Running commands with elevated privileges on Linux


To enable as complete an inventory as possible on Linux systems, the 'dmidecode' command needs to be run as root, or as another account with root privileges. Most organisations do not allow a direct login for root, so there are two options for enabling the account used to perform an inventory to run commands as root.

Background

Certero inventory is very strong at retrieving many attributes of your computers. For Linux systems, however, there are operating system restrictions placed on the techniques that have to be used to perform the level of inventory required. Certero has to work with these restrictions in order to obtain enriched attribute data. This means that, in some cases, root privileges are required to run certain Linux commands to obtain all inventory attributes. Where you do not allow Certero inventory to execute these Linux commands with root privileges, then some inventory data may be missing.

So you can choose either to allow Certero to perform the most complete inventory it can, by granting the relevant Linux account the privileges to run certain commands, or not to, and accept that some inventory information may be missing in some cases.

This article gives you greater control over how you prefer Linux inventory to behave, which is always a balance between the needs of a comprehensive inventory and your security policies and controls.

First (and preferred) option

The preferred method is to use sudo privileges, as this allows greater control and security. Many Linux distributions provide visudo for editing the sudoers configuration file, and it is the preferred way to edit that file because it also performs syntax checking before saving.

Where visudo does not exist then /etc/sudoers can be edited directly with your editor of choice.

Currently, the only command Certero inventory requires to run as root is dmidecode. In order for this command to be run successfully, a line similar to the example below needs to be added to the sudoers file.

svc_account   ALL=(ALL)    NOPASSWD:     <path to dmidecode>/dmidecode

Where:

  • svc_account is the login for the credentials being used for the inventory

  • <path to dmidecode> is the path to dmidecode.

Note that if you are unsure where the dmidecode command resides, you can use the first path returned when you run the following command:

whereis dmidecode

N.B. Some implementations of sudo enable requiretty by default; this needs to be overridden for the Certero service account. The following line can be added to the sudoers file to disable requiretty for a single user account (replace username with the service account login):

Defaults:username !requiretty

Second option

A less secure option is to set the setuid bit on the dmidecode binary (commonly, but loosely, referred to as the sticky bit; the sticky bit proper is a different permission flag). Setting the setuid bit causes a binary to run with the privileges of its owner, whichever user executes it, i.e., as dmidecode is owned by root it will run with root privileges but can be run by any user.

The command chmod is used to set the setuid bit on a binary, as in this example:

chmod +s <path to dmidecode>/dmidecode

As sudo has been available for a significant time, it is unlikely you will have a Linux system that does not have sudo implemented and, therefore, this second option should only be considered in circumstances where the first option does not work.

Note that for older distributions of Linux, i.e., Red Hat 5 and below, only this second option is viable.
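As an added example (not Certero's own code), the following POSIX shell functions render the sudoers rule and the requiretty override from the first option, resolving the binary path from whereis output as described above, and check a file for the setuid bit so that use of the second option can be audited. The account name svc_account and the whereis output line are constructed samples.

```shell
#!/bin/sh
# Added example, not Certero's own code: build the two sudoers lines for the
# first option and check a binary for the setuid bit set by the second option.
# svc_account and the whereis output below are constructed sample values.

# Return the first absolute path in a 'whereis' output line, e.g.
# "dmidecode: /usr/sbin/dmidecode /usr/share/man/man8/dmidecode.8.gz"
first_whereis_path() {
    for tok in $1; do
        case "$tok" in
            /*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Render the sudoers rule. sudoers requires the command path to be absolute,
# so a relative path is rejected rather than silently written out.
sudoers_entry() {
    case "$2" in
        /*) ;;
        *) printf 'path must be absolute: %s\n' "$2" >&2; return 1 ;;
    esac
    printf '%s   ALL=(ALL)    NOPASSWD:     %s\n' "$1" "$2"
}

# Render the Defaults line that disables requiretty for that account only.
requiretty_override() {
    printf 'Defaults:%s !requiretty\n' "$1"
}

# Exit 0 when the file carries the setuid bit, i.e. when the less secure
# second option has been applied to it; exit 1 otherwise.
has_setuid() {
    [ -u "$1" ]
}

# Demonstration on the constructed whereis line; on a real host use
# path=$(first_whereis_path "$(whereis dmidecode)") instead.
path=$(first_whereis_path 'dmidecode: /usr/sbin/dmidecode /usr/share/man/man8/dmidecode.8.gz')
sudoers_entry svc_account "$path"
requiretty_override svc_account
if has_setuid "$path"; then
    echo "$path is setuid: the second option is in use on this host"
fi
```

Validate the generated lines with visudo -c -f before placing them in the live sudoers file, as the text above recommends.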