https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279688#M180205 If I am interpreting the setup correctly <BR /><BR />They should be able to "sudo su - root" <BR />then type "mail"<BR /><BR />or "sudo su - root -c mail" <BR /><BR />Either of those should work. And they should not need the passwd, if sudo prompts for a passwd they can use the operuser passwd they have, they do not need roots passwd. <BR /><BR /><BR /> Tue, 18 May 2004 13:05:34 GMT Marvin Strong 2004-05-18T13:05:34Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279685#M180202 We have set up sudo to allow our operators to access root functions without needing the root password. In the sudoers file, we have set up a User_Alias of OPERUSER. Under User privilege specification is the following:<BR />OPERUSER ALL=(ALL) NOPASSWD: ALL<BR /><BR />Most functions are available to the operators but they cannot check to see if root has any mail. It appears when "mail" is entered, it shows the information for the original user. Logging on as root does show there is mail.<BR /><BR />Any suggestions on how to correct this?<BR /> Tue, 18 May 2004 10:33:03 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279685#M180202 Debbie Beresford 2004-05-18T10:33:03Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279686#M180203 I have never used sudo but would guess from this that sudo only gives you the effective user id of 0 (EUID) and that mail does it's checks using the real user id (UID). If there is no configuration option within sudo to use the real user id you could change the command to "su - root -c mail". I imagine this should give the user the real uid of 0 and then read the mail. Tue, 18 May 2004 10:39:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279686#M180203 Mark Grant 2004-05-18T10:39:05Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279687#M180204 This does work. I am a novice so I need to look into sudo further to see if the options you suggest are available. I also needed the root password to make this work. Is there a way around this? Tue, 18 May 2004 12:48:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279687#M180204 Debbie Beresford 2004-05-18T12:48:28Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279688#M180205 If I am interpreting the setup correctly <BR /><BR />They should be able to "sudo su - root" <BR />then type "mail"<BR /><BR />or "sudo su - root -c mail" <BR /><BR />Either of those should work. And they should not need the passwd, if sudo prompts for a passwd they can use the operuser passwd they have, they do not need roots passwd. <BR /><BR /><BR /> Tue, 18 May 2004 13:05:34 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279688#M180205 Marvin Strong 2004-05-18T13:05:34Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279689#M180206 The problem is that elm and mail command use the environment variables LOGNAME and MAIL to decide the mailbox to use.<BR />If u run the command su root the environment is not changed, while if u run the command su - root the environment is exactly the same as logging in as root.<BR />Try to run the sudo command with a script like<BR /><BR />#!/usr/bin/sh<BR />export LOGNAME=root<BR />export MAIL=/var/mail/root<BR />mail<BR /><BR />it should use the root mailbox<BR />Bye Cesare Tue, 18 May 2004 13:15:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279689#M180206 Cesare Salvioni 2004-05-18T13:15:42Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279690#M180207 I want to make sure you realize you've given your operators the keys to the kingdom. They can type in "sudo su -" and get a root shell, and reboot the box or whatever else they want. On top of this, you are allowing this to happen without any password.<BR /><BR />If you want them to only have privilages to run certain commands, it's better to specify each command they have access to in your sudoers file. Tue, 18 May 2004 15:04:40 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279690#M180207 Paul F. Carlson 2004-05-18T15:04:40Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279691#M180208 Hi,<BR /><BR />Once your operator has done sudo to root, let them do a su - root and when they get the root prompt, they should be able to read the root mail.<BR /><BR />Hope this helps.<BR /><BR />Regds<BR /> Tue, 18 May 2004 15:23:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279691#M180208 Sanjay_6 2004-05-18T15:23:56Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279692#M180209 In addition to what Paul said, you should realize that there are TONS of commands that you could put in the sudoers file that could give the user "FULL ROOT" access. <BR /><BR />sudo, if not configured right, is just as bad as giving them the root password. You give me sudo access to your system, and unless you know all the holes, I bet I could get a root shell pretty easy. Tue, 18 May 2004 15:46:04 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279692#M180209 Scott J. Showalter 2004-05-18T15:46:04Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279693#M180210 Tested this on 11.0, sudo 1.6.7p5:<BR /><BR />Add a Cmnd_Alias like:<BR /><BR />Cmnd_Alias ROOTMAIL=/bin/mail -f /var/mail/root<BR /><BR />(Sorry, tab / space formating is lost)<BR /><BR />Then add ROOTMAIL to your user privilege section. Keep in mind /bin/mail has a shell escape, so it is not secure.<BR /><BR />However if your OPERUSER entry is for real, you are not secure anyway. I really do not like that entry.<BR /><BR />I don't believe in granting more privilege than necessary. Thats the one drawback to sudo: If you want it secure, it is a hassle to admin! Wed, 19 May 2004 07:31:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279693#M180210 Robert True 2004-05-19T07:31:38Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279694#M180211 Opps, forgot to add:<BR /><BR />User must enter the command exactly like the Cmnd_Alias, IE:<BR /><BR />'sudo /bin/mail -f /var/mail/root'<BR /><BR />Rt. Wed, 19 May 2004 07:48:00 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279694#M180211 Robert True 2004-05-19T07:48:00Z https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279695#M180212 Thanks for all of your help. Also, we will now be reviewing the use of sudo! Thu, 03 Jun 2004 07:28:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/reading-root-mail-using-sudo/m-p/3279695#M180212 Debbie Beresford 2004-06-03T07:28:20Z