
sudo password

Khashru
Valued Contributor

sudo password

I have installed sudo on an HP-UX 11i trusted system. I configured it so that my helpdesk users can change passwords. When they go to change a password, most of the time it asks for the password, but not every time. How can I disable it? What is the policy for asking for the password?
Yogeeraj_1
Honored Contributor

Re: sudo password

hi khashru,


can you post the sudoers file?

sudo can be configured to behave in just this fashion. There are options to require passwords sometimes and to not require passwords at other times.

regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Senthil Kumar .A_1
Honored Contributor
Solution

Re: sudo password

Hi Khashru ,

Try using the keyword "NOPASSWD" in your /etc/sudoers file. If you paste your sudoers file in this thread, we could be of more help as to where we need to tag that keyword.

Regards,
Senthil
Let your effort be such, the very words to define it, by a layman - would sound like a "POETRY" ;)
Arunvijai_4
Honored Contributor

Re: sudo password

Hi Khashru,

This link should help you..

http://www.afp548.com/article.php?story=20051025103428232
[Essential Sudoers]

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
blubrick
Occasional Advisor

Re: sudo password

Hi Khashru,

When a user runs sudo, sudo creates a timestamp file for that user with an expiry of 5 minutes. If the user's timestamp file is younger than 5 minutes (default value), sudo will allow that user to run the command without a password. If the timestamp is older than 5 minutes, the user has to supply their password.


If you want the helpdesk user to only ever run "sudo passwd" without being prompted for their password, you will need to edit the "sudoers" file.

You will need something like the following entries:

# Define a user group
User_Alias HELPDESK = username1,username2
# Define a command group
Cmnd_Alias PASSWD = /usr/bin/passwd
# Define a host group
Host_Alias PROD = hpbox1, hpbox2
# Define what command group(s) a user group may run, on which hosts and how.
# Command entries are comma-separated; the "!" entry comes last so it overrides
# the alias for that one argument. Note that passwd root is denied.
HELPDESK PROD = NOPASSWD: PASSWD, !/usr/bin/passwd root

In this example, username1 and username2 may run the passwd command for any user except root on hosts hpbox1 and hpbox2.


You can also reset the value of the timestamp timeout in the sudoers file. Setting it to 0 will force sudo to ALWAYS prompt for a password.

eg:
Defaults timestamp_timeout=0


Ensure that you only ever edit the sudoers file via the visudo utility, as it performs a syntax check on the sudoers file after you save your changes, but before writing the file to its location in the filesystem.

DISCLAIMER
==========
Because sudo is one of those utilities that can bypass standard security measures, it is not wise to go making changes to the default behaviour unless you really understand what you are doing. I would strongly advise you to read the sudo(1m), sudoers(4) and visudo(1m) manpage carefully before turning off password prompting for your helpdesk staff.
Growing old is unavoidable, growing up is optional.
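As an added illustration (not code from this thread or from sudo itself), the following Python model walks through how the fragment above is evaluated: the three aliases, the NOPASSWD tag, the trailing "!" exclusion and the timestamp cache. The sudoers text, user and host names are taken from the post; the evaluator is an assumption that omits most of real sudo's matching rules (globs, Runas, wildcards), so always confirm a live policy with "sudo -l" and "visudo -c".

```python
# Added example (not sudo's code): a simplified model of how sudo reads the fragment above,
# covering aliases, NOPASSWD, a "!" exclusion and the timestamp cache.

SUDOERS = """\
User_Alias HELPDESK = username1,username2
Cmnd_Alias PASSWD = /usr/bin/passwd
Host_Alias PROD = hpbox1, hpbox2
HELPDESK PROD = NOPASSWD: PASSWD, !/usr/bin/passwd root
Defaults timestamp_timeout=0
"""

def parse(text):
    """Return (aliases, rules, defaults); a rule is (who, hosts, nopasswd, [cmd specs])."""
    aliases = {"User_Alias": {}, "Cmnd_Alias": {}, "Host_Alias": {}}
    rules, defaults = [], {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line: continue
        kind, rest = line.split(None, 1)
        if kind in aliases:  # NAME = member, member
            name, members = rest.split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
        elif kind == "Defaults":  # Defaults key=value (one option per line in this model)
            key, _, val = rest.partition("=")
            defaults[key.strip()] = val.strip()
        else:  # WHO HOSTS = [NOPASSWD:] cmd, cmd ...
            hosts, cmds = rest.split("=", 1)
            nopasswd = cmds.strip().startswith("NOPASSWD:")
            cmds = cmds.strip().removeprefix("NOPASSWD:")
            rules.append((kind, hosts.strip(), nopasswd, [c.strip() for c in cmds.split(",")]))
    return aliases, rules, defaults

def matches(spec, argv):
    # A spec without arguments matches any arguments; one with arguments must match exactly.
    return argv[0] == spec if " " not in spec else " ".join(argv) == spec

def check(policy, user, host, argv, secs_since_auth=None):
    """Return (allowed, prompt): may the user run argv on host, and would sudo ask a password?"""
    aliases, rules, defaults = policy
    allowed, needs_pw = False, True
    for who, hosts, nopasswd, cmds in rules:
        if user not in aliases["User_Alias"].get(who, [who]) or \
                host not in aliases["Host_Alias"].get(hosts, [hosts]):
            continue
        for spec in cmds:
            for cmd in aliases["Cmnd_Alias"].get(spec.lstrip("!"), [spec.lstrip("!")]):
                if matches(cmd, argv):
                    allowed, needs_pw = not spec.startswith("!"), not nopasswd  # last match wins
    timeout_min = int(defaults.get("timestamp_timeout", "5"))  # sudo's default is 5 minutes
    cached = secs_since_auth is not None and secs_since_auth < timeout_min * 60
    return allowed, allowed and needs_pw and not cached
```

With timestamp_timeout=0 the cache never applies, which is the "always prompt" behaviour described above; with the default 5 minutes, a second sudo within that window is silent.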
Yogeeraj_1
Honored Contributor

Re: sudo password

hi again,

I would also suggest that you run the configure with this option: --disable-root-sudo

By doing this, you won't get into a situation where someone can do a sudo sudo /bin/sh and become root... The INSTALL file packaged with sudo has many other options that you can also review...

You must be careful about the permissions you are giving people with sudo. For instance, if you give someone ALL:/usr/bin/chmod or ALL:/usr/bin/chown, they will be able to take over any file on the system, including /etc/sudoers.

Hence, as a general rule, before you give a user sudo permissions, ask yourself: "Does this person REALLY need to run this command as root in order to do their job?"

You can also set sudo to track the messages by altering /etc/syslog.conf. (You may as well send the messages to a totally different machine to make it very difficult for a user to cover their 'sudo tracks'.)

One preventive measure will be to also copy the sudo executable to /usr/local/bin/ and redirect the users there via /etc/PATH. Then if whatever directory sudo is found in gets corrupted, either accidentally or on purpose, sudo still works.

hope this helps too!

kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Khashru
Valued Contributor

Re: sudo password

I have used the NOPASSWD option.