topic Re: User privileges in Operating System - HP-UX

User privileges

haimi — Tue, 21 Oct 2008 23:26:08 GMT

Hello Geeks,

How can I allow normal user to execute System Admin commands like 'swlist' or 'diskinfo'?

Thanks

Re: User privileges

Jeeshan — Wed, 22 Oct 2008 02:08:16 GMT

you can use SUID bit to swlist or diskinfo command

or you can use SUDO.

Re: User privileges

Suraj K Sankari — Wed, 22 Oct 2008 03:28:15 GMT

Hi,

To configure sudo you need to take this steps.
/usr/sbin/visudo it will open the file /etc/sudoers
put these entry into it
%groupname servername=/usr/sbin/diskinfo,/usr/sbin/swlist
or
username servername=/usr/sbin/diskinfo,/usr/sbin/swlist

Save the file

switch to user username
run
sudo /usr/sbin/diskinfo
it will ask passwd of the user

Suraj

Re: User privileges

Dennis Handly — Wed, 22 Oct 2008 07:06:07 GMT

>System Admin commands like 'swlist'

Normally swlist doesn't need root. You can use swacl to restrict it.

Re: User privileges

Jannik — Wed, 22 Oct 2008 07:31:53 GMT

Compile this small progam:
#include
#include

int main (argc, argv)
int argc;
char **argv;
{
if (setuid (0) == 0)
{
return (system ("yourprogram"));
}
else
{
perror ("setuid");
return (1);
}
}

Make changes yourprogram to say diskinfo or swlist or some other. After the compile

# cc program.c

Change the permissions:

# chmod 4755 a.out

This program is a security risk as anything else that will compromise the execution of privileged programs.
But then so is sudo :-)

Re: User privileges

Grayh — Wed, 22 Oct 2008 11:43:16 GMT

Some of my below discussions should be of great help to you

http://forums12.itrc.hp.com/service/forums/questionanswer.do?threadId=1272931

http://forums12.itrc.hp.com/service/forums/questionanswer.do?threadId=1275696

http://forums12.itrc.hp.com/service/forums/questionanswer.do?threadId=1272698

Re: User privileges

Adam W. — Wed, 22 Oct 2008 11:50:01 GMT

Haimi,
SUDO is your best (and safest) bet here. I use sudo for pretty much all of my users who need to do SPECIFIC tasks. If you need something more general SUDO may not be the way to go, but for specific commands and access, it is hard to beat SUDO.