Operating System - HP-UX

Re: sudo and pam issue with Oracle agent

 
Ben Dehner
Trusted Contributor

sudo and pam issue with Oracle agent

Not sure what the right forum for this one is.

I am running an Oracle Enterprise Manager agent on my HP-UX 11.23/PA-RISC system. I'm trying to configure this agent to use 'sudo' to run privileged operations. I've got sudo (1.7.1) installed, and it seems to work fine. I can run it from a command line and it works as I expect. However, when I try to run it indirectly using the EM infrastructure, it fails. If I enable pam debug, I see the following appearing in the syslog:

May 14 12:05:37 valimfg2 sudo: emagent : TTY=unknown ; PWD=/apps/oracle/product/agent10g/sysman/emd ; USER=oracle ; COMMAND=/apps/oracle/product/agent10g/bin/nmosudo core jobsystem jobtype jobname /apps/oracle/product/agent10g/perl/bin/perl - emagent
May 14 12:05:37 valimfg2 PAM: pam_start(sudo oracle)
May 14 12:05:37 valimfg2 PAM: pam_set_item(1)
May 14 12:05:37 valimfg2 PAM: pam_set_item(2)
May 14 12:05:37 valimfg2 PAM: pam_set_item(5)
May 14 12:05:37 valimfg2 PAM: pam_set_item(3)
May 14 12:05:37 valimfg2 PAM: pam_set_item(8)
May 14 12:05:37 valimfg2 PAM: pam_set_item(4)
May 14 12:05:37 valimfg2 PAM: pam_setcred()
May 14 12:05:37 valimfg2 PAM: pam_set_item(2)
May 14 12:05:37 valimfg2 PAM: load_modules: /usr/lib/security/libpam_unix.so.1
May 14 12:05:37 valimfg2 PAM: load_function: successful load of pam_sm_setcred
May 14 12:05:37 valimfg2 PAM: pam_open_session()
May 14 12:05:37 valimfg2 PAM: load_function: successful load of pam_sm_open_session
May 14 12:05:37 valimfg2 PAM: pam_get_username(ux)
May 14 12:05:37 valimfg2 PAM: pam_mapping_in_use()
May 14 12:05:37 valimfg2 PAM: load_modules: /usr/lib/security/libpam_unix.so.1
May 14 12:05:37 valimfg2 PAM: pam_open_session: error General Commercial Security error
May 14 12:05:37 valimfg2 PAM: pam_end(): status = General Commercial Security error

What I think is happening is that the emagent process, a background process that doesn't have a TTY associated with it, is trying to spawn the 'sudo' command. Because there is no tty, the PAM authentication is failing with the 'general error'. Does this appear correct, and is there any way to fix this? For now, I see the options as either not using sudo or re-compiling sudo to not use PAM.

Any help would be appreciated.
Trust me, I know what I'm doing
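
A way to check the no-TTY hypothesis in the post above against a longer syslog capture, added here as an example and not part of the original thread: it pairs each sudo log entry with the PAM debug lines that follow it and reports which PAM phase failed and which module was loaded last. The sample input is a shortened, constructed copy of the excerpt above; the function names are hypothetical, and the parser assumes the PAM lines of one sudo call are not interleaved with another's.

```python
import re

# Constructed sample: a shortened copy of the syslog excerpt in the post above.
SAMPLE = """\
May 14 12:05:37 valimfg2 sudo: emagent : TTY=unknown ; PWD=/apps/oracle/product/agent10g/sysman/emd ; USER=oracle ; COMMAND=/apps/oracle/product/agent10g/bin/nmosudo core jobsystem
May 14 12:05:37 valimfg2 PAM: pam_start(sudo oracle)
May 14 12:05:37 valimfg2 PAM: pam_setcred()
May 14 12:05:37 valimfg2 PAM: load_modules: /usr/lib/security/libpam_unix.so.1
May 14 12:05:37 valimfg2 PAM: pam_open_session()
May 14 12:05:37 valimfg2 PAM: load_modules: /usr/lib/security/libpam_unix.so.1
May 14 12:05:37 valimfg2 PAM: pam_open_session: error General Commercial Security error
May 14 12:05:37 valimfg2 PAM: pam_end(): status = General Commercial Security error
"""

SUDO_RE = re.compile(r" sudo:\s+(\S+) : TTY=(\S+) ; PWD=\S+ ; USER=(\S+) ; COMMAND=(\S+)")
START_RE = re.compile(r" PAM: pam_start\((\S+) (\S+)\)")
MODULE_RE = re.compile(r" PAM: load_modules: (\S+)")
ERROR_RE = re.compile(r" PAM: (pam_\w+): error (.+)$")
END_RE = re.compile(r" PAM: pam_end\(\)")

def triage(log_text):
    """Pair each sudo log entry with the PAM debug transaction that follows it."""
    results, cur = [], None
    for line in log_text.splitlines():
        if m := SUDO_RE.search(line):
            cur = {"invoker": m[1], "tty": m[2], "runas": m[3], "command": m[4],
                   "pam_service": None, "last_module": None,
                   "failed_phase": None, "error": None}
            results.append(cur)
        elif cur is None:
            continue                      # PAM line with no preceding sudo entry
        elif m := START_RE.search(line):
            cur["pam_service"] = m[1]
        elif m := MODULE_RE.search(line):
            cur["last_module"] = m[1]     # module loaded most recently before any error
        elif m := ERROR_RE.search(line):
            cur["failed_phase"], cur["error"] = m[1], m[2]
        elif END_RE.search(line):
            cur = None                    # transaction closed; wait for the next sudo entry
    return results

def no_tty_session_failures(results):
    """Entries where sudo had no terminal and the PAM session phase failed."""
    return [r for r in results
            if r["tty"] == "unknown" and r["failed_phase"] == "pam_open_session"]

if __name__ == "__main__":
    for r in no_tty_session_failures(triage(SAMPLE)):
        print(r)
```

Running the same triage over a capture that also contains the working SSH-login case shows whether the session failure tracks TTY=unknown or appears with a terminal as well.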
9 REPLIES 9
Mel Burslan
Honored Contributor

Re: sudo and pam issue with Oracle agent

Recompiling sudo just to prevent usage of PAM is kind of a drastic approach in my opinion. Did you try modifying this line as follows

UsePAM no

in your /opt/ssh/etc/sshd_config file ?
________________________________
UNIX because I majored in cryptology...
Ben Dehner
Trusted Contributor

Re: sudo and pam issue with Oracle agent

Nope, because nothing is making an SSH connection. There is a background process already running on the machine used to spawn the sudo process.
Trust me, I know what I'm doing
Court Campbell
Honored Contributor

Re: sudo and pam issue with Oracle agent

Check your sudoers file for this line:

Defaults requiretty

If you find it, comment it out.

Also, who does the process run as? Check and make sure that you set up the correct userid in the sudoers file.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Ben Dehner
Trusted Contributor

Re: sudo and pam issue with Oracle agent

The 'requiretty' field is not there, and the man pages tell me it defaults to 'off'. I added '!requiretty' anyway, but to no avail.

Note that if I log in via SSH, execution via sudo works fine.
Trust me, I know what I'm doing
Court Campbell
Honored Contributor

Re: sudo and pam issue with Oracle agent

Again. Is the account emsagent set up to use sudo?
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Ben Dehner
Trusted Contributor

Re: sudo and pam issue with Oracle agent

Yes, the account 'emagent' is set up to use sudo. If I ssh to the system and log on as emagent, sudo works fine.

To me, the syslog error indicates a PAM problem and not a sudo problem. Sudo is fairly good about logging configuration errors. I'm still fixated on the TTY aspect; I think that sudo can deal with no TTY (requiretty disabled), but I don't think PAM can deal with sudo dealing with no TTY.
Trust me, I know what I'm doing
Court Campbell
Honored Contributor

Re: sudo and pam issue with Oracle agent

I need to understand what your process is doing. It looks like emsagent runs nmosudo as oracle. But then I see "sudo oracle" in the PAM output. What is nmosudo doing?
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Ben Dehner
Trusted Contributor

Re: sudo and pam issue with Oracle agent

nmosudo is an Oracle-provided wrapper program for their privilege delegation. I don't have a lot more detail on what it really does.
Trust me, I know what I'm doing
VK2COT
Honored Contributor

Re: sudo and pam issue with Oracle agent

Hello,

What are the contents of sudoers file?

And did you follow the procedure similar to the following:

http://download.oracle.com/docs/cd/B16240_01/doc/install.102/e13059/dcapi.htm

I also think you might need to take a look at nmosudo.props file.

Cheers,

VK2COT


VK2COT - Dusan Baljevic