Operating System - HP-UX
Debbie Beresford
Frequent Advisor

Reading root mail using sudo

We have set up sudo to allow our operators to access root functions without needing the root password. In the sudoers file, we have set up a User_Alias of OPERUSER. Under User privilege specification is the following:
OPERUSER ALL=(ALL) NOPASSWD: ALL

Most functions are available to the operators but they cannot check to see if root has any mail. It appears when "mail" is entered, it shows the information for the original user. Logging on as root does show there is mail.

Any suggestions on how to correct this?
Mark Grant
Honored Contributor

Re: Reading root mail using sudo

I have never used sudo but would guess from this that sudo only gives you the effective user id of 0 (EUID) and that mail does its checks using the real user id (UID). If there is no configuration option within sudo to use the real user id you could change the command to "su - root -c mail". I imagine this should give the user the real uid of 0 and then read the mail.
Never precede any demonstration with anything more predictive than "watch this"
Debbie Beresford
Frequent Advisor

Re: Reading root mail using sudo

This does work. I am a novice so I need to look into sudo further to see if the options you suggest are available. I also needed the root password to make this work. Is there a way around this?
Marvin Strong
Honored Contributor

Re: Reading root mail using sudo

If I am interpreting the setup correctly

They should be able to "sudo su - root"
then type "mail"

or "sudo su - root -c mail"

Either of those should work. And they should not need the passwd; if sudo prompts for a passwd they can use the operuser passwd they have, they do not need root's passwd.


Cesare Salvioni
Trusted Contributor

Re: Reading root mail using sudo

The problem is that the elm and mail commands use the environment variables LOGNAME and MAIL to decide the mailbox to use.
If you run the command su root the environment is not changed, while if you run the command su - root the environment is exactly the same as logging in as root.
Try to run the sudo command with a script like

#!/usr/bin/sh
# mail and elm pick the mailbox from LOGNAME and MAIL, so point both at root
export LOGNAME=root
export MAIL=/var/mail/root
mail

it should use the root mailbox
Bye Cesare
Paul F. Carlson
Valued Contributor

Re: Reading root mail using sudo

I want to make sure you realize you've given your operators the keys to the kingdom. They can type in "sudo su -" and get a root shell, and reboot the box or whatever else they want. On top of this, you are allowing this to happen without any password.

If you want them to only have privileges to run certain commands, it's better to specify each command they have access to in your sudoers file.
Link down -- cable problem?
Sanjay_6
Honored Contributor

Re: Reading root mail using sudo

Hi,

Once your operator has done sudo to root, let them do a su - root and when they get the root prompt, they should be able to read the root mail.

Hope this helps.

Regds
Scott J. Showalter
Frequent Advisor

Re: Reading root mail using sudo

In addition to what Paul said, you should realize that there are TONS of commands that you could put in the sudoers file that could give the user "FULL ROOT" access.

sudo, if not configured right, is just as bad as giving them the root password. You give me sudo access to your system, and unless you know all the holes, I bet I could get a root shell pretty easy.
In a world without fences, who needs Gates?
Robert True
Frequent Advisor

Re: Reading root mail using sudo

Tested this on 11.0, sudo 1.6.7p5:

Add a Cmnd_Alias like:

Cmnd_Alias ROOTMAIL=/bin/mail -f /var/mail/root

(Sorry, tab / space formatting is lost)

Then add ROOTMAIL to your user privilege section. Keep in mind /bin/mail has a shell escape, so it is not secure.

However if your OPERUSER entry is for real, you are not secure anyway. I really do not like that entry.

I don't believe in granting more privilege than necessary. That's the one drawback to sudo: If you want it secure, it is a hassle to admin!
Robert True
Frequent Advisor

Re: Reading root mail using sudo

Oops, forgot to add:

User must enter the command exactly like the Cmnd_Alias, IE:

'sudo /bin/mail -f /var/mail/root'

Rt.
Debbie Beresford
Frequent Advisor

Re: Reading root mail using sudo

Thanks for all of your help. Also, we will now be reviewing the use of sudo!