cancel
Showing results for 
Search instead for 
Did you mean: 

sudo file configuration

 

sudo file configuration

Hi

 

Cmnd_Alias DB=/usr/bin/su - oracle
User_Alias DBA = testdba
DBA ALL = NOPASSWD: DB

 

when I login as testdba and /usr/bin/su - oracle it asks for a password.

 

i dont find amy mistake in this the above sudoers file.

 

grep testdba /etc/passwd
testdba:6x6S0BB2DST02:7546:765::/home/testdba:/sbin/sh

grep 765 /etc/group
DBA::765:

regards

 

madhu

 

2 REPLIES
Patrick Wallek
Honored Contributor

Re: sudo file configuration

 When you do NOT specify sudo it is just running the 'su' command normally and thus will ask for the oracle password.

 

You have to preface the command with 'sudo' otherwise the system does not know that it needs to use sudo.

 

$ sudo /usr/bin/su - oracle

 

Matti_Kurkela
Honored Contributor

Re: sudo file configuration

If you run "/usr/bin/su - oracle" as testdba, you are not using sudo at all, and the su command is asking for the password of the "oracle" user, as usual. You should be running "sudo /usr/bin/su - oracle" to make it work.

 

Login as testdba and run "sudo -l". Type the password if requested. The sudo command should list all the commands testdba is allowed to run. Does it say you're authorized to run the command?

 

Your sudoers syntax has one error. You should specify which user the command should be allowed to run as.

 

Without aliases:

testdba ALL = (root) NOPASSWD: /usr/bin/su - oracle

 (This also highlights the fact that you're actually allowing testdba to run a single specific command as root. When used, this causes two messages to be logged: first, sudo will log that "testdba" is becoming "root" for the purpose of running "/usr/bin/su - oracle". Then su logs that "root" is becoming "oracle". This is more complex than necessary: sudo could do both steps on its own.)

 

The same with your aliases included:

Cmnd_Alias DB=/usr/bin/su - oracle
User_Alias DBA = testdba
DBA ALL = (root) NOPASSWD: DB

 

---------------------------------------

 

A better configuration might be to "say what you mean". You want to allow testdba to do anything as user oracle. In sudoers syntax, that would be (without aliases):

testdba ALL = (oracle) NOPASSWD: ALL

 Or with aliases:

User_Alias DBA = testdba
Runas_Alias ORACLE = oracle
DBA ALL = (ORACLE) NOPASSWD: ALL

With this configuration, the testdba user will have to run "sudo -i -u oracle" to switch to the oracle user.

Now sudo will log this simply as "testdba is becoming oracle to run a shell".

 

This configuration will also allow testdba to run individual commands as the oracle user, e.g. if the testdba notices that the permissions of the tnsnames.ora are set too tight:

sudo -u oracle chmod a+r /opt/oracle/product/xx.x.x.x/network/admin/tnsnames.ora

 When commands like this are used, sudo will create a single clear log entry, saying effectively: "user 'testdba' ran 'chmod a+r /opt/oracle/product/xx.x.x.x/network/admin/tnsnames.ora' as user 'oracle', successfully". If your system has strict logging requirements, this is the format the security auditors will want to see. There will be no ambiguity as to who did what using the "oracle" account.

MK