Principle of least privilege

This list shows commands that are used by Snow Inventory Agent for Linux. The user running the agent needs to have access to all of the commands.

The agent searches for commands in /usr/bin, /bin, /usr/sbin, /sbin, and /usr/local/bin.

  • awk

  • crontab

  • dmesg

  • dmidecode

  • dnsdomainname

  • dsconfig

  • env

  • findmnt

  • grep

  • httpd

  • ifconfig

  • ip

  • java

  • javac

  • last

  • ldconfig

  • lsb_release

  • lspci

  • modprobe

  • mount

  • proc

  • ps

  • rpm

  • sed

  • sh

  • systemd-detect-virt

  • uname

  • wc

  • yes

Note

The minimum sudo version required by Snow Inventory Agent for Linux is sudo 1.7.8. If the agent needs to be run with an older version, the recommendation is to run it as root.

Example 2. Sudoers configuration

In this example:

  • The user snow has permissions to run all commands in the SNOWAGENT list as any other user (including root).

  • The Cmnd_Alias creates an alias for one or several commands. It is a comma-separated list where all commands must be written on one and the same row.

  • The agent will only use sudo for commands that are prefixed by NOPASSWD:, or that have the default parameter !authenticate set, since it runs non-interactively.

Cmnd_Alias SNOWAGENT = /usr/bin/awk, /usr/bin/dmesg, /usr/sbin/dmidecode, /usr/bin/env, /usr/bin/findmnt, /usr/bin/grep, /usr/sbin/ifconfig, /usr/bin/java, /usr/bin/javac, /usr/bin/last, /usr/sbin/ldconfig, /usr/bin/lsb_release, /usr/sbin/lspci, /usr/sbin/modprobe, /usr/bin/mount, /usr/bin/ps, /usr/bin/rpm, /usr/bin/sed, /usr/bin/systemd-detect-virt, /usr/bin/wc, /usr/bin/uname, /usr/bin/dnsdomainname

snow ALL=(ALL) NOPASSWD: SNOWAGENT

Note

If a command is configured in sudoers to be run without providing a password, that path will be used before the search path of the agent.

Note

If the keyword ALL is used to allow the snow user sudo rights to any command, it needs to be the last keyword on the line.
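Binary locations differ between distributions, so the paths in Example 2 may not match a given host. The following added example (not part of the Snow documentation) resolves each command from that alias in the agent's search order and prints the Cmnd_Alias on a single row; the function names resolve_cmd and build_alias are illustrative assumptions.

```shell
#!/bin/sh
# Added example: build a one-row Cmnd_Alias from the binaries present on this host.

# Search order the page gives for the agent.
SNOW_DIRS="/usr/bin /bin /usr/sbin /sbin /usr/local/bin"

# Command names taken from the Cmnd_Alias in Example 2 on this page.
SNOW_CMDS="awk dmesg dmidecode env findmnt grep ifconfig java javac last
ldconfig lsb_release lspci modprobe mount ps rpm sed systemd-detect-virt
wc uname dnsdomainname"

# resolve_cmd NAME DIR...: print the first DIR/NAME that is an executable file.
resolve_cmd() {
    name=$1
    shift
    for dir in "$@"; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# build_alias "DIRS" "CMDS": print the alias on one row, as sudoers requires here.
# Commands that are not installed are reported on stderr and left out, so the
# alias never grants a path that does not exist yet on this host.
build_alias() {
    dirs=$1
    cmds=$2
    list=""
    for c in $cmds; do
        # $dirs is split on whitespace on purpose (one argument per directory).
        if p=$(resolve_cmd "$c" $dirs); then
            list="${list:+$list, }$p"
        else
            printf 'not found, omitted: %s\n' "$c" >&2
        fi
    done
    [ -n "$list" ] || return 1
    printf 'Cmnd_Alias SNOWAGENT = %s\n' "$list"
}

# Print the alias for this host; "|| true" keeps the script usable when sourced.
build_alias "$SNOW_DIRS" "$SNOW_CMDS" || true
```

Write the output to a scratch file together with the snow ALL=(ALL) NOPASSWD: SNOWAGENT line and check it with visudo -cf before installing it.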