Operating System - HP-UX

Re: Assigning Administrative access to non-root users.

 
Devender Khatana
Honored Contributor

Assigning Administrative access to non-root users.

Hi,

We have a system monitoring issue and we have been asked to allow our DBAs, with their non-root IDs, to view critical system messages, e.g. dmesg, vxdmpadm, cmviewcl etc.

We have completed the rest except for dmesg and vxdmpadm (only the viewing part). Is there any way of achieving this, or is it not possible?

Regards,
Devender
Impossible itself mentions "I m possible"
10 REPLIES 10
Jannik
Honored Contributor

Re: Assigning Administrative access to non-root users.

Have a look at sudo, and give permissions to the commands that you like.

or just

user ALL = (ALL) ALL

The output from the commands should come into syslog, or you could make changes to /etc/syslog:
local2.debug	/var/log/sudo.log

Remember the TAB; SPACES don't work.
jaton
Devender Khatana
Honored Contributor

Re: Assigning Administrative access to non-root users.

Hi Jannik,

I am unable to understand from your post what exactly I need to do. Can you clearly mention the steps required to accomplish this?

Regards,
Devender
Impossible itself mentions "I m possible"
Jannik
Honored Contributor

Re: Assigning Administrative access to non-root users.

OK, sorry.
You need to install sudo:
http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111
After the installation you have two files you need to look at:
/usr/local/sbin/visudo (executable)
Run it:
If you have a user dev (that could be you), add it after the user root as follows:
dev ALL = (ALL) NOPASSWD: ALL
Save and close!
Log in as your own user and do the following:
/usr/local/bin/sudo

ex:
sudo vi passwd
sudo dmesg
sudo su -

You can do it all; in effect you are root without the root passwd. Of course you could change the root passwd by typing sudo passwd root, but that is why you should put restrictions on the users that are NOT you.

:-)
jaton
Devender Khatana
Honored Contributor

Re: Assigning Administrative access to non-root users.

Hi Jannik,

Installed the product at the default path /opt/iexpress/sudo and tried to find the executable visudo, but bad luck. Rather, it has got an executable sudoedit at path /opt/iexpress/sudo/bin. On executing, it throws

usage: sudoedit [-HPSb] [-p prompt] [-u username|#uid] file [...]

I do not know anything about the syntax as there are no man pages available. Even then anyhow I edited the file by assuming parameters from given syntax and defining file path /etc/sudofile and put required entries there. But now when I try to execute required commands through Sudo it displays
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:

Sudo version is A.04.00-1.6.8p4. HP-UX is 11i.
Another thing is that I want to give access to only two commands to only one user.
Please advise.

Regards,
Devender
Impossible itself mentions "I m possible"
Jannik
Honored Contributor

Re: Assigning Administrative access to non-root users.

Aahhh... it's another version than the one I normally use.
Let's say you did the changes with ALL on dev; you should type the password for dev, and that will work.

This page will give you some info:
http://www.courtesan.com/sudo/man/sudoers.html

Yours would look something like this (if the servername is server):
dba server = (root) /path/to/dmesg, /path/to/vxdmpadm, /path/to/cmviewcl etc.

Hope it helps!
jaton
Jannik
Honored Contributor

Re: Assigning Administrative access to non-root users.

You need to run the command visudo; this will let you edit the sudoers file. This link will explain:
http://sudo.rtin.bz/sudo/sudo.html

jaton
Jannik
Honored Contributor

Re: Assigning Administrative access to non-root users.

I have just done a test installation and visudo is at:
/opt/iexpress/sudo/sbin/visudo

run this and add this after root:
dev ALL=(ALL) NOPASSWD: ALL

the sudo command is at:
/opt/iexpress/sudo/bin/sudo

good luck!
jaton
Tom Henning
Trusted Contributor

Re: Assigning Administrative access to non-root users.

To give just a single user two commands to execute, something like this should be placed into the sudoers file (with visudo).

Cmnd_Alias MONITOR = /usr/bin/dmesg, /usr/sbin/vxdmpadm

This line defines a set of commands referred to as MONITOR that can be used later.

# User specification
dev ALL = MONITOR

# This line allows the user dev to execute the commands given in the MONITOR definition above on all systems defined by this sudo file. It will require the user's password to be provided before the user can execute the command.

The above lines are from my version of sudo.

I hope this helps a little.

What is it that possesses otherwise sane individuals to change something just because it has not been changed in a while?
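Added example, not part of any post in this thread: a small POSIX sh/awk audit that reads sudoers entries like the ones quoted above and reports grants broader than a fixed command list. The sample file is constructed, the user ops is hypothetical, and the script does not handle line continuations, #include files, or User/Host/Runas aliases.

```shell
#!/bin/sh
# Added example: audit sudoers user specifications for over-broad grants.

audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
    /^[ \t]*(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }
    /^[ \t]*Cmnd_Alias[ \t]/ {                         # Cmnd_Alias NAME = a, b
        def = $0
        sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", def)
        name = def; sub(/[ \t]*=.*$/, "", name)
        sub(/^[^=]*=[ \t]*/, "", def)
        alias[name] = def
        next
    }
    $1 != "root" {                                     # user host = (runas) cmds
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)                 # drop "user host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)              # drop "(runas)"
        if (spec ~ /NOPASSWD:/)
            print NR ": " $1 ": MEDIUM no password required"
        gsub(/(NOPASSWD|PASSWD):[ \t]*/, "", spec)
        n = split(spec, item, /[ \t]*,[ \t]*/)
        all = ""
        for (i = 1; i <= n; i++)                       # expand Cmnd_Alias names
            all = all (i > 1 ? "," : "") ((item[i] in alias) ? alias[item[i]] : item[i])
        m = split(all, cmd, /[ \t]*,[ \t]*/)
        for (j = 1; j <= m; j++) {
            c = cmd[j]; sub(/[ \t]+$/, "", c)
            if (c == "ALL")
                print NR ": " $1 ": HIGH may run ALL commands"
            else if (c !~ /[ \t]/)                     # bare path: any args match
                print NR ": " $1 ": INFO " c " accepts any arguments"
        }
    }' "$@"
}

sample_sudoers() {   # constructed sample; the user ops is hypothetical
    cat <<'EOF'
# entries modelled on the ones quoted in this thread
root ALL = (ALL) ALL
dev ALL = (ALL) NOPASSWD: ALL
Cmnd_Alias MONITOR = /usr/bin/dmesg, /usr/sbin/vxdmpadm
dba ALL = MONITOR
ops ALL = /usr/sbin/vxdmpadm listctlr all
EOF
}

sample_sudoers | audit_sudoers
```

A command listed in sudoers without arguments may be run with any arguments, so the MONITOR alias permits every vxdmpadm operation, not only the viewing ones. Spelling out the permitted arguments, as in the ops line, narrows the grant to that one invocation.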
doug mielke
Respected Contributor

Re: Assigning Administrative access to non-root users.

how about

chmod 4555 /sbin/dmesg

then anyone can run /sbin/dmesg