While setting up a script to convert documents to PDF using libreoffice on AWS, I can't get libreoffice to --convert-to pdf without sudo as perhaps the user wsgi does not have write permissions to the /opt/python/current/app directory.
So I plan to solve this by appending the following line to the /etc/sudoers file:
wsgi ALL = NOPASSWD: /opt/libreoffice5.3/program/soffice.bin
As I want to automate this while deploying, in my .ebextensions/01_packages.config I have
    container_commands:
      01_edit_sudoers_only_once:
        command: "echo 'wsgi ALL = NOPASSWD: /opt/libreoffice5.3/program/soffice.bin' >> /etc/sudoers"
        test: "test ! -f .sudoers_edited"
      02_mark_sudoers_as_edited:
        command: "touch .sudoers_edited"
Is there a potential security issue with this?
There is a significant potential security issue with giving a web service process the ability to invoke things with sudo.
Giving it permission to write to directories containing code would also be unsafe.
You really need to identify what's being denied and why that matters. If error messages aren't sufficiently clear, you could use strace to observe the process's system calls and the resulting errors.
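An added example (not part of the original answer) of the strace approach suggested above: it parses strace output and lists the paths on which the process was refused, so that the fix can be a narrowly scoped writable directory rather than sudo. The sample trace lines, PIDs, report.pdf and the /home/wsgi path are constructed for illustration.

```python
import re

# Collect the trace as the service user, without sudo, for example:
#   strace -f -e trace=file -o /tmp/soffice.trace <the failing command>
# Constructed sample in "strace -f -o" format (PIDs and paths are made up).
SAMPLE_TRACE = """\
4211 openat(AT_FDCWD, "/opt/libreoffice5.3/program/libuno_sal.so.3", O_RDONLY|O_CLOEXEC) = 3
4211 stat("/home/wsgi/.config", 0x7ffd3c1a2b10) = -1 ENOENT (No such file or directory)
4211 mkdir("/home/wsgi/.config", 0777) = -1 EACCES (Permission denied)
4213 openat(AT_FDCWD, "/opt/python/current/app/report.pdf", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
4213 openat(AT_FDCWD, "/opt/python/current/app/report.pdf", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
4213 openat(AT_FDCWD, "/tmp/lu4213.tmp", O_RDWR|O_CREAT|O_EXCL, 0600) = 5
"""

DENIED = {"EACCES", "EPERM", "EROFS"}  # refused access, as opposed to "file missing"
LINE_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?'  # PID prefix is present when strace runs with -f
    r'(?P<syscall>\w+)\((?P<args>.*)\)\s+=\s+-1\s+(?P<errno>E[A-Z]+)\b'
)
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted argument is the path


def denied_paths(trace_text):
    """Map each refused path to the syscalls, errno names and hit count seen for it."""
    result = {}
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("errno") not in DENIED:
            continue  # successful call, or a failure unrelated to permissions
        paths = PATH_RE.findall(m.group("args"))
        if not paths:
            continue  # syscall without a path argument
        entry = result.setdefault(paths[0], {"syscalls": set(), "errnos": set(), "count": 0})
        entry["syscalls"].add(m.group("syscall"))
        entry["errnos"].add(m.group("errno"))
        entry["count"] += 1
    return result


if __name__ == "__main__":
    for path, info in sorted(denied_paths(SAMPLE_TRACE).items()):
        print(f'{info["count"]:3d}  {",".join(sorted(info["syscalls"]))}  {path}')
```

Each path reported is a candidate for a dedicated output or profile directory owned by the service user, which removes the need for a sudoers entry.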