Operating System - HP-UX
Re: sudo for user administration

 
Jeff_Traigle
Honored Contributor

sudo for user administration

I'm toying with a sudo configuration that will allow user administration commands to be run by a particular user. (I'm still pretty new to this utility.) I have the following as a work-in-progress towards securing it as best as possible:

Cmnd_Alias USERADMINCMDS = /usr/sbin/useradd, \
!/usr/sbin/useradd -o, \
/usr/sbin/userdel, \
!/usr/sbin/userdel root, \
/usr/sbin/usermod, \
!/usr/sbin/usermod root, \
/usr/bin/passwd, \
!/usr/bin/passwd root

I'm basically trying to protect the system accounts from being manipulated (and, in the case of userdel, potentially having system files deleted). As written, I know it only covers root, but it's a start. I'm not really sure the ! entries will behave the way I'd like though.

useradd... I don't want duplicate UIDs created so that should avoid duplicate root users from being created, for instance.

usermod... I don't want any modifications to system accounts, regardless of flags given.

userdel... I don't want any deletions of system accounts, regardless of flags given.

passwd... I don't want any password changes made to system accounts, regardless of flags given.

Should what I have do what I'd like, or are there some more wildcard entries that I'd need to investigate to get the desired result? Anyone actually implemented a locked-down config for this purpose they'd care to share?
--
Jeff Traigle
Sundar_7
Honored Contributor

Re: sudo for user administration

Why complicate things when you have a better way to achieve the same result?

How about using restricted SAM?

sam -r

and enable the Accounts and security group for the user.
Learn What to do, How to do and more importantly When to do?
Jeff_Traigle
Honored Contributor

Re: sudo for user administration

Since there are application accounts associated with the UNIX accounts, restricted SAM didn't cross my mind. I'm not sure how well that would work into the plan and environment here. I see that it has the system account protections I want, but don't see offhand how hooking the application user account script into it would work... or what would be required to deploy to multiple servers. I'd have to look into that more to see if it's feasible.
--
Jeff Traigle
Sundar_7
Honored Contributor

Re: sudo for user administration

Hooking up the application user account script can easily be done in SAM.

Click on Accounts for users and groups => users => Actions => Task customization.

Here you can define scripts for SAM to execute before or after creating/removing the user accounts.
Learn What to do, How to do and more importantly When to do?
Jeff_Traigle
Honored Contributor

Re: sudo for user administration

In looking online some more, I don't think sudo can actually be configured to do what I want anyway since there's no good way to exclude all permutations of flags on a command line you want to keep the user from running.

In looking at restricted SAM some more, I have a few concerns/questions:

1. There's no Task Customization menu option under Actions on either the 11.00 systems at work or on my C200 running 11i at home. I know this is a feature that's been around since at least 10.20. Is there some additional bundle beyond what comes standard for SAM that must be installed to make this available for the restricted SAM builder?

2. Even under restricted SAM, it looks like the user admin can create and select templates other than the one I'd want to enforce. Not exactly a desirable situation either.

3. Minor issue, but an annoyance that probably won't be acceptable from the customer's perspective... we set TERM to a weird value here that SAM doesn't understand, forcing the person to type in vt100 or things get displayed weird with the default hp setting.

Basically, this is supposed to be as simple from the user admin's perspective as possible without allowing him/her to stray from the standards in place and I'm not seeing that simplicity in SAM. Enter a user name and full name and it's done (as far as the UNIX side goes... the application account side has some permission stuff to set, but that's not my concern).

I'm beginning to think the only way to get what I want is to crack open the perl books and write something to fit the specific needs. One advantage to that is that it would be portable to other UNIX platforms so I could keep it in my bag of tricks for future use.
--
Jeff Traigle
Jeff_Traigle
Honored Contributor

Re: sudo for user administration

Opted for sudo on this problem after all. Since it's a very specific set of options I would want them to be able to use and only care about specific accounts that I don't want them to touch, it was actually pretty easy, if cumbersome, to configure. (Since there's going to be a wrapper script issuing the USERADMINCMDS, we don't have the problem of the user admin getting frustrated by issuing the commands with flags in different orders... we just make sure they get run in the wrapper just as they are configured in sudoers.) Trying to leave all of the options available as I had it originally would have never worked as far as limiting what they could do to the system accounts... that would still require some custom programming, I think.

Cmnd_Alias USERADMINCMDS = /usr/sbin/useradd -g -d /[A-z]* -m -c [A-z]* [A-z]*, \
/usr/sbin/userdel -r [A-z]*, \
!/usr/sbin/userdel -r root, \
!/usr/sbin/userdel -r daemon, \
!/usr/sbin/userdel -r bin, \
!/usr/sbin/userdel -r sys, \
!/usr/sbin/userdel -r adm, \
!/usr/sbin/userdel -r uucp, \
!/usr/sbin/userdel -r lp, \
!/usr/sbin/userdel -r nuucp, \
!/usr/sbin/userdel -r hpdb, \
!/usr/sbin/userdel -r nobody, \
/usr/bin/passwd -d -f -x 84 [A-z]*, \
!/usr/bin/passwd -d -f -x 84 root, \
!/usr/bin/passwd -d -f -x 84 daemon, \
!/usr/bin/passwd -d -f -x 84 bin, \
!/usr/bin/passwd -d -f -x 84 sys, \
!/usr/bin/passwd -d -f -x 84 adm, \
!/usr/bin/passwd -d -f -x 84 uucp, \
!/usr/bin/passwd -d -f -x 84 lp, \
!/usr/bin/passwd -d -f -x 84 nuucp, \
!/usr/bin/passwd -d -f -x 84 hpdb, \
!/usr/bin/passwd -d -f -x 84 nobody
--
Jeff Traigle
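Editor's note: the two aliases in this thread (the draft in the first post and the final one in the last post) can be checked without a sudo-enabled box by simulating the matching rules that sudoers(5) documents: an entry with no arguments permits any arguments, an entry with arguments is compared against the user's arguments as one space-joined string using fnmatch(3) wildcards, and when several entries match, the last one in the list decides, so a "!" entry only denies what it matches exactly. The script below is an added example written for this page, not code from the thread or from the sudo project; the function names (parse_cmnd_alias, is_permitted, audit), the MUST_DENY list and the abridged copy of the final alias (three of the listed system accounts instead of all ten) are my own constructions.

```python
import fnmatch
import shlex

# Constructed input: the work-in-progress alias from the first post.
DRAFT_ALIAS = r"""
Cmnd_Alias USERADMINCMDS = /usr/sbin/useradd, \
!/usr/sbin/useradd -o, \
/usr/sbin/userdel, \
!/usr/sbin/userdel root, \
/usr/sbin/usermod, \
!/usr/sbin/usermod root, \
/usr/bin/passwd, \
!/usr/bin/passwd root
"""

# Constructed input: the final alias from the last post, abridged to three of
# the listed system accounts to keep the example short.
FINAL_ALIAS = r"""
Cmnd_Alias USERADMINCMDS = /usr/sbin/useradd -g -d /[A-z]* -m -c [A-z]* [A-z]*, \
/usr/sbin/userdel -r [A-z]*, \
!/usr/sbin/userdel -r root, \
!/usr/sbin/userdel -r daemon, \
!/usr/sbin/userdel -r bin, \
/usr/bin/passwd -d -f -x 84 [A-z]*, \
!/usr/bin/passwd -d -f -x 84 root, \
!/usr/bin/passwd -d -f -x 84 daemon, \
!/usr/bin/passwd -d -f -x 84 bin
"""


def parse_cmnd_alias(text):
    """Return [(negated, path, argspec)] for one Cmnd_Alias definition.

    argspec is None when the entry lists no arguments (sudo then allows any),
    "" for the sudoers '""' form (no arguments allowed), else the pattern.
    """
    body = text.split("=", 1)[1].replace("\\\n", " ")   # join continuation lines
    entries = []
    for raw in body.split(","):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        if negated:
            raw = raw[1:].strip()
        parts = raw.split(None, 1)
        argspec = parts[1].strip() if len(parts) > 1 else None
        if argspec == '""':
            argspec = ""
        entries.append((negated, parts[0], argspec))
    return entries


def entry_matches(entry, path, args):
    """Does one alias entry match the requested command and arguments?"""
    _negated, entry_path, argspec = entry
    if entry_path != path:
        return False
    if argspec is None:
        return True                      # bare path: any arguments
    joined = " ".join(args)              # sudo compares args as one string
    if argspec == "":
        return joined == ""
    return fnmatch.fnmatchcase(joined, argspec)


def is_permitted(entries, cmdline):
    """Last matching entry wins, as sudo evaluates a command list."""
    argv = shlex.split(cmdline)
    path, args = argv[0], argv[1:]
    verdict = False                      # nothing matched: not permitted
    for entry in entries:
        if entry_matches(entry, path, args):
            verdict = not entry[0]
    return verdict


def audit(alias_text, must_deny):
    """Return the command lines in must_deny that the alias still permits."""
    entries = parse_cmnd_alias(alias_text)
    return [cmd for cmd in must_deny if is_permitted(entries, cmd)]


# Constructed check list: root operations the poster wanted blocked
# "regardless of flags given".
MUST_DENY = [
    "/usr/sbin/userdel root",
    "/usr/sbin/userdel -r root",
    "/usr/bin/passwd root",
    "/usr/bin/passwd -d -f -x 84 root",
]

if __name__ == "__main__":
    for name, alias in (("draft", DRAFT_ALIAS), ("final", FINAL_ALIAS)):
        leaks = audit(alias, MUST_DENY)
        print(f"{name}: {len(leaks)} of {len(MUST_DENY)} must-deny lines permitted")
        for cmd in leaks:
            print("  still permitted:", cmd)
```

Run against the draft alias, the audit reports the two flagged forms of the root commands as still permitted, which is exactly the flag-permutation problem the thread settles on; against the final alias it reports none, and the final alias also refuses any shape other than the one the wrapper issues (for example userdel without -r). Two caveats for anyone adapting this: it is a model of the documented rules, so on a current sudo the live policy itself should be asked with `sudo -l <command>` (and `visudo -c` for syntax) before deployment; and because sudo matches arguments as one concatenated string, a trailing `*` in an argument pattern can match across word boundaries, which is one more reason the wrapper script, not the alias, should be the place that fixes the exact command line.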