topic Re: Help on sudo!! in Operating System - HP-UX

Help on sudo!!

ricky2 — Thu, 21 Dec 2006 09:03:35 GMT

Hi,

I want to give some users whith a restricted sudo privelege in order to support their application.
I have added this in the sudoers file as below.
==================================
# User alias specification
User_Alias SMVGG=tina

# User privilege specification
SMVGG ALL=/opt/SM/script/smshut all,\
/opt/SM/bin/smstat,\
=====================================
And when I login as user tina and use sudo su -
it doesnt give the sudo access and gives the error
Sorry, user tina is not allowed to execute '/usr/bin/su -' as root on smvgs09.

Could you please help me out on this?

Thanks in Advance,
Ricky

Re: Help on sudo!!

Ivan Krastev — Thu, 21 Dec 2006 09:08:34 GMT

Try with spaces:

User_Alias SMVGG = tina

regards,
ivan

Re: Help on sudo!!

ricky2 — Thu, 21 Dec 2006 09:11:15 GMT

Hi Ivan,
I had tried this earlier but did not work.
Thanks,
Ricky

Re: Help on sudo!!

Peter Godron — Thu, 21 Dec 2006 09:12:37 GMT

Ricky,
for Configuration Help:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=215352
and
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=961907

Re: Help on sudo!!

ricky2 — Thu, 21 Dec 2006 09:32:54 GMT

Peter,
Thanks for that...but that could not help me out.
rgds,
ricky

Re: Help on sudo!!

Ivan Krastev — Thu, 21 Dec 2006 09:43:38 GMT

Oops , you use "user tina and use sudo su -" but you configured only smshut and smstat.

regards,
ivan

Re: Help on sudo!!

OldSchool — Thu, 21 Dec 2006 09:46:13 GMT

Ricky,

I think the issue may be here:

# User privilege specification
SMVGG ALL=/opt/SM/script/smshut all,\
/opt/SM/bin/smstat,\

I don't think its going to like the blank space between "smshut" and "all". I've never tried it the way you appear to have it set up.

I don't think you can restrict the user to a specific option of a program, either they can run the program or not. *BUT* I could be wrong there

Re: Help on sudo!!

George Liu_4 — Thu, 21 Dec 2006 09:57:14 GMT

make it simple,

add this line in the sudoers

tina ALL="/usr/bin/su -"

Re: Help on sudo!!

Bill Hassell — Thu, 21 Dec 2006 10:11:37 GMT

The line:

> tina ALL="/usr/bin/su -"

is not very useful. su - bypasses sudo's ability to log and contain individual commands. By allowing su -, the user can do anything to the system. You might as well skip sudo and just give the user tina the root password. After all, once tina runs su -, the user can change the root password, remove or reformat active disks, or simply become a member of the rm -r * club. Enumerate the commands you are allowing, including where necessary the allowed parameters. And make sure the scripts tina can execute don't have su - or other privilege elevation command.

Re: Help on sudo!!

ricky2 — Thu, 21 Dec 2006 10:23:35 GMT

Hi George,
I have added the /usr/bin/su - and Iam able to do sudo su - but this is givng the complete root access to the user tina and I want to provide some restricted access.

Re: Help on sudo!!

ricky2 — Thu, 21 Dec 2006 10:37:30 GMT

Hi Bill,

Thanks and I completely agree with you.
I should not add /opt/bin/su -.
I haved specified the commands for the user to execute but they are not executing.

Re: Help on sudo!!

George Liu_4 — Thu, 21 Dec 2006 10:45:37 GMT

It really has no reason to allow a user to do "su -" but just to answer your technical question. If you want to limit a user to do a specifc thing, just put

ALL=/path/to/command

Re: Help on sudo!!

ricky2 — Thu, 21 Dec 2006 11:27:00 GMT

found the solution..added some env settings on the user profile related to the application and finally working now.