sudoers
and it works just fine, when I login as my user and run the program manually.
However, when I run the exact same program from a systemd service, I get the following error:
sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin
My service is basic:
[Unit]
Description=test sudo
[Service]
User=test
Group=test
ExecStart=/etc/test/test
and in my /etc/sudoers
:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
test ALL = NOPASSWD: ALL
What's the difference between manually running the program as my user versus the same program started as a service?
Testing on ubuntu 18.04
permissions systemd sudo
permissions systemd sudo
edited Apr 6 at 21:48
Quentin
asked Apr 6 at 19:31
QuentinQuentin
13816
13816
Ah. My first guess was the sudorequiretty
option, but actually I don't think that would match the error message. Since you mention Ubuntu, I suspect this might be AppArmor. I don't know how to use AppArmor :-(.
– sourcejedi
Apr 6 at 22:33
add a comment |
Ah. My first guess was the sudorequiretty
option, but actually I don't think that would match the error message. Since you mention Ubuntu, I suspect this might be AppArmor. I don't know how to use AppArmor :-(.
– sourcejedi
Apr 6 at 22:33
Ah. My first guess was the sudo
requiretty
option, but actually I don't think that would match the error message. Since you mention Ubuntu, I suspect this might be AppArmor. I don't know how to use AppArmor :-(.– sourcejedi
Apr 6 at 22:33
Ah. My first guess was the sudo
requiretty
option, but actually I don't think that would match the error message. Since you mention Ubuntu, I suspect this might be AppArmor. I don't know how to use AppArmor :-(.– sourcejedi
Apr 6 at 22:33
add a comment |
1 Answer
1
active
oldest
votes
I finally found the issue: my service was adding a list of CapabilityBoundingSet
for some reason which was restricting the sudo
operations.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510943%2fsudo-operation-not-permitted-when-program-is-started-as-a-service-but-workin%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I finally found the issue: my service was adding a list of CapabilityBoundingSet
for some reason which was restricting the sudo
operations.
add a comment |
I finally found the issue: my service was adding a list of CapabilityBoundingSet
for some reason which was restricting the sudo
operations.
add a comment |
I finally found the issue: my service was adding a list of CapabilityBoundingSet
for some reason which was restricting the sudo
operations.
I finally found the issue: my service was adding a list of CapabilityBoundingSet
for some reason which was restricting the sudo
operations.
answered 2 days ago
QuentinQuentin
13816
13816
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510943%2fsudo-operation-not-permitted-when-program-is-started-as-a-service-but-workin%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
-permissions, sudo, systemd
Ah. My first guess was the sudo
requiretty
option, but actually I don't think that would match the error message. Since you mention Ubuntu, I suspect this might be AppArmor. I don't know how to use AppArmor :-(.– sourcejedi
Apr 6 at 22:33