Sudoers for User Plugin

The cPanel user plugin relies on the sudo command to securely interact with Cachewall.

Sudo

The plugin executes Cachewall's xvctl utility using sudo -g varnish xvctl [.. args]. This runs xvctl through sudo with its primary group set to varnish, so the resulting process runs as the original invoking (unprivileged, hosting) user but with the varnish group.

Cachewall also installs the /etc/sudoers.d/xvarnish sudoers configuration file. This file defines a whitelist of xvctl commands that unprivileged users can execute, and restricts those commands to run only as the invoking user with the varnish group. These commands provide the plugin's functionality.

Sudo is commonly used for running commands as the system root user; however, the use of sudo in Cachewall does not involve root in any way. See man sudoers and option -g in man sudo for more information.

Common Problems

You must enable Debug Mode for the User Plugin before sudo-related error details are displayed.

Missing Sudo

sh: /usr/bin/sudo: No such file or directory (/usr/bin/sudo -g varnish /usr/local/bin/xvctl ...)

We occasionally encounter CentOS servers that are missing the sudo package. Use rpm -qa sudo to confirm whether the package is missing. If it is, the solution is generally to run yum install sudo.

Sudoers Configuration

sudo: no tty present and no askpass program specified (/usr/bin/sudo -g varnish /usr/local/bin/xvctl ...)

This error occurs when the /etc/sudoers.d/xvarnish sudoers file is missing or not loaded.

Usually this problem is caused by /etc/sudoers not including the directory /etc/sudoers.d. The following line should be present near the end of the sudoers file:

#includedir /etc/sudoers.d

This #includedir line must begin with the # character. The # does not mean a comment!
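
The checks from Common Problems, as an added shell example (not part of Cachewall or its documentation): it tests for the sudo binary, an active includedir line in the main sudoers file, and a drop-in that sudo will actually read. The function names and result strings are hypothetical, and the @includedir spelling is only accepted by sudo 1.9.1 and later.

```shell
#!/bin/sh
# Added example, not Cachewall code. Function names and result strings are
# hypothetical; paths are arguments so copies of the files can be checked too.

# Succeed if sudoers file $1 has an active include of directory $2.
# "#includedir" and "@includedir" (sudo 1.9.1+) count; "# includedir" is a comment.
sudoers_includes_dir() {
    awk -v want="$2" '
        $1 == "#includedir" || $1 == "@includedir" {
            d = $2
            gsub(/"/, "", d)       # path may be double-quoted
            sub(/\/+$/, "", d)     # ignore trailing slashes
            if (d == want) found = 1
        }
        END { exit !found }
    ' "$1" 2>/dev/null
}

# Succeed if sudo would read drop-in $1: it exists and its name neither
# contains "." nor ends in "~" (sudoers(5): such names are skipped).
dropin_is_loaded() {
    [ -f "$1" ] || return 1
    case ${1##*/} in
        *.*|*~) return 1 ;;
    esac
    return 0
}

# Print the first problem found, in the order the page lists them.
# $1 = sudo binary, $2 = main sudoers file, $3 = drop-in file
diagnose() {
    if [ ! -x "$1" ]; then
        echo "missing-sudo"; return 1
    fi
    if ! sudoers_includes_dir "$2" "${3%/*}"; then
        echo "includedir-missing"; return 1
    fi
    if ! dropin_is_loaded "$3"; then
        echo "dropin-missing"; return 1
    fi
    echo "ok"
}

# Live check, run as root: sh this-script --live
if [ "${1:-}" = "--live" ]; then
    diagnose /usr/bin/sudo /etc/sudoers /etc/sudoers.d/xvarnish
fi
```

An "ok" result only shows that the files are in place; visudo -c validates their syntax.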
