10-05-2009 09:28 PM
sudo need to be configure
I want to give ALL=ALL (except to su to root) access to a group.
Please suggest how can we do this with sudo.
Thanks
10-05-2009 09:56 PM
Re: sudo need to be configure
Here is the link where you can know everything about sudo.
http://www.gratisoft.us/sudo/man/sudoers.html#examples
Suraj
10-05-2009 10:01 PM
Re: sudo need to be configure
You'll find your users will start using something like:
sudo /usr/bin/csh
# full root access!
or
cp /usr/bin/ksh $HOME/myrootshell
sudo chown root $HOME/myrootshell
sudo chmod u+s $HOME/myrootshell
./myrootshell
# full root access!
or even something like:
sudo more /etc/hosts
!/usr/bin/sh (a shell escape command for "more")
# full root access!
The easiest way would be to limit the allowed target usernames. For example, if your users in group "appadm" must be able to run any commands as appuser1 and appuser2, then the sudo configuration could be like this:
User_Alias APPADMINS = %appadm
Runas_Alias APPUSERS = appuser1, appuser2
APPADMINS ALL=(APPUSERS) ALL
You must then instruct your users to use commands like:
sudo -u appuser1 -i
to get a shell session as appuser1, or
sudo -u appuser1 somecommand
to run individual commands as a particular user.
MK
10-06-2009 09:52 PM
Re: sudo need to be configure
Thanks for the reply.
There are some security risks in your previous suggestion:
1. When a user uses /usr/bin/csh, we just get a log for the first cmd and no log of what the user is running in the csh shell.
Log output:
OCT 7 10:06:02 2009 : viney : HOST=bscstest : TTY=pts/0 ; PWD=/home/viney ;
USER=root ; COMMAND=/usr/bin/csh
2. When we use an alias, the user is still able to su to root, which I need to disable.
Alias details which I'm using in the sudoers file:
User_Alias UNIX=%unixl2
Runas_Alias UNIX_L2=root
UNIX ALL=(UNIX_L2)ALL
UNIX ALL=!/usr/bin/passwd root
....
Waiting for more suggestions on this.
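A review aid for the logging gap raised in this thread, added here as an example and not written by any of the posters: it reads sudo log entries in the format quoted above and flags root commands after which sudo logs nothing further (the shells and the `more` pager named in the thread) or which set a set-id bit. Only the first log entry comes from the post; the other three entries, the function names and the reason strings are assumptions made for the example.

```python
import os
import re

# Constructed log in the format quoted above; the first entry is wrapped over
# two lines as in the post, the other three are made up for the example.
SAMPLE_LOG = """\
OCT 7 10:06:02 2009 : viney : HOST=bscstest : TTY=pts/0 ; PWD=/home/viney ;
USER=root ; COMMAND=/usr/bin/csh
OCT 7 10:09:41 2009 : viney : HOST=bscstest : TTY=pts/0 ; PWD=/home/viney ; USER=root ; COMMAND=/usr/bin/chmod u+s /home/viney/myrootshell
OCT 7 10:12:13 2009 : viney : HOST=bscstest : TTY=pts/0 ; PWD=/home/viney ; USER=root ; COMMAND=/usr/bin/more /etc/hosts
OCT 7 10:15:30 2009 : viney : HOST=bscstest : TTY=pts/0 ; PWD=/home/viney ; USER=appuser1 ; COMMAND=/usr/bin/ls /opt/app
"""

SHELLS = {"sh", "csh", "ksh"}   # shells named in this thread
SHELL_ESCAPE = {"more"}         # pager named in this thread

def records(text):
    """Yield one joined string per log entry; an entry ends at COMMAND=."""
    buf = []
    for line in text.splitlines():
        buf.append(line.strip())
        if "COMMAND=" in line:
            yield " ".join(buf)
            buf = []

def classify(argv):
    """Return a reason string if the command defeats per-command logging."""
    prog, args = os.path.basename(argv[0]), argv[1:]
    if prog in SHELLS:
        return "shell: later commands unlogged"
    if prog in SHELL_ESCAPE:
        return "shell escape possible"
    if prog == "chmod":
        mode = next((a for a in args if not a.startswith("-")), "")
        # Symbolic +s/=s, or a four-digit octal mode with setuid/setgid set.
        if re.search(r"[+=][rwxXt]*s", mode) or re.fullmatch(r"[2-7][0-7]{3}", mode):
            return "set-id bit set"
    return None

def suspicious(text):
    """Return (user, runas, command, reason) for root entries worth review."""
    hits = []
    for rec in records(text):
        user = rec.split(" : ")[1]
        runas = re.search(r"USER=(\S+)", rec).group(1)
        command = rec.split("COMMAND=", 1)[1]
        reason = classify(command.split()) if runas == "root" else None
        if reason:
            hits.append((user, runas, command, reason))
    return hits
```

Entries run as a non-root target such as appuser1 are skipped on purpose, since a shell on an application account is the intended use in the Runas_Alias policy suggested earlier in the thread.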
10-06-2009 11:11 PM
Re: sudo need to be configure
If you don't want the user to execute a shell on the target user account, don't allow them to start a shell through sudo. And don't allow any command that has the function of starting a shell. And don't allow any command that could be used to deconfigure your restrictions either.
If you allow someone to execute commands as root with no restriction to the set of commands allowed, then that person does not need "su" to become root: s/he has an unlimited number of ways to duplicate the effects of "su".
2.) Yes, definitely. If you try to create a sudo policy by allowing "everything except these commands", you will always end up with allowing too much.
The problem is that the basic Unix tools required to install/maintain/troubleshoot/debug an application running as root can also be used to create an unrestricted and un-logged root access to any user.
The only solution to this problem is to not run applications as root so that you don't have to grant ALL=ALL access to people who are not trusted sysadmins.
If you run the applications on separate user accounts dedicated to this purpose, you can then use sudo to grant people access to those application accounts *only* without giving them root access at all.
Let's start over at the beginning.
You have a group named "unixl2" that needs to do something. You think that requires ALL=ALL style access, which includes unrestricted root access. But the members of the group apparently must not be allowed to become root.
What exactly does the "unixl2" group need to do?
MK
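A small sudoers check for the two patterns discussed in the replies above (unrestricted commands as root, and "everything except" deny-list entries), added here as an example and not written by any of the posters. The sample text combines the two policies posted in the thread; the `audit` function, its finding labels and its simplified parsing (every `#` starts a comment, only Runas_Alias is resolved) are assumptions of the example.

```python
import re

# Constructed sample: the two policies posted in this thread, side by side.
SAMPLE = """\
User_Alias UNIX=%unixl2
Runas_Alias UNIX_L2=root
UNIX ALL=(UNIX_L2)ALL
UNIX ALL=!/usr/bin/passwd root
User_Alias APPADMINS = %appadm
Runas_Alias APPUSERS = appuser1, appuser2
APPADMINS ALL=(APPUSERS) ALL
"""

# user host = (runas) commands; the (runas) part is optional
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

def audit(text):
    """Return (line_no, who, finding) for risky user specifications."""
    runas_alias, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # simplification: every # is a comment
        m = re.match(r"Runas_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            runas_alias[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
            continue
        if not line or re.match(r"(Defaults|(User|Host|Cmnd)_Alias)\b", line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, _host, runas, cmds = m.groups()
        targets = []
        for t in (runas or "root").split(","):   # no (runas) list means root
            targets += runas_alias.get(t.strip(), [t.strip()])
        # Drop tags such as NOPASSWD: before comparing command entries.
        cmd_list = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip())
                    for c in cmds.split(",")]
        if "ALL" in cmd_list and any(t in ("root", "ALL") for t in targets):
            findings.append((no, who, "all commands as root"))
        if any(c.startswith("!") for c in cmd_list):
            findings.append((no, who, "deny-list entry"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample, both UNIX lines are reported and the APPADMINS rule is not, because its target list resolves to appuser1 and appuser2 only.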
10-07-2009 03:02 AM
Re: sudo need to be configure
exactly i want to do
10-07-2009 03:22 AM
Re: sudo need to be configure
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now