When you configure a process step (see Processes), you can tell IBM UrbanCode Deploy to use impersonation for the step. By default, su is used but you can use sudo instead. To configure impersonation, you supply the user name that is required by the target host. When the impersonation-configured process step runs, the su or sudo command runs the step as the impersonated user. Each step that needs user impersonation must be configured independently.
Before sudo can be used, impersonation privileges must be defined in the /etc/sudoers file. When you configure sudoers, ensure that the impersonating user does not need to supply a password. Typically, you would configure the /etc/sudoers file like the following example:
```
Defaults:X !requiretty
X ALL=(Y) NOPASSWD: ALL
```
where X and Y are user names. Configured this way, user X can run any command as user Y without supplying a password.
As an alternative to configuring sudoers, in some cases you can configure PAM through the pam_wheel.so module to allow certain users to log in without specifying a password. In this case, add users to a specific wheel group and edit the PAM configuration to allow users in this group to run commands as though they were the root user.
su and sudo maintain a record in the system logs of all of their activity. su can be used without configuring the sudoers file. For information about su/sudo, see the UNIX or Linux documentation.

Property | Default value | Description |
---|---|---|
com.urbancode.shell.impersonation.unix.sudoFormat | %s -n -u %u %c | Syntax of the sudo command |
com.urbancode.shell.impersonation.unix.sudoGroupFormat | %s -n -u %u -g %g %c | Syntax of the sudo command when a group is specified |
com.urbancode.shell.impersonation.unix.suFormat | %s - %u -c %c | Syntax of the su command |

Variable | Value |
---|---|
%s | The location of the su or sudo executable |
%u | The user |
%g | The group |
%c | The command to run |
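
To review what a format property produces before changing it, the following added example (not IBM UrbanCode Deploy code) expands the default templates from the table into argument lists. The function names, the account-name pattern, the sample paths and account names, and the rule that `%c` becomes a single shell string only after `-c` are assumptions of this sketch, not documented product behavior.

```python
import re
import shlex

# Default templates copied from the property table on this page.
SUDO_FORMAT = "%s -n -u %u %c"
SUDO_GROUP_FORMAT = "%s -n -u %u -g %g %c"
SU_FORMAT = "%s - %u -c %c"

# Assumption: conservative account-name pattern. A leading "-" is refused
# so a user or group value can never be parsed as an su/sudo option.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]*")


def expand(fmt, executable, user, command, group=None):
    """Return the argv list a template yields; command is a list of strings."""
    for label, name in (("user", user), ("group", group)):
        if name is not None and not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe {label} name: {name!r}")
    values = {"%s": executable, "%u": user, "%g": group}
    argv = []
    for token in fmt.split():
        if token == "%c":
            # su -c takes one shell string; sudo takes the command's own argv.
            as_string = bool(argv) and argv[-1] == "-c"
            argv += [shlex.join(command)] if as_string else list(command)
        elif token.startswith("%"):
            if values.get(token) is None:
                raise ValueError(f"unknown placeholder or missing value: {token}")
            argv.append(values[token])
        else:
            argv.append(token)
    return argv


if __name__ == "__main__":
    step = ["/tmp/step.sh", "--env", "qa"]  # constructed sample command
    for fmt, exe, grp in ((SUDO_FORMAT, "/usr/bin/sudo", None),
                          (SUDO_GROUP_FORMAT, "/usr/bin/sudo", "appgrp"),
                          (SU_FORMAT, "/bin/su", None)):
        print(shlex.join(expand(fmt, exe, "appuser", step, grp)))
```

The `-n` in both sudo templates makes sudo fail instead of prompting when a password would be required, which is why the sudoers entry must carry `NOPASSWD`.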