
Sudo privilege

singh sanjeev
Trusted Contributor

Hello Admin,

For the business copy script, I have added the lines below in sudoers.

#########BC_testing#######
User_Alias USER=orafpp,oraepp
USER ALL=(ALL) NOPASSWD:  /opt/exsid27/dbciFPP/exsid_mod_BR.sh,/opt/exsid27/dbciEPP/exsid_mod_BR.sh

Does this allow the ora id to execute anything as the root admin account, or only the script?

Thank you in advance,

Sanjeev Singh
bobjh
Advisor

Re: Sudo privilege

I think it allows accounts orafpp and oraepp to run the listed shell apps, coming from any IP and as any account (including root) without entering the orafpp or oraepp passwords. If the scripts provide a shell escape of some sort, then yes you may be able to run anything on the system. Otherwise you're probably okay.

Matti_Kurkela
Honored Contributor

Re: Sudo privilege

bobjh, I'd just like to make one small correction.

Sudo does not check from which host the user is coming in: the ability to specify hostnames in the sudoers file is to allow you to maintain a single centralized sudoers file and sync it to all the hosts you have using whatever method you like. Or with newer versions of sudo, you can place the privilege definitions in an LDAP directory too.

If a sudoers privilege definition includes a hostname or a Host_Alias, the privilege definition takes effect only if (one of) the hostname(s) listed matches the current hostname of the system. Otherwise the definition will be ignored.

If a centralized sudoers file is not used, many admins always put ALL in the hostname field in a local sudoers file, so that the definitions won't stop working if the system hostname is changed.

User_Alias USER=orafpp,oraepp
USER ALL=(ALL) NOPASSWD:  /opt/exsid27/dbciFPP/exsid_mod_BR.sh,/opt/exsid27/dbciEPP/exsid_mod_BR.sh

So, this will allow users orafpp and oraepp to run the listed scripts on any system this sudoers file is used on. The users can run the script as any user, not just as root. There will be no password check for them.

This sudoers configuration will allow the users to specify any command line arguments for those scripts, so if the scripts need arguments, they should handle them very carefully. If the scripts use command line arguments like $1, $2 etc. without quoting, the user might be able to make the scripts execute unintended commands by specifying arguments that include spaces, or semicolons or other special characters.

MK
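As an added example (not code from the thread or from the scripts it mentions), the sketch below shows the two mitigations MK's last paragraph points at: a tighter sudoers entry, and a wrapper that validates its single argument and never expands it unquoted. It assumes the scripts take one argument, an Oracle SID, and that only FPP and EPP are legitimate values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: the script takes one SID argument.
#
# Sudoers side (assumed hardened form of the entry quoted in the thread):
#   User_Alias BCUSERS = orafpp, oraepp
#   BCUSERS ALL=(root) NOPASSWD: /opt/exsid27/dbciFPP/exsid_mod_BR.sh "", \
#                                /opt/exsid27/dbciEPP/exsid_mod_BR.sh ""
#   - a trailing "" makes sudo refuse the command if any argument is supplied
#   - (root) instead of (ALL) limits which user the script may run as
#   - check syntax before deploying: visudo -c -f /etc/sudoers

# Demonstration of the word-splitting failure mode: an unquoted $1 containing
# spaces becomes several arguments, a quoted "$1" stays one argument.
count_words_unquoted() { set -- $1;   echo "$#"; }
count_words_quoted()   { set -- "$1"; echo "$#"; }

# Allow-list the SID: returns 0 for a known SID, 1 for anything else
# (including values carrying spaces, semicolons or other metacharacters).
valid_sid() {
    case "$1" in
        FPP|EPP) return 0 ;;
        *)       return 1 ;;
    esac
}

# Wrapper entry point: exactly one argument, validated, then used only quoted.
bc_run() {
    if [ "$#" -ne 1 ]; then
        echo "usage: exsid_mod_BR.sh SID" >&2
        return 2
    fi
    if ! valid_sid "$1"; then
        echo "rejected SID: $1" >&2
        return 1
    fi
    # Simulated work; a real wrapper would call the BC tooling here with "$1".
    printf 'business copy for %s\n' "$1"
    return 0
}
```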