
Help on sudo!!

 
ricky2
Frequent Advisor

Help on sudo!!

Hi,

I want to give some users a restricted sudo privilege in order to support their application.
I have added this in the sudoers file as below.
==================================
# User alias specification
User_Alias SMVGG=tina

# User privilege specification
SMVGG ALL=/opt/SM/script/smshut all,\
/opt/SM/bin/smstat,\
=====================================
And when I log in as user tina and use sudo su -
it doesn't give the sudo access and gives the error
Sorry, user tina is not allowed to execute '/usr/bin/su -' as root on smvgs09.

Could you please help me out on this?

Thanks in Advance,
Ricky
12 REPLIES
Ivan Krastev
Honored Contributor

Re: Help on sudo!!

Try with spaces:

User_Alias SMVGG = tina


regards,
ivan
ricky2
Frequent Advisor

Re: Help on sudo!!

Hi Ivan,
I had tried this earlier but it did not work.
Thanks,
Ricky
Peter Godron
Honored Contributor
ricky2
Frequent Advisor

Re: Help on sudo!!

Peter,
Thanks for that...but that could not help me out.
rgds,
ricky
Ivan Krastev
Honored Contributor

Re: Help on sudo!!

Oops, you use "user tina and use sudo su -" but you configured only smshut and smstat.


regards,
ivan
OldSchool
Honored Contributor

Re: Help on sudo!!

Ricky,

I think the issue may be here:

# User privilege specification
SMVGG ALL=/opt/SM/script/smshut all,\
/opt/SM/bin/smstat,\

I don't think it's going to like the blank space between "smshut" and "all". I've never tried it the way you appear to have it set up.

I don't think you can restrict the user to a specific option of a program, either they can run the program or not. *BUT* I could be wrong there
George Liu_4
Trusted Contributor

Re: Help on sudo!!

make it simple,

add this line in the sudoers

tina ALL="/usr/bin/su -"
Bill Hassell
Honored Contributor

Re: Help on sudo!!

The line:

> tina ALL="/usr/bin/su -"

is not very useful. su - bypasses sudo's ability to log and contain individual commands. By allowing su -, the user can do anything to the system. You might as well skip sudo and just give the user tina the root password. After all, once tina runs su -, the user can change the root password, remove or reformat active disks, or simply become a member of the rm -r * club. Enumerate the commands you are allowing, including where necessary the allowed parameters. And make sure the scripts tina can execute don't have su - or other privilege elevation commands.


Bill Hassell, sysadmin
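
An added example, not part of the original thread or any poster's code: a Python audit of sudoers text that applies the advice above, flagging rules that amount to a root shell and showing which commands have their arguments pinned. The `ROOT_SHELL` list and the sample rules are constructed for illustration; the parser assumes one host token per rule and no escaped commas in arguments.

```python
import re

# Commands that yield an unrestricted root shell (illustrative list, an assumption).
ROOT_SHELL = {"ALL", "su", "sh", "ksh", "csh", "bash"}

# Constructed sample built from the entries quoted in this thread.
SAMPLE = r"""
User_Alias SMVGG = tina
SMVGG ALL = /opt/SM/script/smshut all, \
            /opt/SM/bin/smstat
tina ALL = "/usr/bin/su -"
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    lines = (l.split("#", 1)[0].strip() for l in re.sub(r"\\\n", " ", text).splitlines())
    return [l for l in lines if l]

def audit(text):
    """Return (user, command, verdict) per rule; assumes one host token per rule."""
    aliases, findings = {}, []
    for line in logical_lines(text):
        alias = re.match(r"User_Alias\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            aliases[alias.group(1)] = [u.strip() for u in alias.group(2).split(",")]
            continue
        rule = re.match(r"(\S+)\s+(\S+?)\s*=\s*(.+)", line)
        if not rule or re.match(r"Defaults|\w+_Alias\b", line):
            continue
        who, _host, cmds = rule.groups()
        for cmd in cmds.split(","):
            # Drop an optional "(runas)" prefix and tags such as "NOPASSWD:".
            cmd = re.sub(r"^(\([^)]*\)\s*)?(\w+:\s*)*", "", cmd.strip())
            cmd = cmd[1:-1] if cmd[:1] == cmd[-1:] == '"' else cmd
            argv = cmd.split()
            if not argv:
                continue
            if argv[0].rsplit("/", 1)[-1] in ROOT_SHELL:
                verdict = "root-shell"   # same as handing out the root password
            elif len(argv) > 1:
                verdict = "args-pinned"  # sudo only accepts the listed arguments
            else:
                verdict = "any-args"     # nothing listed: any arguments are accepted
            findings.extend((u, cmd, verdict) for u in aliases.get(who, [who]))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On a live host, `visudo -c` checks the file's syntax and `sudo -l` run as the user lists what that user may actually execute.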
ricky2
Frequent Advisor

Re: Help on sudo!!

Hi George,
I have added the /usr/bin/su - and I am able to do sudo su - but this is giving the complete root access to the user tina and I want to provide some restricted access.
ricky2
Frequent Advisor

Re: Help on sudo!!

Hi Bill,

Thanks and I completely agree with you.
I should not add /opt/bin/su -.
I have specified the commands for the user to execute but they are not executing.
George Liu_4
Trusted Contributor

Re: Help on sudo!!

There is really no reason to allow a user to do "su -", but just to answer your technical question: if you want to limit a user to doing a specific thing, just put

ALL=/path/to/command

ricky2
Frequent Advisor

Re: Help on sudo!!

Found the solution... added some env settings on the user profile related to the application, and it is finally working now.