HPE Community
Operating System - HP-UX
1846620 Members
1804 Online
110256 Solutions
New Discussion

Re: SUDO ERRORS

 
SOLVED
Go to solution
oprakash
Frequent Advisor

‎07-19-2009 08:27 PM

‎07-19-2009 08:27 PM

SUDO ERRORS

Hi,

I have successfully installed sudo package and its working fine. I am having a few concerns in that
1. /var/adm/sudolog.log file i am not able to view any content in this file. What could be the purpose of this file.
2. sudo user can able to enter as root, if they type like $ sudo /usr/bin/sh.

Can any one suggest me for the above mentioned.
0 Kudos
7 REPLIES 7
Ivan Krastev
Honored Contributor

‎07-19-2009 08:52 PM

‎07-19-2009 08:52 PM

Re: SUDO ERRORS

Hello,

1. In sudolog.log file sudo stores the used commands from users - for example $sudo sh from user1

Check permissions of this file and sudoers conf for any other logging features enabled (or disabled).

2. Check what is used in sudoers file for user access - give more information how the user access is granted.

regards,
ivan
0 Kudos
oprakash
Frequent Advisor

‎07-19-2009 09:38 PM

‎07-19-2009 09:38 PM

Re: SUDO ERRORS

Hi,

File permission for sudolog.log
-rw-r----- 1 root sys 0 Jul 18 11:10 sudolog.log

Sudoers:

# Host alias specification

# User alias specification
User_Alias SERVERADMIN = oprakash

# Cmnd alias specification
Cmnd_Alias CHMOD = /usr/bin/chmod
Cmnd_Alias CHOWN = /usr/bin/chown
Cmnd_Alias SAM = /usr/sbin/sam
# Defaults specification

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
# SERVERADMIN
SERVERADMIN ALL=NOPASSWD:ALL
0 Kudos
Roopesh Francis_1
Trusted Contributor

‎07-19-2009 10:55 PM

‎07-19-2009 10:55 PM

Re: SUDO ERRORS

Oprakash,

Can you please check this link.I hope its have all the information which you need.
http://www.sudo.ws/sudo/man/sudoers.html

Thanks
0 Kudos
ManojK_1
Valued Contributor

‎07-20-2009 10:33 PM

‎07-20-2009 10:33 PM

Solution

Re: SUDO ERRORS

Hi,

Can you put the following lines in the /etc/sudoers file.

#
Defaults logfile=/var/adm/sudo.log

This might solve your issue.

In our server the permission of /var/adm/sudo.log is 600

Thanks and Regards,
Manoj K
Thanks and Regards,
Manoj K
0 Kudos
Suraj K Sankari
Honored Contributor

‎07-20-2009 10:40 PM

‎07-20-2009 10:40 PM

Re: SUDO ERRORS

Hi,

To configure sudo see the below link

http://www.sudo.ws/sudo/man/sudoers.html

Suraj
0 Kudos
Bill Hassell
Honored Contributor

‎07-21-2009 09:02 AM

‎07-21-2009 09:02 AM

Re: SUDO ERRORS

> What could be the purpose of this file.

This is a log of the sudo events and cannot be allowed to be seen by ordinary users. The same is true of the sudoers file. Both contain information about users and their privileges.

> sudo /usr/bin/sh

Apparently the sudoers files has been badly configured. sudo is a very capable program but you can destroy its usefulness with lines like this:

billh ALL = NOPASSWD: ALL, (ALL)

This is the worst possible configuration in that user billh can do anything on any computer that runs sudo. You might as well remove the root password.

The proper way to configure sudo is to assign specific commands, one at a time
after each command is evaluated as to whether it is appropriate:

billh ALL = NOPASSWD: /usr/sbin/swapinfo

Now billh can run the swapinfo command as root. Since swapinfo doesn't change anything, this is a safe command to add.

But do not give users vi capability!!! Not only can the user edit (also means to trash) any file in the system, but anyone can type the :!sh string and get a shell prompt with unlimited capability. To use vi with sudo, you must specify the allowable files:

billh ALL = /usr/bin/vi /etc/ntp.conf, /usr/bin/vi /etc/motd

Good security means: take away every capability, then add one based on the user's role. An operator that runs the spooler can have access to lp commands, even /usr/bin/view, but never vi. The fullpath (/usr/bin) in a secured directory prevents a user from creating a dummy program called view which might be a script that runs vi.


Bill Hassell, sysadmin
0 Kudos
oprakash
Frequent Advisor

‎07-21-2009 08:22 PM

‎07-21-2009 08:22 PM

Re: SUDO ERRORS

Hi,

Thanks for your kind support, i got a perfect solution.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.