Sudoers for User Plugin
The cPanel user plugin relies on the sudo command to securely interact with Cachewall.
The plugin executes Cachewall's xvctl utility using sudo -g varnish xvctl [.. args]. This executes xvctl through sudo with its primary group set to varnish, resulting in a process that runs as the original invoking (unprivileged, hosting) user but with the varnish group.
Moreover, Cachewall installs the /etc/sudoers.d/xvarnish sudoers configuration file. This configures a whitelist of xvctl commands that unprivileged users can execute, and limits these commands to execution as the invoking user and the varnish group. These commands provide the plugin's functionality.
Sudo is commonly used for running commands as the system root user; however, the use of sudo in Cachewall does not involve root in any way. See man sudoers and option -g in man sudo for more information.
You must enable Debug Mode for the User Plugin before sudo-related error details are displayed.
sh: /usr/bin/sudo: No such file or directory (/usr/bin/sudo -g varnish /usr/local/bin/xvctl ...)
We occasionally encounter CentOS servers missing the sudo package. Use rpm -qa sudo to confirm whether the package is missing. If so, the solution is generally to run yum install sudo.
sudo: no tty present and no askpass program specified (/usr/bin/sudo -g varnish /usr/local/bin/xvctl ...)
This error is caused by the /etc/sudoers.d/xvarnish sudoers file being missing or not loaded.
Usually this problem is caused by /etc/sudoers not including the directory /etc/sudoers.d. The following line should be present near the end of the sudoers file:
This #includedir line must begin with the # character. The # does not mean a comment!
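The checks described in the two error sections above can be run in one pass. The script below is an added example, not part of Cachewall; the function names and status strings are hypothetical, and the default paths are the ones quoted on this page.

```shell
#!/bin/sh
# Added diagnostic sketch, not shipped with Cachewall. Default paths are the
# ones quoted on this page; pass three arguments to check other locations.

# has_includedir SUDOERS DIR: succeed if SUDOERS has an active include of DIR.
# "#includedir" is a directive, "# includedir" (with a space) is a comment, and
# a bare "includedir" is not valid. "@includedir" is the sudo 1.9.1+ spelling.
has_includedir() {
    awk -v dir="$2" '
        ($1 == "#includedir" || $1 == "@includedir") &&
        ($2 == dir || $2 == dir "/") { found = 1 }
        END { exit !found }' "$1"
}

# diagnose SUDO_BIN SUDOERS DROPIN: print the first problem found, or "ok".
diagnose() {
    sudo_bin=$1 sudoers=$2 dropin=$3
    if [ ! -x "$sudo_bin" ]; then
        echo "sudo-missing"        # "No such file or directory": install sudo
    elif [ ! -f "$dropin" ]; then
        echo "dropin-missing"      # "no tty present": drop-in file is absent
    elif ! has_includedir "$sudoers" "$(dirname "$dropin")"; then
        echo "dropin-not-loaded"   # "no tty present": includedir line missing
    else
        echo "ok"
    fi
}

# Reading /etc/sudoers normally requires root.
diagnose "${1:-/usr/bin/sudo}" "${2:-/etc/sudoers}" "${3:-/etc/sudoers.d/xvarnish}"
```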