HPE Community
Operating System - HP-UX
1753756 Members
4696 Online
108799 Solutions
New Discussion юеВ

CONCERNS IN SUDO

 
oprakash
Frequent Advisor

тАО06-09-2009 11:08 PM

тАО06-09-2009 11:08 PM

CONCERNS IN SUDO

Hi,

Can any suggest me about the sudo user access.

1. I need to give sudo access to a specific user, how should i add it.

2. Sudo user should not do any admin activity like entering into smitty, chgrp, chown etc.

3. How should i allow sudo user to access only one particular filesystem. That is they should not open /opt, /home, /var.
0 Kudos
Reply
3 REPLIES 3
Jeeshan
Honored Contributor

тАО06-09-2009 11:35 PM

тАО06-09-2009 11:35 PM

Re: CONCERNS IN SUDO

>>1. I need to give sudo access to a specific user, how should i add it.

#visudo
in sudoers file add an entry like bellow

oprakash ALL = () NOPASSWD:ALL

>>2. Sudo user should not do any admin activity like entering into smitty, chgrp, chown etc.

oprakash ALL = () NOPASSWD:ALL,!/usr/bin/chgrp, !/usr/bin/chown

>>3. How should i allow sudo user to access only one particular filesystem. That is they should not open /opt, /home, /var.

to gain this facility you have to set chroot jail or define restricted shell to user. With sudo you cannot perform it.
a warrior never quits
0 Kudos
Reply
Sajjad Sahir
Honored Contributor

тАО06-10-2009 01:25 AM

тАО06-10-2009 01:25 AM

Re: CONCERNS IN SUDO

Dear oprakash

1. Prepare the source code for compilation:

Log in as root, make a directory at a convenient point in the file system to hold the source code and copy the source into this directory. For example:

# mkdir -p /opt/source/sudo
# cd /opt/source/sudo
# cp /tmp/sudo version.tar.gz .

Unzip and untar the source and then change to the directory created by tar:

# gunzip sudo
# tar xvf sudo
# cd sudo-version
At this point, you may like to have a look at the README, INSTALL and FAQ files.


2. Compile the source code and install sudo:

Configure the compilation process for your system:

# ./configure
Compile the source code:


# make
And install the compiled code:

# make install

This install the sudo program into /usr/local/bin, the visudo script (see later) into /usr/local/sbin and the manual page into subdirectories of /usr/local/man.

3. Modify the search path:

If you haven't already done so for other software, you now need to modify the search paths so that the system can find the sudo program and its manual pages. If you're running the CDE windowing system, this is done by editing the file /.dtprofile and adding the following lines (if they aren't already there) to the end of this file:

PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/ccs/bin
MANPATH=$MANPATH:/usr/man/:/usr/local/man

It's advisable to log out and log in again at this point to activate these changes. Make sure that the system can find the sudo program:

# sudo -V
(that's an upper case "V") and that you can display the manual pages:

# man sudo
# man visudo
# man sudoers


4. Configure sudo:

sudo is controlled by its configuration file /etc/sudoers. The program has a rich selection of configuration options and you may like to read the man page for sudoers and examine the sample configuration file which you'll find in sample.sudoers in the source code directory.

The instructions below describe how to create an sudoers file which allows any user to run the /dialup and /hangup scripts defined in Configuring PPP on Solaris to connect to an ISP and allows a particular user to run any command as root.

One potential difficulty is that the /etc/sudoers file must be edited using the visudo program and not directly in your editor of choice. visudo uses the "vi" editor and this means that you need at least a basic understanding of how to use this editor. If you aren't already familiar with vi, you'll have to learn it sooner or later so now's a good time to start! But don't worry if you've never used it before - I'll include enough instruction here to enable you to edit the short file created by the installation process and append a couple of lines to it.

To edit /etc/sudoers, make sure you're logged in as root and type:

# /usr/local/sbin/visudo

This starts the vi editor and displays the initial /etc/sudoers file. vi uses what appear at first sight to be commands that aren't exactly intuitive. If you're not familiar with vi, type the following exactly as it appears and note that commands in vi are case sensitive. So don't type a lower-case "g" when the instructions show an upper-case "G".

Move the cursor to the end of the file by typing an upper-case G:

G

and open a new line just beyond the last line in the file by typing a lower-case o:

o

vi is now in "edit" mode and anything you type is inserted into the file. If you want everyone (all users) to be able to run the /hangup and /dialup scripts, type the following:

ALL ALL=/dialup,/hangup

with a TAB character after the first "ALL". That line tells sudo that all users are allowed to execute the scripts /hangup and /dialup as if they were root.

If you want to give just one user, say jim, the ability to run the scripts, type the following instead:

jim ALL=/dialup,/hangup

You may like to add another line telling sudo that your own personal user is allowed to do anything as root. Press the ENTER key and, if your own personal user is mike, you'd type:

mike ALL=(root) ALL

again with a TAB character after "mike".



Finally, switch vi back into command mode by pressing the ESCAPE key and exit vi by typing:

:wq

followed by ENTER. If you make a mistake at any time, just press the ESCAPE key followed by:

:q!

followed by ENTER and vi will return you to the shell command prompt without making any changes to the file.

5 Using sudo:

sudo is simple to use. To execute a command with root privilege, type:

$ sudo name-of-command

If this is the first time you've used sudo since logging in, sudo will ask for your password. The password required at this point is the user's own password, not the root password. So, if you've logged in as user jane and she wants to start a dialup connection to her ISP, she would type:

# sudo /dialup

and sudo responds:

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these two things:

#1) Respect the privacy of others.
#2) Think before you type.

Password:

Jane would then type her password and sudo will run the /dialup script for her with root privilege. If further commands are executed using sudo within 5 minutes, it will not ask for a password again.

But if Jane were to try and execute a command without having the necessary permission (as defined in the /etc/sudoers file), sudo will refuse to run it:

$ sudo vi /etc/passwd

Sorry, user jane is not allowed to execute "/usr/bin/vi /etc/passwd" as root on sunbeam.

In this example, sunbeam is the name of the machine.



If you'd prefer not to have to type a password at all, replace the two lines in /etc/sudoers with:

ALL NOPASSWD: ALL=/dialup,/hangup
mike ALL=(root) NOPASSWD: ALL

Do have a good look through the man page for sudo. The program has powerful features and you may like to use it for other purposes.


thanks and regards

Sajjad Sahir
0 Kudos
Reply
Suraj K Sankari
Honored Contributor

тАО06-10-2009 03:26 AM

тАО06-10-2009 03:26 AM

Re: CONCERNS IN SUDO

Hi,

For AIX download the sudo package from below link
http://aixpdslib.seas.ucla.edu/packages/sudo.html
http://www.ibm.com/servers/aix/products/aixos/linux/download.html

To configure manuals and examples are in below link
http://www.sudo.ws/sudo/man/sudoers.html

Suraj
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.