topic Re: sudo allow user to run command as other user in Operating System - HP-UX

sudo allow user to run command as other user

OFC_EDM — Wed, 18 Jun 2008 09:32:17 GMT

I want to allow a user (fran) to run a job as (pprd)

The command must only be run with specific options (cannot submit command with alt options)

They have to enter their password as well when running the command.

The command is
/var/cluster/caa/script/somejob start xyz

I don't necessarily want fran to be able to su to pprd. Only to run the one command as pprd.

How do I setup the sudoers file. And what would the user type at the command line to invoke the command via sudo.

So far this is what I'm thinking:
## Users allowed to start pprd
User_Alias JSUB_PPRD = fran

# Cmnd alias specification
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start xyz

Runas_Alias JOBSPPRD = fran

# User privilege specification
# Allow user to run command only as pprd
PRIV_USER JSUB_PPRD = (pprd) JOBSPPRD

Does that look right?
Can this be configured in a simpler fashion?

If fran wanted to run the command via script (logged in as fran )would it simply be:

sudo /var/cluster/caa/script/somejob start xyz

Re: sudo allow user to run command as other user

OFC_EDM — Wed, 18 Jun 2008 09:41:02 GMT

Meant to put this as the Runas Alias

Runas_Alias JOBSPPRD = pprd

and NOT

Runas_Alias JOBSPPRD = fran

Which would change
PRIV_USER JSUB_PPRD = (pprd) JOBSPPRD
to
PRIV_USER JSUB_PPRD = (JOBSPPRD) JS_PPRD

Overall its:

## Users allowed to start pprd
User_Alias JSUB_PPRD = fran

# Cmnd alias specification
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start xyz

Runas_Alias JOBSPPRD = pprd

# User privilege specification
# Allow user to run command only as pprd
PRIV_USER JSUB_PPRD = (JOBSPPRD) JS_PPRD

So same questions from my original post...I've just changed the config

Re: sudo allow user to run command as other user

OFC_EDM — Wed, 18 Jun 2008 09:53:59 GMT

One more change

The last line I think needs to be
JSUB_PPRD PRIV_USER = (JOBSPPRD) JS_PPRD

Instead of
PRIV_USER JSUB_PPRD = (pprd) JOBSPPRD

Otherwise user fran isn't associated with the command...am I correct?

Re: sudo allow user to run command as other user

Kenan Erdey — Wed, 18 Jun 2008 10:17:53 GMT

Hi,

User_Alias JSUB_PPRD = fran
Runas_Alias JOBSPPRD = pprd
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start xyz

JSUB_PPRD ALL=(JOBSPPRD) JS_PPRD

in this configuration user fran can invoke command as

sudo /var/cluster/caa/script/somejob start xyz
or if somejobs' path is fran's profile directly can invove command.

if you don't want to ask password for fran, change line:

JSUB_PPRD ALL=(JOBSPPRD)NOPASSWD: JS_PPRD

Kenan.

Re: sudo allow user to run command as other user

OFC_EDM — Wed, 18 Jun 2008 10:34:56 GMT

Host_Alias PRODSVC = host1, host2

User_Alias JSUB_PPRD = fran
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start
Runas_Alias JOBSPPRD = jobspprd
JSUB_PPRD PRODSVC = (JOBSPPRD) JS_PPRD

Note: the xyz argument is no longer needed

But fran can run the command as
/var/cluster/caa/script/somejob start
or
/var/cluster/caa/script/somejob start123

I need the arguement to limited to 'start' only.

I've noticed this user is in another section of the sudoers file.

They belong to the user alias UNIX and then the following spec is at the end of the sudoers file

## Allow UNIX admin to run anything as root or operator
UNIX PRODSVC = (OP)

Does this override my new config thus allowing them to run /var/cluster/caa/script/somejob start123 ?

Thus negating my efforts to restrict the command?

Re: sudo allow user to run command as other user

Kenan Erdey — Wed, 18 Jun 2008 10:47:43 GMT

yes possible.

if fran is operator why are you trying to restrict user ?you can try removing fran user from that grup. and write a line for fran user with his new priviliges.

Kenan.

Re: sudo allow user to run command as other user

OFC_EDM — Wed, 18 Jun 2008 11:41:45 GMT

>>> if fran is operator why are you trying to restrict user

The real objective is when fran runs the command the command has to be executed under the other users id and NOT as fran.

They've tried sudo su - pprd -c /var/cluster/caa/scripts/somejob start xyz but that fails.

Re: sudo allow user to run command as other user

Kenan Erdey — Wed, 18 Jun 2008 11:55:27 GMT

Hi,

try sudo su - pprd -c "/var/cluster/caa/scripts/somejob start xyz"

Re: sudo allow user to run command as other user

OFC_EDM — Wed, 18 Jun 2008 12:16:24 GMT

I'm getting

Sorry, user fran is not allowed to execute '/usr/bin/su - jobspprd -c /var/cluster/caa/scripts/somejob start' as root on serverxyz

Regardless of how I run the command

sudo /.../.../somejob start
sudo - pprd -c /.../.../somejob start
sudo - pprd -c "/.../.../somejob start"

They must belong to another group which allows them to run commands as root. Because the message indicates it's trying to run as root and not pprd.

It's a long sudoers file so I'll just keep trudging through it and try and figure this out.

Re: sudo allow user to run command as other user

Kenan Erdey — Wed, 18 Jun 2008 12:53:58 GMT

Hi,

so you can remove fran user from UNIX group in User_Alias and add a line to the end:

fran = ALL(OP), (pprd) /var/cluster/caa/script/somejob start xyz

Re: sudo allow user to run command as other user

OFC_EDM — Wed, 18 Jun 2008 13:30:59 GMT

In the end the problem lied with how I was calling the command.

Here's the final command

sudo -u pprd su - pprd /var/cluster/caa/script/somejob xyz

Thanks for the help

Re: sudo allow user to run command as other user

dearbei — Wed, 22 Apr 2009 01:51:13 GMT

Hi,
I'm in the process of doing similar set up like this.. Could you please share your complete set up that was working?

thanks,

B.