Run the agent according to the principle of least privilege

Some of the commands used by the Snow Inventory Agent for Unix require root privileges. The commands are listed in Commands used by the agent. You can enable the agent to run a complete scan without being run as a super-user by configuring the sudoers file and the agent configuration file for each command requiring sudo privileges, as described below.

  1. In the sudoers file:

    1. Add the command and give it super-user privilege. You must specify the absolute path to the command.

    2. Configure the command to run with sudo non-interactively, for example by using the NOPASSWD tag.

      This is required since the agent is running non-interactively as a background task.

  2. In the agent configuration file, specify the absolute path to the command in the SudoCommands element.

    Example 51.
    <SudoCommands>
      <Path>/usr/bin/file</Path>
      <Path>/usr/bin/ls</Path>
    </SudoCommands>

When the Unix agent searches for commands, it will first look in the agent configuration file before searching in the default locations /sbin, /bin, /usr/sbin, and /usr/bin. If the command is specified in the SudoCommands element, it overrides the default command. The command will be run with the super-user privilege configured in the sudoers file.
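
A consistency check for the two steps above, as an added example that is not part of the original documentation or the vendor's tooling: it compares the paths in the SudoCommands element with the NOPASSWD commands granted to the agent's account. The account name snowagent, the file names and both sample files are constructed assumptions, and only plain one-line sudoers rules are handled.

```sh
#!/bin/sh
# Added example, not vendor code. The account "snowagent" and both sample files
# are constructed; only plain one-line sudoers rules (no aliases) are parsed.

# Print every <Path> value from an agent configuration file, one per line.
config_paths() {
  sed -n 's:.*<Path>\(.*\)</Path>.*:\1:p' "$1"
}

# Print the commands a user may run with NOPASSWD ($1 = sudoers, $2 = user).
nopasswd_cmds() {
  grep -E "^$2[[:space:]]" "$1" | grep 'NOPASSWD:' |
    sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# $1 = agent config, $2 = sudoers file, $3 = agent user. Reports:
#   OK       absolute path with a matching NOPASSWD rule
#   MISSING  no NOPASSWD rule, so the background agent cannot run it via sudo
#   RELATIVE path is not absolute
#   EXTRA    granted in sudoers but not listed in SudoCommands
check_sudo_commands() {
  allowed=$(nopasswd_cmds "$2" "$3")
  cfg=$(config_paths "$1")
  printf '%s\n' "$cfg" | while IFS= read -r p; do
    [ -n "$p" ] || continue
    case "$p" in
      /*) if printf '%s\n' "$allowed" | grep -Fxq -- "$p"
          then echo "OK $p"; else echo "MISSING $p"; fi ;;
      *)  echo "RELATIVE $p" ;;
    esac
  done
  printf '%s\n' "$allowed" | while IFS= read -r c; do
    [ -n "$c" ] || continue
    printf '%s\n' "$cfg" | grep -Fxq -- "$c" || echo "EXTRA $c"
  done
}

# Run the check on constructed sample files.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '<SudoCommands>' '  <Path>/usr/bin/file</Path>' \
    '  <Path>/usr/bin/ls</Path>' '  <Path>lsof</Path>' \
    '</SudoCommands>' > "$d/agent.config"
  printf '%s\n' 'snowagent ALL=(root) NOPASSWD: /usr/bin/file, /usr/bin/find' > "$d/sudoers"
  check_sudo_commands "$d/agent.config" "$d/sudoers" snowagent
  rm -rf "$d"
}
demo
```

On a live host, `visudo -c` validates the sudoers syntax and `sudo -l -U <user>` lists the rules sudo actually applies; use those for the final check, since this script only compares the two lists.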