Tags: amazon-web-services, sudo, libreoffice, sudoers, ebextensions

(AWS) Security implications of adding an exclusion for user:wsgi in sudoers


While setting up a script to convert documents to PDF using libreoffice on AWS, I can't get libreoffice to --convert-to pdf without sudo, perhaps because the user wsgi does not have write permissions to the /opt/python/current/app directory.

So I plan to solve this by appending the following line to the /etc/sudoers file:

wsgi ALL = NOPASSWD: /opt/libreoffice5.3/program/soffice.bin

As I want to automate this while deploying, in my .ebextensions/01_packages.config I have

container_commands:
  01_edit_sudoers_only_once:
    # Runs only while the marker file is absent. The marker must be an absolute
    # path: a relative one is resolved in the per-deploy staging directory, so
    # the rule would be appended again on every deployment. /opt/python/ is
    # chosen here because the app already lives under it.
    command: "echo 'wsgi ALL = NOPASSWD: /opt/libreoffice5.3/program/soffice.bin' >> /etc/sudoers"
    test: "test ! -f /opt/python/.sudoers_edited"

  02_mark_sudoers_as_edited:
    command: "touch /opt/python/.sudoers_edited"

Is there a potential security issue with this?


Solution

  • There is a significant potential security issue with giving a web service process the ability to invoke things with sudo.

    Giving it permission to write to directories containing code would also be unsafe.

    You really need to identify what's being denied and why that matters. If error messages aren't sufficiently clear, you could use strace to observe the process's system calls and the resulting errors.
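Added example (not code from the question or the answer): a small Python audit that parses sudoers user specifications and flags what the answer warns about, namely service accounts granted sudo, ALL, NOPASSWD, commands listed without an argument restriction, and the duplicate lines that the echo >> /etc/sudoers container command produces when its marker file does not survive a redeploy. The SAMPLE text and the service-account list are constructed assumptions, and this is a static check alongside visudo -c, not a replacement for it.

```python
import re
from collections import namedtuple

# user host = (runas) TAG: cmd, cmd ...   (Defaults, aliases and includes are skipped)
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")
Finding = namedtuple("Finding", "line_no severity message")

def audit_sudoers(text, service_accounts=("wsgi", "www-data", "nginx")):
    """Flag duplicated, over-broad or service-account entries in sudoers text."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split("#", 1)[0].split())  # strip comment, squeeze blanks
        if not line or line.startswith(SKIP):
            continue
        if line in seen:  # what echo >> /etc/sudoers yields on a second deploy
            findings.append(Finding(n, "low", f"duplicate of line {seen[line]}"))
            continue
        seen[line] = n
        m = ENTRY_RE.match(line)
        if not m:
            findings.append(Finding(n, "error", "unparseable entry; check with visudo -c"))
            continue
        user, cmds = m["user"], [c.strip() for c in m["cmds"].split(",")]
        if user in service_accounts:
            findings.append(Finding(n, "high", f"service account {user} can invoke sudo"))
        if "ALL" in cmds:
            findings.append(Finding(n, "critical", f"{user} may run any command"))
        if "NOPASSWD:" in m["tags"]:
            findings.append(Finding(n, "medium", f"{user} needs no password"))
        for cmd in cmds:  # a bare path means sudoers accepts any arguments for it
            if cmd != "ALL" and len(cmd.split()) == 1:
                findings.append(Finding(n, "medium", f"{cmd} allowed with any arguments"))
    return findings

# Constructed sample: the rule from the question, appended twice by a redeploy.
SAMPLE = """root ALL=(ALL) ALL
wsgi ALL = NOPASSWD: /opt/libreoffice5.3/program/soffice.bin
wsgi ALL = NOPASSWD: /opt/libreoffice5.3/program/soffice.bin
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```

Appending a quoted empty argument list (`soffice.bin ""`) to the rule removes the "any arguments" finding, which is the narrowest form sudoers offers for that binary.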