Operating System - HP-UX

Re: sudo allow user to run command as other user

SOLVED
OFC_EDM
Respected Contributor

sudo allow user to run command as other user

I want to allow a user (fran) to run a job as (pprd)

The command must only be run with specific options (cannot submit command with alt options)

They have to enter their password as well when running the command.

The command is
/var/cluster/caa/script/somejob start xyz

I don't necessarily want fran to be able to su to pprd. Only to run the one command as pprd.

How do I set up the sudoers file? And what would the user type at the command line to invoke the command via sudo?

So far this is what I'm thinking:
## Users allowed to start pprd
User_Alias JSUB_PPRD = fran

# Cmnd alias specification
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start xyz

Runas_Alias JOBSPPRD = fran

# User privilege specification
# Allow user to run command only as pprd
PRIV_USER JSUB_PPRD = (pprd) JOBSPPRD

Does that look right?
Can this be configured in a simpler fashion?

If fran wanted to run the command via script (logged in as fran), would it simply be:

sudo /var/cluster/caa/script/somejob start xyz

The Devil is in the detail.
OFC_EDM
Respected Contributor

Re: sudo allow user to run command as other user

Meant to put this as the Runas Alias

Runas_Alias JOBSPPRD = pprd

and NOT

Runas_Alias JOBSPPRD = fran

Which would change
PRIV_USER JSUB_PPRD = (pprd) JOBSPPRD
to
PRIV_USER JSUB_PPRD = (JOBSPPRD) JS_PPRD

Overall it's:

## Users allowed to start pprd
User_Alias JSUB_PPRD = fran

# Cmnd alias specification
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start xyz

Runas_Alias JOBSPPRD = pprd

# User privilege specification
# Allow user to run command only as pprd
PRIV_USER JSUB_PPRD = (JOBSPPRD) JS_PPRD

So, same questions as in my original post...I've just changed the config.
The Devil is in the detail.
OFC_EDM
Respected Contributor

Re: sudo allow user to run command as other user

One more change

The last line I think needs to be
JSUB_PPRD PRIV_USER = (JOBSPPRD) JS_PPRD

Instead of
PRIV_USER JSUB_PPRD = (pprd) JOBSPPRD

Otherwise user fran isn't associated with the command...am I correct?

The Devil is in the detail.
Kenan Erdey
Honored Contributor
Solution

Re: sudo allow user to run command as other user

Hi,

User_Alias JSUB_PPRD = fran
Runas_Alias JOBSPPRD = pprd
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start xyz



JSUB_PPRD ALL=(JOBSPPRD) JS_PPRD

In this configuration user fran can invoke the command as

sudo /var/cluster/caa/script/somejob start xyz

or, if somejob's path is in fran's profile, can invoke the command directly.

If you don't want sudo to ask fran for a password, change the line to:

JSUB_PPRD ALL=(JOBSPPRD) NOPASSWD: JS_PPRD

Kenan.

Computers have lots of memory but no imagination
OFC_EDM
Respected Contributor

Re: sudo allow user to run command as other user

Host_Alias PRODSVC = host1, host2

User_Alias JSUB_PPRD = fran
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start
Runas_Alias JOBSPPRD = jobspprd
JSUB_PPRD PRODSVC = (JOBSPPRD) JS_PPRD

Note: the xyz argument is no longer needed

But fran can run the command as
/var/cluster/caa/script/somejob start
or
/var/cluster/caa/script/somejob start123

I need the argument limited to 'start' only.

I've noticed this user is in another section of the sudoers file.

They belong to the user alias UNIX and then the following spec is at the end of the sudoers file

## Allow UNIX admin to run anything as root or operator
UNIX PRODSVC = (OP)

Does this override my new config thus allowing them to run /var/cluster/caa/script/somejob start123 ?

Thus negating my efforts to restrict the command?


The Devil is in the detail.
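As an added illustration (not part of the thread and not sudo's own code), here is a small Python model of how a user spec such as "JSUB_PPRD ALL=(JOBSPPRD) JS_PPRD" from the solution post is evaluated, and why the argument concern raised just above matters: sudoers requires the Cmnd's arguments to match the typed arguments exactly, so "somejob start xyz" does not admit "somejob start xyz123", and a runas of pprd does not admit root. The second policy models the later Host_Alias PRODSVC / "start"-only / NOPASSWD variant; wildcards and the separate UNIX spec are not modelled.

```python
import shlex

# Constructed, simplified model of sudoers evaluation (illustration only, not sudo's code).
# Policy as written in the solution post: User_Alias, Runas_Alias, Cmnd_Alias, user spec.
POLICY = {
    "users": {"JSUB_PPRD": {"fran"}},
    "hosts": {},
    "runas": {"JOBSPPRD": {"pprd"}},
    # Cmnd entries are (path, args); args=None would mean "any arguments accepted"
    "cmnds": {"JS_PPRD": [("/var/cluster/caa/script/somejob", "start xyz")]},
    # user spec fields: (user alias, host alias, runas alias, cmnd alias, needs_password)
    "specs": [("JSUB_PPRD", "ALL", "JOBSPPRD", "JS_PPRD", True)],
}

# Variant from later in the thread: Host_Alias PRODSVC, Cmnd restricted to "start", NOPASSWD.
POLICY_START = {
    "users": {"JSUB_PPRD": {"fran"}},
    "hosts": {"PRODSVC": {"host1", "host2"}},
    "runas": {"JOBSPPRD": {"pprd"}},
    "cmnds": {"JS_PPRD": [("/var/cluster/caa/script/somejob", "start")]},
    "specs": [("JSUB_PPRD", "PRODSVC", "JOBSPPRD", "JS_PPRD", False)],
}

def expand(aliases, name):
    """An alias name expands to its members; a plain user/host/runas name stands for itself."""
    return aliases.get(name, {name})

def command_matches(path, args, argv):
    """sudoers rule: the path must be identical and, when the Cmnd lists arguments,
    the user's arguments must match them exactly (wildcards are not modelled here)."""
    if not argv or argv[0] != path:
        return False
    if args is None:
        return True
    return " ".join(argv[1:]) == args

def check(policy, user, runas, host, cmdline):
    """Return (allowed, needs_password) for `user` running `cmdline` as `runas` on `host`."""
    argv = shlex.split(cmdline)
    for user_alias, host_alias, runas_alias, cmnd_alias, needs_pw in policy["specs"]:
        if user not in expand(policy["users"], user_alias):
            continue
        if host_alias != "ALL" and host not in expand(policy["hosts"], host_alias):
            continue
        if runas not in expand(policy["runas"], runas_alias):
            continue
        if any(command_matches(p, a, argv) for p, a in policy["cmnds"][cmnd_alias]):
            return True, needs_pw
    return False, True  # no matching spec: sudo refuses the command
```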
Kenan Erdey
Honored Contributor

Re: sudo allow user to run command as other user

Yes, possible.

If fran is an operator, why are you trying to restrict the user? You can try removing user fran from that group and writing a line for user fran with his new privileges.

Kenan.
Computers have lots of memory but no imagination
OFC_EDM
Respected Contributor

Re: sudo allow user to run command as other user

>>> if fran is operator why are you trying to restrict user

The real objective is when fran runs the command the command has to be executed under the other users id and NOT as fran.

They've tried sudo su - pprd -c /var/cluster/caa/scripts/somejob start xyz but that fails.
The Devil is in the detail.
Kenan Erdey
Honored Contributor

Re: sudo allow user to run command as other user

Hi,

try sudo su - pprd -c "/var/cluster/caa/scripts/somejob start xyz"

Computers have lots of memory but no imagination
OFC_EDM
Respected Contributor

Re: sudo allow user to run command as other user

I'm getting

Sorry, user fran is not allowed to execute '/usr/bin/su - jobspprd -c /var/cluster/caa/scripts/somejob start' as root on serverxyz

Regardless of how I run the command

sudo /.../.../somejob start
sudo - pprd -c /.../.../somejob start
sudo - pprd -c "/.../.../somejob start"

They must belong to another group which allows them to run commands as root. Because the message indicates it's trying to run as root and not pprd.

It's a long sudoers file so I'll just keep trudging through it and try and figure this out.
The Devil is in the detail.
Kenan Erdey
Honored Contributor

Re: sudo allow user to run command as other user

Hi,

So you can remove user fran from the UNIX group in the User_Alias and add a line at the end:

fran ALL = (OP) ALL, (pprd) /var/cluster/caa/script/somejob start xyz
Computers have lots of memory but no imagination