Adding users to sudoers

 
Charles Keyser
Frequent Advisor

Adding users to sudoers

Question about sudoers: if I add the Help Desk to the sudoers file (see below), will this allow them to run the script with root privileges, or do I need to add
/usr/lbin/modprpw -x
as well? Also, I will need them to run commands to cancel print jobs.
Does the sudoers entry give the Help Desk authorization to run this as root?

drt9986 ALL=(ALL) NOPASSWD: ALL
cjk1402 ALL=(OP) NOPASSWD: ALL
jhf1366 ALL=(OP) NOPASSWD: ALL
HelpDesk ALL=(OP) NOPASSWD: ALL

Thanks
CJ
Kenan Erdey
Honored Contributor
Solution

Re: Adding users to sudoers

Hi,

In this configuration you give them full root permission. Instead, just give the command paths you want them to run, like:

drt9986 ALL=(ALL) NOPASSWD: <script_path>, /usr/bin/cancel

Kenan.
Computers have lots of memory but no imagination
Court Campbell
Honored Contributor

Re: Adding users to sudoers

Well, if root is in the OP group then the help desk can run any and all commands as root without a password. So they are basically root.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

Thanks all

Court

If I understand you correctly, this will allow the Help Desk to log on as HelpDesk and execute all commands that are on my Help Desk screen, see below:

HelpDesk ALL=(OP) NOPASSWD: ALL

SCREEN SELECTIONS

1. Display printer status / print jobs.
   a. Enter lpstat -p to view all printers
   b. Enter lpstat -o to view all print requests

2. Cancel a print job.

3. Cancel ALL print jobs for a printer.

4. Unlock and reset user passwords.
   NOTE: A number or a group of letters will show on the screen; write it down and provide this information to the user.

5. Execute the top command to look at the high load average on the servers (monitoring purposes).
   NOTE: Control-C breaks the process and returns to the Main Menu.

6. EXIT this program.
Court Campbell
Honored Contributor

Re: Adding users to sudoers

Yes, but if they can exit out of the menu they can do whatever they want, i.e., sudo rm -fr /*. That is too much power for the help desk. You should only give them access to what they need. I would suggest you look up command aliases, and only allow them what they need. Otherwise it is just security through obscurity.
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

Court

Thanks. I have written the script so they can not break out of it. I will set it up and test it on the servers they need to access. Thanks again 10++++ for you
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

Question on adding the HelpDesk into the sudoers file:

I was testing my script and found that if I enter root or oracle on the line for the password change (see below), it can be changed. How would I enter this in the sudoers file to exclude root and oracle?

4. Unlock and reset user passwords.
   NOTE: A number or a group of letters will show on the screen; write it down and provide this information to the user.
Kenan Erdey
Honored Contributor

Re: Adding users to sudoers

Hi,

Add the commands to exclude:

HelpDesk ALL=(OP) NOPASSWD: ALL, ! /usr/bin/passwd root, !/usr/bin/passwd oracle
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

I have added the line to the sudoers file using visudo.

The Helpdesk logon is set up and the script is in place; when they log on and run the script, it says you must be superuser. Did I miss something when I added the line? Thanks

HelpDesk ALL=(OP) NOPASSWD: ALL, ! /usr/bin/passwd root, !/usr/bin/passwd oracle
Court Campbell
Honored Contributor

Re: Adding users to sudoers

Nothing personal but you might want to read up on the sudoers file.

From: http://www.gratisoft.us/sudo/man/sudoers.html

It is generally not effective to "subtract" commands from ALL using the '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:

bill ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
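The command-alias approach Court and Kenan describe, as an added example that is not from the thread: a small installer that writes an explicit allow-list (no ALL to subtract from, which is the manual's point above) and syntax-checks it with visudo before it goes live. It assumes a sudo that reads /etc/sudoers.d, runs the commands as root rather than the OP group since they need root, and the argument patterns for cancel, passwd and modprpw are mine (the passwd one follows the sudoers manual's own example).

```shell
#!/bin/sh
# Added example, not from the thread: positive allow-list for the HelpDesk account,
# written to a temp file and checked with "visudo -c" before it is installed.
# Assumptions: sudo honours /etc/sudoers.d (otherwise paste the output into visudo);
# command paths come from the thread, the argument patterns are constructed here.

# Print the policy. No "ALL, !cmd": the manual's warning above is that a user can copy
# a binary under another name, so only the commands the menu actually needs are listed.
helpdesk_policy() {
  cat <<'EOF'
# lpstat and top run fine as the HelpDesk user, so they get no sudo entry at all.
Cmnd_Alias HD_PRINT  = /usr/bin/cancel [a-z0-9_-]*
# Exact path plus an argument pattern, then "!" entries for the protected accounts.
# A sudoers "*" also matches spaces, so the menu must pass exactly one argument.
Cmnd_Alias HD_PASSWD = /usr/bin/passwd [a-z]*, !/usr/bin/passwd root, !/usr/bin/passwd oracle
Cmnd_Alias HD_UNLOCK = /usr/lbin/modprpw -x [a-z]*, !/usr/lbin/modprpw -x root, !/usr/lbin/modprpw -x oracle
HelpDesk ALL = (root) NOPASSWD: HD_PRINT, HD_PASSWD, HD_UNLOCK
EOF
}

# Syntax-check, then install. A sudoers file with a typo locks everyone out of sudo,
# which is why visudo matters; "visudo -c -f FILE" checks a file that is not yet live.
install_policy() {
  dest="${1:-/etc/sudoers.d/helpdesk}"
  tmp="$(mktemp)" || return 1
  helpdesk_policy > "$tmp" || { rm -f "$tmp"; return 1; }
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$tmp" || { rm -f "$tmp"; return 1; }
  fi
  chmod 0440 "$tmp" && mv "$tmp" "$dest"
}
```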
Court Campbell
Honored Contributor

Re: Adding users to sudoers

Also, does your script have sudo before the specific commands?
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

Court

Here is the command line, and no, it does not have the sudo:

4) echo "Username to modify \c"; read USER
   # Exact match on the login field ('$1~USER' was a regex substring match, so "ro" would match root)
   TESTUSER=`awk -v USER="${USER}" -F: '$1 == USER { print $1 }' /etc/passwd`
   if test -z "${USER}" -o "${USER}" != "${TESTUSER}"
   then
     echo "${USER} is invalid!"
     echo "Press [ENTER] to continue. \c"
     read NOTHING
   else
     # If the account's password lifetime has expired, this resets the account and re-enables it
     /usr/lbin/modprpw -x ${USER}
     sleep 10
   fi ;;
James R. Ferguson
Acclaimed Contributor

Re: Adding users to sudoers

Hi Charles:

The '/usr/lbin/modprpw' command requires you to be root to execute.

Regards!

...JRF...
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

Thanks. I researched it, modified the script and tested it; it works fine now. I appreciate your input.

CJ
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

I would like to address the script again. Below is the line from the script, and below that is the sudoers line. The script works fine: when I execute the script to change the passwords, that works. However, when I execute it again to reset ags1643, I should not be able to do it, since it is commented in sudoers not to be changed. This is not working; is there something I missed in the sudoers command line to exclude root, oracle and ags1643? Thanks -CJ


echo "Username to modify \c"; read USER
# Exact match on the login field ('$1~USER' was a regex substring match, so "ro" would match root)
TESTUSER=`awk -v USER="${USER}" -F: '$1 == USER { print $1 }' /etc/passwd`
if test -z "${USER}" -o "${USER}" != "${TESTUSER}"
then
  echo "${USER} is invalid!"
  echo "Press [ENTER] to continue. \c"
  read NOTHING
else
  # If the account's password lifetime has expired, this resets the account and re-enables it
  sudo /usr/lbin/modprpw -x ${USER}
  sleep 10
fi


SUDOERS
HelpDesk ALL=(OP) NOPASSWD: ALL, ! /usr/bin/passwd root, !/usr/bin/passwd oracle, !/usr/bin/passwd ags1643

Heironimus
Honored Contributor

Re: Adding users to sudoers

The sudoers entry you pasted only tries to prevent the specific command "/usr/bin/passwd ags1643". The fragment of script you pasted is running /usr/lbin/modprpw, not /usr/bin/passwd.
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

If I understand you correctly, where I use /usr/lbin/modprpw I should replace it with /usr/bin/passwd.

Then the sudoers file should be fine?

Correct?

One other question: I want to trap the Ctrl-C.
In my script I have trap ' ' INT; however, when I do a Ctrl-C (and I am still testing my script), or when I select number 6 on my script (see below), I am taken to a $ prompt. I am trying to avoid any breakouts in the script that would put me at a prompt. Thanks -CJ

6*|[Qq]|bye|[Ee] ) print "Quitting! See You Later, $(whoami)" ; exit ;;   # [Qq] matches q or Q; the original "Qq" only matched the literal string Qq
James R. Ferguson
Acclaimed Contributor

Re: Adding users to sudoers

Hi Charles:

Trapping the Control-C as you showed is fine, but this isn't going to prevent your script (upon 'exit') from returning you to a shell prompt, *or*, for that matter, a smart user from using a piped 'more' to enter a shell.

You can either 'exec' your script from a login profile --- which means that your environment becomes your script and when you exit that, you are logged off;

OR:

You can replace the definition of the account's "shell" in '/etc/passwd' with the full path of your script.

Either solution above means that an 'exit' terminates your script AND the user's login session, AND that the user cannot enter a shell.

Regards!

...JRF...
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

Thanks, that worked great. I am not able to break out; my peers are testing the script also.

Your thoughts on the sudoers file, last thread

Thanks

-CJ
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

Sudo question, last comment

The sudoers entry you pasted only tries to prevent the specific command "/usr/bin/passwd ags1643". The fragment of script you pasted is running /usr/lbin/modprpw, not /usr/bin/passwd.

I have changed the sudoers file (see below).
However, when I run my script I am still able to change the password. Any suggestions?
Below is the script line.

HelpDesk ALL=(OP) NOPASSWD: ALL, ! /usr/bin/passwd root, !/usr/bin/passwd oracle, !/usr/bin/passwd ajh1809


Script line
sudo passwd ${USER}


Thanks

-CJ
Heironimus
Honored Contributor

Re: Adding users to sudoers

First suggestion is to use "which passwd" and ls to make sure you're running the passwd command that you think you're running.

You shouldn't rely on .profile or /etc/profile for security because you can often get a shell without reading them. If you're using ssh (which everybody should be by now) it's usually as simple as "ssh -t server /sbin/sh" - no .profile or /etc/profile because it's not a login shell.

You should have as many experienced admins as you can find review your final setup. I've heard claims about secure scripts and restricted accounts often enough, and they have rarely held up under further scrutiny.
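The login-shell approach JRF describes, with the ssh -t caveat just above, as an added example that is not the poster's script: a menu meant to be set as the HelpDesk account's shell in /etc/passwd, with an exact-match user check instead of the awk regex match and a refusal of the protected accounts. PASSWD_FILE, PROTECTED and the script name helpdesk_menu are assumptions made for this example; it assumes sudoers allows only the commands used here.

```shell
#!/bin/sh
# Added example, not the poster's script: a menu intended to be the HelpDesk account's
# login shell (the /etc/passwd approach above), so "exit" ends the session instead of
# dropping to a prompt. Assumptions: sudoers allows only the commands used here;
# PASSWD_FILE and PROTECTED are knobs added for this example.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
PROTECTED="${PROTECTED:-root oracle}"

# Ignore interrupt/quit/suspend; there is no shell to fall back to anyway.
trap '' INT QUIT TSTP

# 0 if the name is a real, unprotected login; 1 otherwise. Whole-field match: the
# thread's '$1~USER' is a regex substring match ("ro" matches root, "" matches all).
is_allowed_target() {
  u="$1"
  case "$u" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac   # one clean word only
  for p in $PROTECTED; do [ "$u" = "$p" ] && return 1; done
  awk -F: -v u="$u" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

reset_password() {
  printf 'Username to modify: '; read -r u
  if is_allowed_target "$u"; then
    # sudo goes on the privileged command itself, not on the script
    sudo /usr/lbin/modprpw -x "$u" && sudo /usr/bin/passwd "$u"
  else
    echo "$u is invalid or protected."
  fi
}

menu() {
  while :; do
    printf '\n1) printers  2) cancel job  4) unlock/reset password  5) top  6) exit\n> '
    read -r choice || exit 0                # Ctrl-D ends the session too
    case "$choice" in
      1) lpstat -p; lpstat -o ;;            # no root needed, so no sudo
      2) printf 'Request id: '; read -r id; sudo /usr/bin/cancel "$id" ;;
      4) reset_password ;;
      5) top ;;
      6|[Qq]|bye) exit 0 ;;                 # [Qq] matches q or Q, unlike the literal "Qq"
      *) echo "Unknown selection" ;;
    esac
  done
}

# As a login shell, "ssh -t host /sbin/sh" would run us as "$0 -c /sbin/sh" (the bypass
# noted above); refusing any argument closes that path. Guarded so the file can be tested.
case "$0" in *helpdesk_menu*) [ $# -eq 0 ] || { echo "Menu only."; exit 1; }; menu ;; esac
```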
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

This is a Help Desk script; the Help Desk has a login that goes directly to the menu selection screen, where option 4 is the one to reset the password. I am trying to set the sudoers entry for the Help Desk so it cannot change the password for root, oracle and the one user mentioned. All my peers are in agreement that the script is a secure script; none of them can break out of it to a prompt. I am just trying to set the correct syntax in the sudoers file to exclude/prevent them from changing these passwords.

Thanks
Charles Keyser
Frequent Advisor

Re: Adding users to sudoers

Information provided by everyone has allowed me to resolve the questions asked. The script is working as I wanted.