I created 2 users on a test Ubuntu 16.04 VM I have:
has_login:x:2001:2001::/home/has_login:/bin/bash
nologin:x:2002:2002::/home/nologin:/bin/false
This is what I found.
When run as the root user with the user that has a bash shell:
# sudo -u has_login curator --config curator.yml open-test.yml
2019-02-13 14:54:45,098 INFO Preparing Action ID: 1, "open"
2019-02-13 14:54:45,154 INFO Trying Action ID: 1, "open": open all indices older than 0 days should only use with --dry-run as test for output
2019-02-13 14:54:45,214 INFO Opening selected indices: ['.triggered_watches', '.monitoring-alerts-6', '.monitoring-es-6-2019.02.12', '.tasks', '.monitoring-es-6-2019.02.13', '.kibana_2', 'netflow-000002', '.monitoring-kibana-6-2019.02.13', 'netflow-000001', 'netflow-000003', '.monitoring-kibana-6-2019.02.12', '.watcher-history-9-2019.02.12', '.watches', '.watcher-history-9-2019.02.13', '.kibana_1']
2019-02-13 14:54:45,223 INFO Action ID: 1, "open" completed.
2019-02-13 14:54:45,223 INFO Job completed.
# su - has_login -c 'curator --config curator.yml open-test.yml'
2019-02-13 14:55:38,720 INFO Preparing Action ID: 1, "open"
2019-02-13 14:55:38,776 INFO Trying Action ID: 1, "open": open all indices older than 0 days should only use with --dry-run as test for output
2019-02-13 14:55:38,854 INFO Opening selected indices: ['.kibana_2', 'netflow-000002', 'netflow-000003', '.tasks', '.watches', '.watcher-history-9-2019.02.12', '.triggered_watches', '.monitoring-alerts-6', '.monitoring-kibana-6-2019.02.13', '.monitoring-kibana-6-2019.02.12', 'netflow-000001', '.monitoring-es-6-2019.02.13', '.watcher-history-9-2019.02.13', '.monitoring-es-6-2019.02.12', '.kibana_1']
2019-02-13 14:55:38,861 INFO Action ID: 1, "open" completed.
2019-02-13 14:55:38,861 INFO Job completed.
When I run as the user with /bin/false as the shell:
# sudo -u nologin curator --config /bigdisk/buh/curator_packages/curator.yml /bigdisk/buh/curator_packages/open-test.yml
2019-02-13 14:57:00,627 INFO Preparing Action ID: 1, "open"
2019-02-13 14:57:00,683 INFO Trying Action ID: 1, "open": open all indices older than 0 days should only use with --dry-run as test for output
2019-02-13 14:57:00,743 INFO Opening selected indices: ['.kibana_1', '.monitoring-es-6-2019.02.13', '.monitoring-kibana-6-2019.02.13', '.watcher-history-9-2019.02.13', 'netflow-000002', '.monitoring-alerts-6', '.watches', '.triggered_watches', 'netflow-000003', '.watcher-history-9-2019.02.12', '.monitoring-es-6-2019.02.12', '.tasks', '.kibana_2', '.monitoring-kibana-6-2019.02.12', 'netflow-000001']
2019-02-13 14:57:00,751 INFO Action ID: 1, "open" completed.
2019-02-13 14:57:00,752 INFO Job completed.
# su - nologin -c 'curator --config /bigdisk/buh/curator_packages/curator.yml /bigdisk/buh/curator_packages/open-test.yml'
# (NO OUTPUT)
In other words, the user must have a shell if you plan on using su -. If you allow your sudoers file to have a blanket "Elasticsearch user can do anything", i.e., elasticsearch ALL=(ALL) NOPASSWD:ALL, this is a security risk. It's much safer to have a plain user with an executing shell, and just let that user have a crontab entry:
# su - elasticsearch
$ crontab -l
no crontab for elasticsearch
$ crontab -e
< add 0 2 * * * /usr/bin/curator --config /etc/elasticsearch/curator.yml /etc/elasticsearch/curator/actions/dns-retention.yaml or something like it >
$ crontab -l
0 2 * * * /usr/bin/curator --config /etc/elasticsearch/curator.yml /etc/elasticsearch/curator/actions/dns-retention.yaml
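As an added example (not part of the post above), here is a small POSIX sh audit that checks the two conditions the post describes: whether a service account's shell will let su - run anything at all, and whether the account carries a blanket ALL=(ALL) NOPASSWD:ALL sudoers rule. The passwd and sudoers contents are constructed samples, and the user names beyond those in the post are assumed.

```shell
#!/bin/sh
# Constructed sample data standing in for /etc/passwd and a sudoers file,
# so the audit runs offline. The first two entries mirror the test users
# from the post; the third is an assumed service account.
SAMPLE_PASSWD='has_login:x:2001:2001::/home/has_login:/bin/bash
nologin:x:2002:2002::/home/nologin:/bin/false
elasticsearch:x:2003:2003::/var/lib/elasticsearch:/usr/sbin/nologin'

SAMPLE_SUDOERS='elasticsearch ALL=(ALL) NOPASSWD:ALL
backup ALL=(root) NOPASSWD:/usr/bin/curator'

# login_shell_ok USER PASSWD_TEXT
# Prints "yes" if "su - USER -c CMD" can execute CMD, i.e. the login shell
# is something other than /bin/false, a nologin binary or an empty field.
login_shell_ok() {
    shell=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }')
    case "$shell" in
        '' | */false | */nologin) echo no ;;
        *) echo yes ;;
    esac
}

# blanket_sudo USER SUDOERS_TEXT
# Prints "yes" if USER has an unrestricted "ALL=(ALL) NOPASSWD:ALL" rule
# (also matching the ALL=(ALL:ALL) spelling); command-limited rules such as
# "NOPASSWD:/usr/bin/curator" are reported as "no".
blanket_sudo() {
    printf '%s\n' "$2" | awk -v u="$1" '
        $1 == u && $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $NF == "NOPASSWD:ALL" { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# audit_user USER: one-line verdict combining both checks.
audit_user() {
    printf '%s su_usable=%s blanket_sudo=%s\n' "$1" \
        "$(login_shell_ok "$1" "$SAMPLE_PASSWD")" \
        "$(blanket_sudo "$1" "$SAMPLE_SUDOERS")"
}

audit_user has_login
audit_user nologin
audit_user elasticsearch
```

To run the same checks against a real host, pass "$(cat /etc/passwd)" and the concatenated sudoers files (as root) in place of the sample strings.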