topic SUDO ?? in Operating System - HP-UX

SUDO ??

Amit Dixit_2 — Tue, 17 Aug 2004 07:55:40 GMT

Hi,
What is Sudo ? and what is the difference
having multiple UID set to "0" and having
sudo installed on the system.

Is there any other way where you can have
Role Based Access Control (RBAC) under HP-UX

Currently I am having 2 logins with uid "0"
but when I give "ls" command it display
the owner of the file created by mylogin is
root since my login uid is "0" but group is
users ?
why is it so ?

Please anyone explain me why is it so ?

Thanks,
Amit

Re: SUDO ??

MarkSyder — Tue, 17 Aug 2004 07:58:36 GMT

With sudo you can give users a subset of root commands without giving them access to all root commands. Additionally, sudo keeps a log of all tasks carried by users in a sudo session.

Mark Syder (like the drink but spelt different)

Re: SUDO ??

Massimo Bianchi — Tue, 17 Aug 2004 07:59:53 GMT

Hi,
having multiple users with id "0" is a common practice, but not correct.

As in your case, all the files come up as the first user with id "0" in the /etc/passwd, which is root like in your example.

sudo is the right way to let every user, also non root users, to execute privileged commands.

sudo let configured user to run with eid "0".

If you want further control over what users can do, look also at Access Contro List, they can enhance the security a lot.

HTH,
Massimo

Re: SUDO ??

Kent Ostby — Tue, 17 Aug 2004 08:12:06 GMT

You can get sudo off of the Utah site.

Packages for hp-ux are located at:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/

Re: SUDO ??

john kingsley — Tue, 17 Aug 2004 08:14:21 GMT

sudo allows non-root users to run system commands as root. When you configure sudo, you can specify a list of commands, and a list of users who are allowed to use them as root.

By giving a user access to a UID=0 account, you are giving them root access to everything. With sudo, you can give a user root access to a limited number of commands, and you can control which commands they have root access to.

I am not aware of RBAC under HP-UX, but would love to see HP include it in a future release.

The system tracks users by their uid, not by their user name. So, when you have duplicate uids listed in the password file, the system will always associate file ownership with the first user with this uid in the password file.

Re: SUDO ??

Amit Dixit_2 — Tue, 17 Aug 2004 09:09:33 GMT

Hi,
I have downloaded and installed SUDO
doesn anyone have good doc to configure it

Say I am having login "amit"
I want this user can person some specific
application start stop and Informix Install

How can I configure amit through sudo
for the same.

Thanks,
Amit

Re: SUDO ??

Ermin Borovac — Wed, 18 Aug 2004 01:22:31 GMT

sudo and sudoers man pages are very useful.

Here are some quick notes.

To establish access control you first edit sudo config file (called sudoers) with visudo. visudo provides locking (similar to vipw) and also checks sudoers file syntax.

The following sudoers entry enables user amit to run (as root) /sbin/init.d/xfs with stop and start arguments on system called hpux.

Host_Alias HPUX = hpux
Cmnd_Alias XFS_STOP = /sbin/init.d/xfs stop
Cmnd_Alias XFS_START = /sbin/init.d/xfs start

amit HPUX = (root) XFS_STOP, XFS_START

User amit can list allowed commands with sudo -l.

When logged in as amit you can restart xfs as follows. When asked to provide password type password for amit account (not root).

amit@hpux$ sudo /sbin/init.d/xfs stop
amit@hpux$ sudo /sbin/init.d/xfs start

Do not give users sudo access to commands such as vi, chown and chmod, as they can easily get access to root shell.

Re: SUDO ??

Dorothee Singer — Wed, 18 Aug 2004 03:17:07 GMT

hi amit,
there is also a nice intodruction on the following site - for me it was helpful for the first steps (just to understand how it works and so on):

http://www.komar.org/pres/sudo/toc.html

hope this helps!
doro