topic Re: sudo in Operating System - HP-UX

sudo

Adam Noble — Thu, 13 Mar 2003 10:10:05 GMT

I have been tasked with giving a set of users root privilidge effectively.(dangerous I know)
Anyway they are simply going to be running a script which adds a user and then also edits a number of files to give the users access to certain applications, the script is interactive i.e they would decide which apps to give access. It has been suggested I should use sudo for this, does anyone have any experience of using sudo, and know of any security issues etc or can recommend any other way of doing this. SAM is not an option!

Re: sudo

Steve Steel — Thu, 13 Mar 2003 11:07:22 GMT

Hi

have used sudo a lot over the years and works well.

www.software.hp.com

public domain software

search on sudo and read doc

I recommend it as a useful addition to the OS

Steve Steel

Re: sudo

David_246 — Thu, 13 Mar 2003 11:10:50 GMT

Hi,

Sorry to see no response, I will try to give some info at least.

We use eTrust Access Control for these things, but it costs some money and need some implementation time. So, don't think it's an option.

Looking in google and search for "HP SUDO", it returns several adresses. Also SUID-bits should work on a shell-script. The shellscript should have an owner of root and gid of the group that should execute the command.
chmod u+s /command should do the rest.

Some info from google :

CU sudo 1.3 and higher supports hpux. Your best bet is
to grab pub/sysadmin/utilities/cu-sudo.v1.3.1-beta9.tar.Z from
ftp.cs.colorado.edu.

Best Regs David

Re: sudo

Kaare Andersen — Thu, 13 Mar 2003 14:32:59 GMT

Hi,

some usefull informations can be found on

www.courtesan.com/sudo

Best regards,
Kan

Re: sudo

SSO Montgomery — Thu, 13 Mar 2003 19:48:08 GMT

We've begun using SUDO in the last 6 months. It works great. Even our SA's like to use it so they don't have to remember root's password. Just make sure at least one SA remembers root's password!

Re: sudo

Volker Borowski — Thu, 13 Mar 2003 19:57:42 GMT

Adam,

take care, sudo can give you the impression of beinng secure while you are not.
If this "interactive script" is capable of escaping to a shell, this escaped shell will be a root shell ! May be the escape from this specific script is even possible by pressing ctrl-C ! If you sudo scripts, always make sure to trap ctrl-C.
If the user has write-access to the script in charge, he can put in anything there that he wants to execute as root.

Give only single commands to "sudo", make sure that these are not capeable to escape to a shell, and make sure that these are only writable by root in a directory only writable as root.

Always stay carefull
Volker

Re: sudo

Adam Noble — Fri, 14 Mar 2003 09:29:58 GMT

Thanks all this was exactly the sort of info I was looking for. I had read a similar thing with regard to being able to escape to a root shell, and this will need to be reviewed.

Thanks again