topic sudo user unable to execute in Operating System - HP-UX

sudo user unable to execute

rdasari — Thu, 10 Sep 2009 19:27:58 GMT

Hi All :

I am getting the following for a sudo user :

"Sorry, user richard is not allowed to execute '/usr/bin/kill -hup 15284' as root on pwpsp."

The sudoers file is set as :

richard ALL=/apps/dlc101b/bin/proshut, /usr/bin/kill

Any help is greatly appreciated.

Regards,

Ramamurthy Dasari

Re: sudo user unable to execute

Jeff_Traigle — Thu, 10 Sep 2009 19:33:44 GMT

Probably a syntax error. That entry doesn't look right to me. Did you use visudo to edit the sudoers file? It'll catch syntax errors nicely. Try:

richard ALL=(root) /apps/dlc101b/bin/proshut, /usr/bin/kill

Of course, giving someone blanket kill privileges like this is pretty dangerous stuff.

Re: sudo user unable to execute

rdasari — Thu, 10 Sep 2009 19:41:55 GMT

Jeff :

Thanks for the quick response. The syntax was correct as posted. I had even tried the way you stated but still getting the same error.

Also what do you mean by blanket kill priviledges.

Thanks & Regards,

Ramamurthy Dasari

Re: sudo user unable to execute

Jeff_Traigle — Thu, 10 Sep 2009 20:09:54 GMT

I seem to recall having some issues having multiple commands directly in the line like that. Maybe my mind playing tricks on me. I always use aliases in sudoers. Keeps things more organized for complex configurations and avoids the problem. Might try something like this and see if you have better luck:

User_Alias SOMEGUY = richard
Cmnd_Alias SOMEGUY_CMNDS = /apps/dlc101b/bin/proshut, /usr/bin/kill

SOMEGUY ALL=(root) SOMEGUY_CMNDS

(You can name the aliases whatever you like.)

As for the danger of giving someone open access to the kill command this way... with no restriction on what they can kill, there's nothing to stop him from killing any process on the system... any OS process, database, application, etc. One typo or malicious execution and the system/database/application could come down in a very unpleasant manner. If there are only certain processes the user should really have a need to kill as root, I'd create a wrapper script to be sure those processes are the only ones they could kill. If all of the processes are owned by a particular non-root user, you could also safeguard the system somewhat better by putting that user in the config instead of root, like this:

Runas_Alias OTHERUSER = somename
SOMEGUY ALL=(OTHERUSER) /usr/bin/kill

Also, be concerned about file and directory permissions for commands you grant access to, especially ones allowed to run as root. The person shouldn't be able to change /apps/dlc101b/bin/proshut by having write permission to it or the directory /apps/dlc101b/bin if they are allowed to run the command as root. That's another avenue for them to do whatever they want to do on the system.