sudo file configuration

Madhuchakaravar — Mon, 30 Jul 2012 09:13:43 GMT

Cmnd_Alias DB=/usr/bin/su - oracle
User_Alias DBA = testdba
DBA ALL = NOPASSWD: DB

when I login as testdba and /usr/bin/su - oracle it asks for a password.

i dont find amy mistake in this the above sudoers file.

grep testdba /etc/passwd
testdba:6x6S0BB2DST02:7546:765::/home/testdba:/sbin/sh

grep 765 /etc/group
DBA::765:

regards

madhu

Re: sudo file configuration

Patrick Wallek — Mon, 30 Jul 2012 13:25:49 GMT

When you do NOT specify sudo it is just running the 'su' command normally and thus will ask for the oracle password.

You have to preface the command with 'sudo' otherwise the system does not know that it needs to use sudo.

$ sudo /usr/bin/su - oracle

Re: sudo file configuration

Matti_Kurkela — Mon, 30 Jul 2012 13:58:45 GMT

If you run "/usr/bin/su - oracle" as testdba, you are not using sudo at all, and the su command is asking for the password of the "oracle" user, as usual. You should be running "sudo /usr/bin/su - oracle" to make it work.

Login as testdba and run "sudo -l". Type the password if requested. The sudo command should list all the commands testdba is allowed to run. Does it say you're authorized to run the command?

Your sudoers syntax has one error. You should specify which user the command should be allowed to run as.

Without aliases:

testdba ALL = (root) NOPASSWD: /usr/bin/su - oracle

(This also highlights the fact that you're actually allowing testdba to run a single specific command as root. When used, this causes two messages to be logged: first, sudo will log that "testdba" is becoming "root" for the purpose of running "/usr/bin/su - oracle". Then su logs that "root" is becoming "oracle". This is more complex than necessary: sudo could do both steps on its own.)

The same with your aliases included:

Cmnd_Alias DB=/usr/bin/su - oracle
User_Alias DBA = testdba
DBA ALL = (root) NOPASSWD: DB

---------------------------------------

A better configuration might be to "say what you mean". You want to allow testdba to do anything as user oracle. In sudoers syntax, that would be (without aliases):

testdba ALL = (oracle) NOPASSWD: ALL

Or with aliases:

User_Alias DBA = testdba
Runas_Alias ORACLE = oracle
DBA ALL = (ORACLE) NOPASSWD: ALL

With this configuration, the testdba user will have to run "sudo -i -u oracle" to switch to the oracle user.

Now sudo will log this simply as "testdba is becoming oracle to run a shell".

This configuration will also allow testdba to run individual commands as the oracle user, e.g. if the testdba notices that the permissions of the tnsnames.ora are set too tight:

sudo -u oracle chmod a+r /opt/oracle/product/xx.x.x.x/network/admin/tnsnames.ora

When commands like this are used, sudo will create a single clear log entry, saying effectively: "user 'testdba' ran 'chmod a+r /opt/oracle/product/xx.x.x.x/network/admin/tnsnames.ora' as user 'oracle', successfully". If your system has strict logging requirements, this is the format the security auditors will want to see. There will be no ambiguity as to who did what using the "oracle" account.

topic Re: sudo file configuration in Operating System - HP-UX

sudo file configuration

Re: sudo file configuration

Re: sudo file configuration