Score:0

Linux scripting: How to NOT execute specific commands implicitly from a .bash_profile of a user when you sudo to the user through a script


Here is the issue I am facing: I have a script that will check the db size of Oracle and execute specific SQL based on the Oracle version running on the box. The script will be run through Ansible to execute across all the Oracle servers (400).

The issue is that the Oracle .bash_profile is NOT standard and, in fact, there are two versions (that can't be corrected for various reasons as of now). One set of servers has an RMAN command in the .bash_profile of the oracle user.

So for that set of servers (~100's out of total 400), the script returns backup information when executed through Ansible, and the output (which goes to Excel format) gets spoiled. Can someone suggest a way so that we can restrict RMAN or any other specific command from execution when we sudo to oracle?

paladin avatar
Make it non-executable? `chmod -x FILENAME`
SBhardwaj avatar
The oracle .bash_profile can't be changed in terms of permissions. It's the entire landscape on which this script needs to execute through Ansible, with the ansible user which will sudo to oracle.
paladin avatar
No, I meant to remove execution permission from specific binaries. For example, if your ansible user uses the program `/bin/myprogram`, you may deny that by using `chmod -x /bin/myprogram`. But I see that this might not be a good solution to your problem.
paladin avatar
It would be good to know why you can't change `.bash_profile`. Should this be caused by a read-only file system, you might try to mount any directory into the home directory of that user, i.e.: `mount --options bind /tmp/ /home/ansible/`, before trying to log in.
SBhardwaj avatar
Thanks for your comments. A few things: I can't change the binary permission, as it would need to be done for the entire landscape of around 400 servers. And it will have far-reaching consequences if I take away that specific binary's execute permission. Even if I do take it away and re-grant it at the end of the script, I don't want to do that either, as any failed execution of the script will lead to bigger issues, as there are production servers in the list where the script will be executed.
SBhardwaj avatar
The idea is to do this small automation WITHOUT changes to the environment, which includes prod Oracle servers. Is there a way by which, in my script itself, I can do something through code which will not allow execution of a specific command/binary?
paladin avatar
You might adjust your script: `test -f /var/lock/LOCKFILE && echo true || echo false`, when the LOCKFILE exists (i.e. via `touch /var/lock/LOCKFILE`), do your commands, otherwise do something else.
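
An added example, not from any poster in this thread: instead of blocking what the profile runs, the script can fence its own output with markers and discard everything the login profile printed before it. The function names and marker strings are hypothetical, and the oracle login is simulated with a throwaway `HOME` whose `.bash_profile` prints constructed RMAN-like lines.

```shell
# Markers are constructed strings; they only need to be unlikely in real output.
BEGIN_MARK='@@DBSIZE_BEGIN@@'
END_MARK='@@DBSIZE_END@@'

# wrap_payload CMD: build the command string handed to the login shell.
# The profile runs first and may print anything; the payload prints between
# the markers, and the end marker appears only if the payload succeeded.
wrap_payload() {
    printf 'echo %s && %s && echo %s' "$BEGIN_MARK" "$1" "$END_MARK"
}

# extract_payload: read mixed output on stdin and print only the lines between
# the markers. Exits non-zero when the end marker never arrived, so a failed
# or truncated run is not mistaken for a clean report.
extract_payload() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == e { inside = 0; found = 1 }
        inside  { print }
        $0 == b { inside = 1 }
        END     { exit(found ? 0 : 1) }
    '
}

# simulate_noisy_login CMD: stand-in for "become oracle with a login shell".
# Creates a temporary HOME whose .bash_profile prints constructed noise, then
# runs the wrapped payload in a login shell and returns the raw mixed output.
simulate_noisy_login() {
    local home
    home=$(mktemp -d) || return 1
    printf '%s\n' \
        'echo "RMAN> list backup summary;"' \
        'echo "Key TY LV S Device Type"' > "$home/.bash_profile"
    HOME="$home" bash --login -c "$(wrap_payload "$1")" 2>/dev/null
    rm -rf "$home"
}
```

In real use the raw output of the existing sudo invocation would be piped through `extract_payload`, with its exit status checked before the result is written to the report.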