topic Re: Sudoers file in Operating System - HP-UX

Sudoers file

ozas — Fri, 21 Jan 2011 15:20:02 GMT

Hi,

Please just a quick one. Does any one know how I can restrict users from being able to switch to root in sudoers file??
Presently the users are defined in the sudoers file and could switch to another user without password but I do not want them to be able to switch to root.

Re: Sudoers file

Patrick Wallek — Fri, 21 Jan 2011 15:35:32 GMT

Use a command alias like this:

Cmnd_Alias SU=!/usr/bin/su â , !/usr/bin/su *root*

Add this to each user and they should not be able to su to root.

Re: Sudoers file

ozas — Fri, 21 Jan 2011 16:01:41 GMT

I have tried that before it did not work.
See below my sudoers file, maybe I need to change anything.

This is the sudoers file:

# User_Alias

User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe,r032ahe

User_Alias SUPPORT = d060ahe,h070ahe,s029ahe

#User privilege specification
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=(ALL) NOPASSWD: ALL
WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin

What I want is that the users in WAS should not be ble to switch to root,
but they should be able to switch to user "wasdevadmin".
Only users in SUPPORT should be able to switch to root.

Re: Sudoers file

Jeff_Traigle — Fri, 21 Jan 2011 16:14:48 GMT

> WAS ALL=(ALL) NOPASSWD: ALL
> WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin

The first line is saying to allow the WAS users to run any command on any host as any user. The second line is redundantly saying to allow WAS users to run the su commands specified on all hosts as root. You don't have anything restricting them from running su to root as a previous post stated to do.

Re: Sudoers file

Patrick Wallek — Fri, 21 Jan 2011 16:15:34 GMT

What about the following:

WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin

You also have 2 lines for WAS. I don't remember which will take priority, but the 2 may be conflicting.

What happens if you comment out the first WAS line?

Re: Sudoers file

ofure — Fri, 21 Jan 2011 17:18:22 GMT

Thanks for your prompt reply. This has partly resolved the issue. At least users in WAS cannot su to root again but now the WAS cannot switch to wasdevadmin user.
I want a situation where they can switch to wasdevadmin without been prompted for a password.

Regards

Re: Sudoers file

Patrick Wallek — Fri, 21 Jan 2011 17:52:13 GMT

What does your sudoers file look like now?

Re: Sudoers file

Matti_Kurkela — Fri, 21 Jan 2011 21:06:34 GMT

> I want a situation where they [= the users in sudo group WAS] can switch to wasdevadmin without been prompted for a password.

You need this line in your sudoers file:

WAS ALL=(wasdevadmin) NOPASSWD: ALL

Then tell your users to use the sudo command like this:

sudo -H -u wasdevadmin -i
(to run a shell as wasdevadmin; equivalent to "sudo su - wasdevadmin")

...or like this:

sudo -H -u wasdevadmin
(to run as wasdevadmin and then continue the session as themselves)

MK

Re: Sudoers file

ofure — Sat, 22 Jan 2011 11:41:47 GMT

Below is how my sudoers file now look:

User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe

User_Alias SUPPORT = d060ahe,h070ahe,s029ahe
#User privilege specification
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
WAS ALL=(wasdevadmin) NOPASSWD: ALL

But the users in WAS still cannot switch to wasdevadmin account. I want the users in WAS to be able to do this without prompting for password. Thanks.
Regards.

Re: Sudoers file

INH — Sun, 23 Jan 2011 04:54:27 GMT

Remove the user name you dont wantthem to do sudo to root in sudoers file

if you have to grant specfic access you can grant in sudoers file for required users. by defining user alis, command alias and host alias for those users

Regards,
INH

Re: Sudoers file

ofure — Mon, 24 Jan 2011 11:13:23 GMT

The challenge I have now is that I want the users in WAS to be able to switch to the account wasdevadmin without prompting for password.
I have tried this below but did not work.

WAS ALL=(wasdevadmin) NOPASSWD: ALL

Regards,

Re: Sudoers file

Matti_Kurkela — Mon, 24 Jan 2011 15:49:55 GMT

> WAS ALL=(wasdevadmin) NOPASSWD: ALL

When you use this sudoers line, your user *must* use "sudo -u wasdevadmin -i" or similar sudo command to become wasdevadmin. The "-H" option is optional, but probably in line with the user's expectations.

With this sudoers line, a command like "sudo su wasdevadmin" or "sudo su - wasdevadmin" will *not* work. This is because these commands first use sudo to become root, then use su to become the target user. Sudo can do it in one step - but it requires that the user uses the correct syntax.

MK

Re: Sudoers file

ofure — Thu, 17 Feb 2011 10:37:51 GMT

Hi All,

When I type this:
sudo -u wasdevadmin -i
it works without prompting me for password but it is a long command. I want to be able to type
su - wasdevadmin and for it to call up
sudo -u wasdevadmin -i

Presently, I have this configuration:

#cd /bin
# ls -l su*
root root 45 Feb 16 17:17 su
root root 28336 Oct 30 2008 su.original

# cat su
sudo su.original $@

So presently when I type su -, it call up sudo su.original, which works fine for my switching to root access.
How can I also have:
"sudo -u wasdevadmin -i" equal to "su - wasdevadmin"

Thanks.

Re: Sudoers file

ofure — Thu, 17 Feb 2011 12:24:30 GMT

I have resolved this by creating an alias for wasdevadmin.

Thanks all.