topic Re: Addind users to sudoers in Operating System - HP-UX

Addind users to sudoers

Charles Keyser — Mon, 11 Aug 2008 11:27:44 GMT

Question about sudoers If I add the Help Desk in to the sudoers file (see below).
Will this allow then to run the script with root privileges or do I need to add
/usr/lbin/modprpw -x
Also I will need them to run commands to cancel print jobs
In the sudoers file allowing the Help Desk authorization to run this as root?

drt9986 ALL=(ALL) NOPASSWD: ALL
cjk1402 ALL=(OP) NOPASSWD: ALL
jhf1366 ALL=(OP) NOPASSWD: ALL
HelpDesk ALL=(OP) NOPASSWD: ALL

Thanks
CJ

Re: Addind users to sudoers

Kenan Erdey — Mon, 11 Aug 2008 11:39:50 GMT

Hi,

in this configuration you give whole root permission. instead just give command paths what you want them to run like:

drt9986 ALL=(ALL) NOPASSWD: <script_path>, /usr/bin/cancel

Kenan.

Re: Addind users to sudoers

Court Campbell — Mon, 11 Aug 2008 11:44:27 GMT

Well, if root is in the OP group then the help desk can run any and all commands as root without a password. So they are basically root.

Re: Addind users to sudoers

Charles Keyser — Mon, 11 Aug 2008 11:49:52 GMT

Thanks all

Court

If I understand you correctly, this will allow the Help Desk to logon as Help Desk and execute all commands that are on my Help Desk Screen, see below

HelpDesk ALL=(OP) NOPASSWD: ALL

SCREEN SELECTIONS

1. Display printer status / print jobs.
a. Enter lpstat -p to view all printers
b. Enter lpstat -o to view all print request

2. Cancel a print job.

3. Cancel ALL print jobs for a printer.

4. Unlockes and Resets User Passwords
NOTE: A number or a group of letters will show on the screen, write down and provide this information to the user

5. This will execute the TOP command to look at the high load average on the servers. Monitoring purposes
NOTE: Control C breaks the process and returns to the Main Menu

6. EXIT this program.

Re: Addind users to sudoers

Court Campbell — Mon, 11 Aug 2008 11:54:58 GMT

Yes, but if they can exit out of the menu they can do whatever they want, ie, sudo rm -fr /*. That is a too much power for the help desk. You should only give them access to what they need. I would suggest you look up command aliases. And only allow them what they need. Otherwise it is just security through obscurity.

Re: Addind users to sudoers

Charles Keyser — Mon, 11 Aug 2008 13:16:21 GMT

Court

Thanks. I have written the script so they can not break out of it. I will set it up and test it on the servers they need to access. Thanks again 10++++ for you

Re: Addind users to sudoers

Charles Keyser — Tue, 12 Aug 2008 10:49:46 GMT

Question on the HelpDesk as adding into the sudoers

I was testing my script and found that if I eneter root or oracle on the line for password change (see below) It can be changed. How would I enter this in the sudoers to exclude root and oracle?

4. Unlockes and Resets User Passwords
NOTE: A number or a group of letters will show on the screen, write down and provide this information to the user

Re: Addind users to sudoers

Kenan Erdey — Tue, 12 Aug 2008 10:53:50 GMT

hi,

add commands to exclude:

HelpDesk ALL=(OP) NOPASSWD: ALL, ! /usr/bin/passwd root, !/usr/bin/passwd oracle

Re: Addind users to sudoers

Charles Keyser — Mon, 18 Aug 2008 16:22:23 GMT

I have added the line to the sudoers using visudo

Helpdesk logon is set up and script is in place , when they logon and run the script is says ou must be supeuser, did I miss something when I added the line? Thanks

HelpDesk ALL=(OP) NOPASSWD: ALL, ! /usr/bin/passwd root, !/usr/bin/passwd oracle

Re: Addind users to sudoers

Court Campbell — Mon, 18 Aug 2008 16:33:27 GMT

Nothing personal but you might want to read up on the sudoers file.

From: http://www.gratisoft.us/sudo/man/sudoers.html

It is generally not effective to ``subtract'' commands from ALL using the '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:

bill ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).

Re: Addind users to sudoers

Court Campbell — Mon, 18 Aug 2008 16:35:38 GMT

also, does your script have sudo before the specific commands?

Re: Addind users to sudoers

Charles Keyser — Mon, 18 Aug 2008 16:44:33 GMT

Court

Here is the command line and no it does not have the sudo

4) echo "Username to modify \c"; read USER
TESTUSER=`awk -v USER=${USER} -F: '$1~USER { print $1 }' /etc/passwd`
if test "${USER}" != "${TESTUSER}"
then
echo "${USER} is invalid!"
echo "Press [ENTER] to continue. \c"
read NOTHING
else
#This command looks at the account if it has a password liftime expired it will reset the account and enable it
/usr/lbin/modprpw -x ${USER}
sleep 10

Re: Addind users to sudoers

James R. Ferguson — Mon, 18 Aug 2008 16:52:09 GMT

Hi Charles:

The '/usr/lbin/modprpw' command requires you to be root to execute.

Regards!

...JRF...

Re: Addind users to sudoers

Charles Keyser — Mon, 18 Aug 2008 16:55:31 GMT

Thanks I researched it modified the script, tested it, works fine now. I appreciate your input

CJ

Re: Addind users to sudoers

Charles Keyser — Tue, 26 Aug 2008 12:36:53 GMT

I would like to address the script again. Below is the line from the script, below that is the sudoers line. The script works fine, when I execute the script to change the passwords that works fine. However when I execute it again to change reset ags1643, I should not be able to do it since it is commented in sudoers not to be changed. This is not working, is there something I missed in the soders command line to exclude root, oracle and ags1643 Thanks -CJ

echo "Username to modify \c"; read USER
TESTUSER=`awk -v USER=${USER} -F: '$1~USER { print $1 }' /etc/passwd`
if test "${USER}" != "${TESTUSER}"
then
echo "${USER} is invalid!"
echo "Press [ENTER] to continue. \c"
read NOTHING
else
#This command looks at the account if it has a password liftime expired it will reset the account and enable it
sudo /usr/lbin/modprpw -x ${USER}
sleep 10

SUDOERS
HelpDesk ALL=(OP) NOPASSWD: ALL, ! /usr/bin/passwd root, !/usr/bin/passwd oracle, !/usr/bin/passwd ags1643

Re: Addind users to sudoers

Heironimus — Tue, 26 Aug 2008 15:39:31 GMT

The sudoers entry you pasted only tries to prevent the specific command "/usr/bin/passwd ags1643". The fragment of script you pasted is running /usr/lbin/modprpw, not /usr/bin/passwd.

Re: Addind users to sudoers

Charles Keyser — Tue, 26 Aug 2008 17:39:15 GMT

If I understand you correctly where I user/bin/modprpw I should replace with usr/bin/passwd

Then the sudoers file should fine?

Correct?

One other question, I want to trap the CTR C
In my script I have trap ' ' INT, however when I do a CTR C (and I am still testing my script)
When I select number 6 on my script see below, I am taken to a $(prompt) I am trying to avoid any breakouts in the script that would put me at a prompt Thank -CJ

6*|Qq|bye|Ee ) print "Quitting! See You Later, $(whoami)" ; exit ;;

Re: Addind users to sudoers

James R. Ferguson — Tue, 26 Aug 2008 17:50:29 GMT

Hi Charles:

Trapping the control_C as you showed is fine, but this isn't going to prevent your script (upon) 'exit' from returning you to a shell prompt, *or* for that matter from a smart user using a piped 'more' to enter a shell.

You can either 'exec' your script from a login profile --- which means that your environment becomes your script and when you exit that, you are logged off;

OR:

You can replace the definition of the account's "shell" in '/etc/passwd' with the full patch of your script.

Either solution above, means that an 'exit' terminates your script AND the user's login session; AND that the user cannot enter a shell.

Regards!

...JRF...

Re: Addind users to sudoers

Charles Keyser — Tue, 26 Aug 2008 18:04:42 GMT

Thanks that worked great, I am not able to breakout, my peers are testing the script also.

Your thoughts on the sudoers file, last thread

Thanks

-CJ

Re: Addind users to sudoers

Charles Keyser — Wed, 27 Aug 2008 13:19:07 GMT

Sudo question, last comment

The sudoers entry you pasted only tries to prevent the specific command "/usr/bin/passwd ags1643". The fragment of script you pasted is running /usr/lbin/modprpw, not /usr/bin/passwd.

I have changed the sudo file (see below)
However when I run my script I am still abe to change the password. Any suggestions?
Below is the script line.

HelpDesk ALL=(OP) NOPASSWD: ALL, ! /usr/bin/passwd root, !/usr/bin/passwd oracle, !/usr/bin/passwd ajh1809

Script line
sudo passwd ${USER}

Thanks

-CJ