
Re: Sudo on HP-UX

 
oza
Advisor

Sudo on HP-UX

I have already configured sudo on my HP-UX system, which works ok, but whenever I tried to switch to another user I received the following error:

$ sudo su -
gbaheq08:/ #
gbaheq08:/ # su - sched
You are already root, you don't need to use sudo.

This works perfectly well with my Linux, but I am unable to do the same with HP-UX. Any help will be appreciated.

Matti_Kurkela
Honored Contributor

Re: Sudo on HP-UX

Welcome to ITRC Forums!

> $ sudo su -

This causes sudo to switch you to root, then runs "su -" to switch you from root to root, re-creating the environment settings. This seems like a tautology. If clarity of security logs is important, and your version of sudo is new enough, a simple "sudo -i" will give you a login-like root session. But I digress...


> gbaheq08:/ # su - sched
> You are already root, you don't need to use sudo.

You're probably not using the standard /usr/bin/su, but instead some local script that is designed to promote the use of sudo instead of su.

Run "whence su" to find the command that actually gets executed.
Then "file $(whence su)" to see whether it's a binary or a script.

And if applicable, talk with any other and/or previous HP-UX sysadmins at your site. Your site might have some configuration policies you would need to know. If the system was installed from an Ignite server or a Golden Image, some site-specific customizations may have been included in the installation sources.

MK
TTr
Honored Contributor

Re: Sudo on HP-UX

What are the sudo versions in your Linux and HP-UX servers?

Based on the sudo.c code http://www.opensource.apple.com/source/sudo/sudo-10/sudo/sudo.c root is not allowed to run sudo. The first command "sudo su - " does not exit so technically the "su - sched" is run by sudo and sudo does not allow root to run it.

Are you saying that the exact same commands run differently in Linux? That's why I am asking to check your sudo versions. Unless the "su -" behaves differently in Linux than in hp-ux.
Matti_Kurkela
Honored Contributor

Re: Sudo on HP-UX

> Based on the sudo.c code http://www.opensource.apple.com/source/sudo/sudo-10/sudo/sudo.c root is not allowed to run sudo.

It is configurable.

Whether root can run sudo or not depends on the state of the code flag I_ROOT_SUDO, which is controlled by the configuration flag "root_sudo" in the sudoers file. In most sudo packages distributed for HP-UX, the use of sudo by root is enabled by default.

> The first command "sudo su - " does not exit so technically the "su - sched" is run by sudo and sudo does not allow root to run it.

More accurately, the first "sudo" in "sudo su -" is running "su -", which is running root's shell (in HP-UX, that's /sbin/sh), and *that shell* is running the command "su - sched" which should run su, not sudo.

But the error message reveals it apparently somehow ends up running sudo again, perhaps because of some local customization we cannot see.

The first "sudo" does not exit, that's true. But "sudo" by itself does not display any prompts: it needs a shell for that.

If you don't believe me, run this command:
UNIX95=1 ps -Hef

Then find the sudo session and look at the hierarchy of processes.

MK
oza
Advisor

Re: Sudo on HP-UX

Probably I need to explain myself in a better way.

I have configured sudo to either run on the command su - or sudo su - because some applications have inbuilt su - so you don't have to put your password the second time.

On the Linux box which works perfectly ok. These are my logon details:
-bash-3.00$ su -
[root@gbahevl181 ~]#
[root@gbahevl181 ~]# su - h070ahe
-sh-3.00$ pwd
/home/h070ahe

[root@gbahevl181 ~]# which sudo
/usr/bin/sudo
[root@gbahevl181 ~]# cd /bin
[root@gbahevl181 bin]# ls -l su*
-rwsr-sr-x 1 root root 22 Mar 23 15:26 su
-rwsr-xr-x 1 root root 60820 Oct 4 2006 su.original
[root@gbahevl181 bin]# cat su
sudo su.original "$@"

On the HP-UX box:
$ pwd
/home/D060AHE
$ su -
gbaheu65:/ #
gbaheu65:/ # which sudo
/usr/local/bin/sudo
gbaheu65:/ # whence su
/usr/bin/su

gbaheu65:/ # cd /bin
gbaheu65:/bin # ls -l su*
-rwsrwsrwx 1 root sys 25 Mar 31 09:10 su
-r-sr-xr-x 1 root bin 28672 Mar 8 2006 su.original
gbaheu65:/bin # cat su
sudo su.original "$@"

gbaheu65:/ # su - H070AHE
You are already root, you don't need to use sudo.
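
The check suggested earlier in the thread (is "su" a binary or a script?) combined with a look at the mode bits in the listing above, where the HP-UX wrapper is -rwsrwsrwx, i.e. writable by group and other. This is an added example, not part of the original post; the function names and finding labels are made up for illustration.

```shell
#!/bin/sh
# mode_findings MODESTRING: classify an "ls -l" mode string such as -rwsrwsrwx.
mode_findings() {
    # Character 4 is the owner execute/setuid slot, character 7 the group one.
    case $1 in
        ???[sS]*|??????[sS]*) echo "setid-bit-set" ;;
    esac
    # Character 6 is group write, character 9 is other write.
    case $1 in
        ?????w*|????????w*) echo "writable-by-group-or-other" ;;
    esac
}

# audit_su_wrapper FILE: one finding per line for the file that "su" resolves to.
audit_su_wrapper() {
    # A wrapper like the one in the post is a short text file that calls sudo.
    if [ $(wc -c < "$1") -lt 4096 ] && grep -q 'sudo' "$1"; then
        echo "wrapper-calls-sudo"
    fi
    mode_findings "$(ls -ld "$1" | awk '{ print $1 }')"
}

# Mode strings copied from the two HP-UX listing lines in the post.
echo "su:          $(mode_findings -rwsrwsrwx | tr '\n' ' ')"
echo "su.original: $(mode_findings -r-sr-xr-x | tr '\n' ' ')"

# Constructed sample: the one-line wrapper from the post, recreated in a temp dir.
wrapdir=$(mktemp -d)
trap 'rm -rf "$wrapdir"' EXIT
printf '%s\n' 'sudo su.original "$@"' > "$wrapdir/su"
chmod 755 "$wrapdir/su"    # only the owner can modify the wrapper
audit_su_wrapper "$wrapdir/su"
```

On a live system the argument would be the path that "whence su" reports.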
Matti_Kurkela
Honored Contributor
Solution

Re: Sudo on HP-UX

So when you enter the command:

> gbaheu65:/ # su - H070AHE

The actual command that gets executed will be:

sudo /usr/bin/su.original - H070AHE

So, the problem is in the sudoers file.

Either your HP-UX sudoers file contains a line like:

Defaults !root_sudo

or your HP-UX sudo has been set up to not allow root to use sudo as a compile-time default. (If that's the case, override the default by adding "Defaults root_sudo" to your sudoers file.)

In Linux, sudo apparently uses the developer's "factory defaults", and root_sudo is enabled by default.

MK
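
To tell the two cases in the answer above apart, the sudoers file can be checked for the flag. This is an added example, not part of the original post; the function name root_sudo_setting and the sample sudoers contents are constructed for illustration.

```shell
#!/bin/sh
# root_sudo_setting FILE
# Prints "on", "off" or "unset" for the global root_sudo flag in a sudoers file.
# Later Defaults lines override earlier ones, so the last match wins.
# Assumption: no backslash line continuations in the Defaults lines.
root_sudo_setting() {
    awk '
        # Global form only: scoped forms (Defaults:user, Defaults@host, ...)
        # have a different first field and are skipped.
        $1 == "Defaults" {
            line = $0
            sub(/#.*/, "", line)                     # drop a trailing comment
            sub(/^[ \t]*Defaults[ \t]+/, "", line)   # keep only the option list
            n = split(line, opts, ",")
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                if (o == "root_sudo")  state = "on"
                if (o == "!root_sudo") state = "off"
            }
        }
        END { if (state == "") state = "unset"; print state }
    ' "$1"
}

# Constructed sudoers samples (not taken from the poster's system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'Defaults env_reset, !root_sudo' 'root ALL=(ALL) ALL' > "$tmp/disabled"
printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL) ALL' > "$tmp/unset"
printf '%s\n' 'Defaults !root_sudo' 'Defaults root_sudo' 'root ALL=(ALL) ALL' > "$tmp/fixed"

for f in disabled unset fixed; do
    printf '%s: %s\n' "$f" "$(root_sudo_setting "$tmp/$f")"
done
```

An "unset" result means the compile-time default decides, which is the second case the answer describes.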
oza
Advisor

Re: Sudo on HP-UX

Hi Matti,
Thanks. I added "Defaults root_sudo" to the /etc/sudoers file and it works perfectly. Have a nice day.
Taifur
Respected Contributor

Re: Sudo on HP-UX


Hi,

Please find the link below
http://www.gratisoft.us/sudo/man/sudo.html

Cheers//
Taifur
oza
Advisor

Re: Sudo on HP-UX

I edited the /etc/sudoers file to include:

Defaults root_sudo