Re: sudo allow user to run command as other user
06-18-2008 02:32 AM
The command must only be run with specific options (cannot submit command with alt options)
They have to enter their password as well when running the command.
The command is
/var/cluster/caa/script/somejob start xyz
I don't necessarily want fran to be able to su to pprd. Only to run the one command as pprd.
How do I set up the sudoers file? And what would the user type at the command line to invoke the command via sudo?
So far this is what I'm thinking:
## Users allowed to start pprd
User_Alias JSUB_PPRD = fran
# Cmnd alias specification
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start xyz
Runas_Alias JOBSPPRD = fran
# User privilege specification
# Allow user to run command only as pprd
PRIV_USER JSUB_PPRD = (pprd) JOBSPPRD
Does that look right?
Can this be configured in a simpler fashion?
If fran wanted to run the command via script (logged in as fran), would it simply be:
sudo /var/cluster/caa/script/somejob start xyz
06-18-2008 02:41 AM
Re: sudo allow user to run command as other user
Runas_Alias JOBSPPRD = pprd
and NOT
Runas_Alias JOBSPPRD = fran
Which would change
PRIV_USER JSUB_PPRD = (pprd) JOBSPPRD
to
PRIV_USER JSUB_PPRD = (JOBSPPRD) JS_PPRD
Overall it's:
## Users allowed to start pprd
User_Alias JSUB_PPRD = fran
# Cmnd alias specification
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start xyz
Runas_Alias JOBSPPRD = pprd
# User privilege specification
# Allow user to run command only as pprd
PRIV_USER JSUB_PPRD = (JOBSPPRD) JS_PPRD
So, same questions from my original post... I've just changed the config.
06-18-2008 02:53 AM
Re: sudo allow user to run command as other user
The last line I think needs to be
JSUB_PPRD PRIV_USER = (JOBSPPRD) JS_PPRD
Instead of
PRIV_USER JSUB_PPRD = (pprd) JOBSPPRD
Otherwise user fran isn't associated with the command...am I correct?
06-18-2008 03:17 AM
Solution
User_Alias JSUB_PPRD = fran
Runas_Alias JOBSPPRD = pprd
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start xyz
JSUB_PPRD ALL=(JOBSPPRD) JS_PPRD
In this configuration, user fran can invoke the command as
sudo /var/cluster/caa/script/somejob start xyz
or, if somejob's path is in fran's profile, can invoke the command directly.
If you don't want to ask fran for a password, change the line:
JSUB_PPRD ALL=(JOBSPPRD)NOPASSWD: JS_PPRD
Kenan.
06-18-2008 03:34 AM
Re: sudo allow user to run command as other user
User_Alias JSUB_PPRD = fran
Cmnd_Alias JS_PPRD = /var/cluster/caa/script/somejob start
Runas_Alias JOBSPPRD = jobspprd
JSUB_PPRD PRODSVC = (JOBSPPRD) JS_PPRD
Note: the xyz argument is no longer needed
But fran can run the command as
/var/cluster/caa/script/somejob start
or
/var/cluster/caa/script/somejob start123
I need the argument to be limited to 'start' only.
I've noticed this user is in another section of the sudoers file.
They belong to the user alias UNIX and then the following spec is at the end of the sudoers file
## Allow UNIX admin to run anything as root or operator
UNIX PRODSVC = (OP)
Does this override my new config thus allowing them to run /var/cluster/caa/script/somejob start123 ?
Thus negating my efforts to restrict the command?
06-18-2008 03:47 AM
Re: sudo allow user to run command as other user
If fran is an operator, why are you trying to restrict the user? You can try removing the fran user from that group and writing a line for the fran user with his new privileges.
Kenan.
06-18-2008 04:41 AM
Re: sudo allow user to run command as other user
The real objective is that when fran runs the command, the command has to be executed under the other user's ID and NOT as fran.
They've tried sudo su - pprd -c /var/cluster/caa/scripts/somejob start xyz but that fails.
06-18-2008 04:55 AM
Re: sudo allow user to run command as other user
Try sudo su - pprd -c "/var/cluster/caa/scripts/somejob start xyz"
06-18-2008 05:16 AM
Re: sudo allow user to run command as other user
Sorry, user fran is not allowed to execute '/usr/bin/su - jobspprd -c /var/cluster/caa/scripts/somejob start' as root on serverxyz
Regardless of how I run the command
sudo /.../.../somejob start
sudo - pprd -c /.../.../somejob start
sudo - pprd -c "/.../.../somejob start"
They must belong to another group which allows them to run commands as root. Because the message indicates it's trying to run as root and not pprd.
It's a long sudoers file so I'll just keep trudging through it and try and figure this out.
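An added example, not part of the original thread and not sudo's own code: a simplified Python model of the documented sudoers matching rules, applied to the rule `JSUB_PPRD ALL = (JOBSPPRD) JS_PPRD` from this thread. It shows why a request without `-u` is evaluated against root (the denial quoted above) and how listed arguments constrain the command. The helper names `cmnd_matches`, `parse_sudo` and `allowed` are hypothetical; real sudo also resolves paths, aliases and multiple rules, which this model leaves out.

```python
import fnmatch
import shlex

# Constructed from the thread's rule: JSUB_PPRD ALL = (JOBSPPRD) JS_PPRD
RULE = {
    "users": {"fran"},                                     # User_Alias JSUB_PPRD
    "runas": {"pprd"},                                     # Runas_Alias JOBSPPRD
    "cmnd": "/var/cluster/caa/script/somejob start xyz",   # Cmnd_Alias JS_PPRD
}

def cmnd_matches(spec, argv):
    """Apply the sudoers argument rules to a single Cmnd entry."""
    spec_path, _, spec_args = spec.partition(" ")
    if argv[0] != spec_path:
        return False
    if not spec_args:          # no arguments listed: any arguments are accepted
        return True
    if spec_args == '""':      # "" listed: only the bare command is accepted
        return len(argv) == 1
    # arguments listed: the user's arguments must match them (wildcards allowed)
    return fnmatch.fnmatchcase(" ".join(argv[1:]), spec_args)

def parse_sudo(cmdline):
    """Split a 'sudo ...' line into (target user, argv); without -u the target is root."""
    words = shlex.split(cmdline)[1:]
    target = "root"
    if words[:1] == ["-u"] and len(words) > 1:
        target, words = words[1], words[2:]
    return target, words

def allowed(user, cmdline, rule=RULE):
    """True only if user, run-as target and command line all match the rule."""
    target, argv = parse_sudo(cmdline)
    return (user in rule["users"] and target in rule["runas"]
            and bool(argv) and cmnd_matches(rule["cmnd"], argv))

if __name__ == "__main__":
    job = "/var/cluster/caa/script/somejob"
    for line in (f"sudo -u pprd {job} start xyz",    # allowed
                 f"sudo {job} start xyz",            # denied: target is root
                 f"sudo -u pprd {job} start xyz123", # denied: arguments differ
                 f'sudo su - pprd -c "{job} start xyz"'):  # denied: su as root
        print("allow" if allowed("fran", line) else "deny ", line)
```

On a real system, `sudo -l` run as fran lists the rules and run-as targets sudo will actually apply, and `visudo -c` checks the file's syntax before it is used.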
06-18-2008 05:53 AM
Re: sudo allow user to run command as other user
So you can remove the fran user from the UNIX group in User_Alias and add a line to the end:
fran = ALL(OP)