
sudo rights to unlock user id during odd hrs

Super Advisor

Hi Team,

I have to give sudo rights to my production team to unlock users only during odd hours.

# Host Aliases
Host_Alias HR=uranus

# User Aliases
User_Alias EDI=unlockid

# Command Aliases

Cmnd_Alias COMMAND1=/usr/lbin/modprpw -kl


# User Privilege section

EDI HR=NOPASSWD: COMMAND1

Defaults:unlockid timestamp_timeout=0

When I check it by logging in through unlockid, I get a message saying:

"Sorry, user unlockid is not allowed to execute '/usr/lbin/modprpw -kl test' as root on uranus"

1 ACCEPTED SOLUTIONS
Honored Contributor

Re: sudo rights to unlock user id during odd hrs

If the Cmnd_Alias includes options, the user is now allowed to run the command only with the exact options specified in the alias specification, and nothing else.

 

If no options are included in the allowed command, then the user is allowed to run the command with any options.

If you want to allow running a command through sudo with no options, you would have to add an empty set of quotes:

 

Cmnd_Alias ALLOWED_ONLY_WITHOUT_OPTIONS=/some/command ""

 

In order to require options -kl but allow anything after that, you must add a wildcard to the Cmnd_Alias line.

 

I would also use meaningful alias names, i.e.:

...
Cmnd_Alias UNLOCKUSERS=/usr/lbin/modprpw -kl *

# User Privilege section

EDI HR=NOPASSWD: UNLOCKUSERS
...

MK
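The matching rules from the answer above, as an added shell sketch (not part of the original thread and not sudo's own code). `args_allowed`, `check` and the `ANY` marker are names invented for this model. It also shows a caveat from the sudoers manual: arguments are compared as one concatenated string, so `*` matches across word boundaries and admits extra words after the user name.

```shell
#!/bin/sh
# Simplified model of how sudoers matches the argument part of a command spec.
#   spec has no arguments  -> any arguments are allowed
#   spec arguments are ""  -> only the bare command is allowed
#   otherwise              -> the user's arguments, joined by single spaces,
#                             must match the spec's arguments as one glob string

# args_allowed SPEC_ARGS [USER_ARG...]
# SPEC_ARGS: ANY (invented marker: spec without arguments), '""', or the
#            literal argument text from the Cmnd_Alias line.
args_allowed() {
    spec=$1; shift
    joined="$*"                 # the arguments as one space-joined string
    case $spec in
        ANY)  return 0 ;;
        '""') [ -z "$joined" ] && return 0; return 1 ;;
    esac
    case $joined in
        $spec) return 0 ;;      # unquoted on purpose: used as a glob pattern
        *)     return 1 ;;
    esac
}

# check SPEC_ARGS [USER_ARG...]: print a one-line verdict
check() {
    spec=$1; shift
    if args_allowed "$spec" "$@"; then verdict=allowed; else verdict=denied; fi
    printf '%-8s spec=[%s] args=[%s]\n' "$verdict" "$spec" "$*"
}

# Constructed sample invocations for /usr/lbin/modprpw
check '-kl'   -kl test                 # original alias: "test" is extra, denied
check '-kl *' -kl test                 # alias with wildcard: allowed
check '-kl *' -kl                      # denied: pattern needs a following word
check '-kl *' -kl test extra1 extra2   # allowed: "*" also spans the spaces
check '""'                             # empty quotes: bare command allowed
check '""'    -kl test                 # empty quotes: any argument denied
check ANY     -kl test                 # no arguments in spec: anything allowed
```

On the real host, `sudo -l` run as unlockid lists the rule that is actually in effect, and `visudo -c` checks the sudoers file for syntax errors.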
Super Advisor

Re: sudo rights to unlock user id during odd hrs

Thanks Matti.