https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962042#M415893 I have user nopassword option. Thu, 23 Feb 2006 00:51:08 GMT Khashru 2006-02-23T00:51:08Z https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962036#M415887 i have installed sudo in a hpux 11i trusted system.i configured so that my helpdesk user can change password. while they go for changing password most of the time it is asking for the password, not all time. how i can disable it. what is the policy for askinf password. Wed, 22 Feb 2006 23:07:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962036#M415887 Khashru 2006-02-22T23:07:30Z https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962037#M415888 hi khashru,<BR /><BR /><BR />can you post the sudoers file?<BR /><BR />sudo can be configured to behave in just this fashion. There are options to require passwords sometimes and to not require passwords at other times.<BR /><BR />regards<BR />yogeeraj Wed, 22 Feb 2006 23:31:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962037#M415888 Yogeeraj_1 2006-02-22T23:31:50Z https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962038#M415889 Hi Khashru , <BR /><BR /> try using the key word "NOPASSWD" in you /etc/sudoers file. If you paste ur sudoers file in this thread, we could be of more help ,as to where we need to tag that Keyword.<BR /><BR />Regards,<BR />Senthil Wed, 22 Feb 2006 23:40:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962038#M415889 Senthil Kumar .A_1 2006-02-22T23:40:08Z https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962039#M415890 Hi Khashru, <BR /><BR />This link should help you..<BR /><BR /><A href="http://www.afp548.com/article.php?story=20051025103428232" target="_blank">http://www.afp548.com/article.php?story=20051025103428232</A><BR />[Essential Sudoers]<BR /><BR />-Arun Wed, 22 Feb 2006 23:48:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962039#M415890 Arunvijai_4 2006-02-22T23:48:31Z https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962040#M415891 Hi Khashru,<BR /><BR />When a user runs sudo, sudo creates a timestamp file for that user with an expiry of 5 minutes. If the user's timestamp file is younger than 5 minutes (default value), sudo will allow that user to run the command without a password. If the timesatmp is older than 5 minutes, the user has to supply their password.<BR /><BR /><BR />If you want the helpdesk user to only ever run "sudo passwd" without being prompted for their password, you will need to edit the "sudoers" file. <BR /><BR />You will need something like the following entries:<BR /><BR /># Define a user group<BR />User_Alias HELPDESK = username1,username2<BR /># Define a command group<BR />Cmnd_Alias PASSWD = /usr/bin/passwd <BR /># Define a host group<BR />Host_Alias PROD = hpbox1, hpbox2<BR /># Define what command group(s) a user group may run, on which hosts and how<BR /># Note that passwd root is denied.<BR />HELPDESK PROD = NOPASSWD: PASSWD !/usr/bin/passwd root<BR /><BR />In this example, username1 and username2 may run the passwd command for any user except root on hosts hpbox1, and hpbox2.<BR /><BR /><BR />You can also reset the value of the timestamp timeoout in the sudoers file. Setting it to 0 will force sudo to ALWAYS prompt for a passwd.<BR /><BR />eg:<BR />timestamp_timeout = 0<BR /><BR /><BR />Ensure that you only ever edit the sudoers file via the visudo utility, as it performs a syntax check on the sudoers file after you save your changes, but before writing the file to its location in the filesystem.<BR /><BR />DISCLAIMER <BR />==========<BR />Because sudo is one of those utilities that can bypass standard security measures, it is not wise to go making changes to the default behaviour unless you really understand what you are doing. I would strongly advise you to read the sudo(1m), sudoers(4) and visudo(1m) manpage carefully before turning off password prompting for your helpdesk staff. Thu, 23 Feb 2006 00:06:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962040#M415891 blubrick 2006-02-23T00:06:47Z https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962041#M415892 hi again,<BR /><BR />I would also suggest that you run the configure with this option: --disable-root-sudo <BR /><BR />By doing this, you won't get in a situtation where someone can do a sudo sudo /bin/sh and become root... The INSTALL file packaged with sudo has many other options that you can also review...<BR /><BR />You must be careful about the permissions you giving people with sudo. For instance, if you give someone ALL:/usr/bin/chmod or ALL:/usr/bin/chown, they will be able to take over any file on the system, including /etc/sudoers. <BR /><BR />Hence as a general rule, before you give a user sudo premissions, ask yourself: "Does this person REALLY need to run this command as root in order to do their job." <BR /><BR />You can also set sudo to track the messages by altering /etc/syslog.conf. (You may as well send the messages to a totally different machine to make it very difficult for a user to cover their 'sudo tracks'.)<BR /><BR />One preventive measure will be to also copy the sudo executible to /usr/local/bin/ and redirect the users there via /etc/PATH. Then if whatever directory sudo is found in gets corrupted either accidently or on purpose, sudo still works.<BR /><BR />hope this helps too!<BR /><BR />kind regards<BR />yogeeraj Thu, 23 Feb 2006 00:49:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962041#M415892 Yogeeraj_1 2006-02-23T00:49:59Z https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962042#M415893 I have user nopassword option. Thu, 23 Feb 2006 00:51:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/sudo-password/m-p/4962042#M415893 Khashru 2006-02-23T00:51:08Z