Operating System - HP-UX

Re: SUDO Setup on my hp-ux 11.0

 
SOLVED
Laurie A. Krumrey
Regular Advisor

SUDO Setup on my hp-ux 11.0

Hi All,

I have to install SUDO on my hp-ux 11.0 and I
am not sure where to get this and how to install it.

Can someone help me who knows about this product?

Sudo-Challenged,
Laurie
Happiness is a choice
12 REPLIES
Bill McNAMARA_1
Honored Contributor
Solution

Re: SUDO Setup on my hp-ux 11.0

try http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.2b1/

for instructions and hp-ux depots.


Later,
Bill
It works for me (tm)
Sachin Patel
Honored Contributor

Re: SUDO Setup on my hp-ux 11.0

Hi Laurie,
Once you install it, use the visudo command to edit the /etc/sudoers file. A sample of that file:

# User alias specification
User_Alias OPERATOR = sachin, petec, backup

# Cmnd alias specification
Cmnd_Alias DUMP = /usr/local/etc/cluster_backitup

# User privilege specification
root ALL=(ALL) ALL
OPERATOR ALL = DUMP
Note: Uppercase is necessary.

Use sudo -l to see what is available for the user.

Sachin
Is photography a hobby or another way to spend $
John Payne_2
Honored Contributor

Re: SUDO Setup on my hp-ux 11.0

You may want to run the configure with this option: --disable-root-sudo. That way you don't get in a situation where someone can do a sudo sudo /bin/sh and become root... The INSTALL file packaged with sudo has many other options, including insults, which I only use on non-production machines so management doesn't see it and get mad at me.

You want to be careful about the permissions you give people with sudo. For instance, if you give someone ALL:/usr/bin/chmod or ALL:/usr/bin/chown, they will be able to take over any file on the system, including /etc/sudoers. As a general rule, before I give a user sudo permissions, I think "Does this person REALLY need to run this command as root in order to do their job?" I also set sudo to track the messages by altering /etc/syslog.conf. (We send the messages to a totally different machine to make it very difficult for a user to cover their 'sudo tracks'.)

I also copy the sudo executable to /usr/local/bin/ and send people there via /etc/PATH. Then if whatever directory sudo is found in gets blown away either accidentally or on purpose, sudo still works.
Spoon!!!!
Sorrel G. Jakins
Valued Contributor

Re: SUDO Setup on my hp-ux 11.0

John Payne said:
>...including insults, which I only use on non-
>production machines so management doesn't see
>it and get mad at me.

Sorrel Jakins (John Payne's manager) says:
..Unless management reads ITRC forums....
;-)
Laurie A. Krumrey
Regular Advisor

Re: SUDO Setup on my hp-ux 11.0

OK I got sudo installed and my sudoers file
setup.

I need to figure out how to make sudo
track the messages in the etc/syslog.conf.
But I am not sure how to do this. I want to make this very difficult for a user to cover their 'sudo tracks'.

How do I edit this etc/syslog.conf?

Thank you,
Laurie
Happiness is a choice
John Payne_2
Honored Contributor

Re: SUDO Setup on my hp-ux 11.0

Add the following to /etc/syslog.conf:

local2.debug /var/adm/syslog/sudo.log

Then touch the file /var/adm/syslog/sudo/log

Then do a 'kill -HUP xxxxx' where xxxxx is your syslog's current process. (This makes syslog re-read the syslog.conf.) Then the sudo logs will go to both your syslog and the sudo.log. The name sudo.log is just what I use. You could call it anything you want, really. I put them in both places because it is easier to search the sudo.log than the syslog.
Spoon!!!!
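A check for the syslog.conf rule described above, as an added example that is not part of the original post. It assumes a traditional syslogd that requires a tab between the selector and the action, which a later reply in this thread identifies as the reason sudo.log stayed empty; the sample file and the function names are constructed for illustration.

```python
import re

# Constructed sample file. Line 3 separates selector and log file with a space,
# the mistake diagnosed in this thread; line 5 has a selector but no action.
SAMPLE_SYSLOG_CONF = (
    "# sudo logging\n"
    "mail.debug\t\t/var/adm/syslog/mail.log\n"
    "local2.debug /var/adm/syslog/sudo.log\n"
    "*.info;mail.none\t/var/adm/syslog/syslog.log\n"
    "local3.notice\t\n"
)

# facility[,facility].level pairs joined by ';', e.g. "*.info;mail.none"
_PAIR = r"[\w*]+(?:,[\w*]+)*\.[\w*]+"
SELECTOR_RE = re.compile(rf"^{_PAIR}(?:;{_PAIR})*$")


def check_syslog_conf(text):
    """Return [(line_number, problem)] for rules a tab-delimited syslogd rejects."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        selector, tab, action = line.partition("\t")
        if not tab:
            problems.append((lineno, "no tab between selector and action"))
        elif not SELECTOR_RE.match(selector):
            problems.append((lineno, "malformed selector"))
        elif not action.strip():
            problems.append((lineno, "selector has no action"))
    return problems


def destinations(text, facility):
    """Actions of accepted rules naming `facility` or '*'; only level 'none' is honoured."""
    rejected = {lineno for lineno, _ in check_syslog_conf(text)}
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if lineno in rejected or not line.strip() or line.lstrip().startswith("#"):
            continue
        selector, _, action = line.partition("\t")
        matched = False
        for pair in selector.split(";"):
            names, _, level = pair.rpartition(".")
            if {facility, "*"} & set(names.split(",")):
                matched = level != "none"
        if matched:
            found.append(action.strip())
    return found
```

With the space-separated rule, `destinations(SAMPLE_SYSLOG_CONF, "local2")` lists only the general syslog file, which matches the symptom of sudo activity reaching syslog while sudo.log stays empty.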
Laurie A. Krumrey
Regular Advisor

Re: SUDO Setup on my hp-ux 11.0

Hi John,

I assumed you meant touch /var/adm/syslog/sudo.log

Well I did all that and my sudo.log is empty
when I tested it, but my activity on sudo
still goes to syslog.

Also I have never seen any messages about
unauthorized users. I tried to use sudo on
an end-user's account who does not have access
and I am not sure where or how this is being
logged. Though the end-user gets the error
message Execute permission denied.

Thanks so much for your help... This sudo stuff
is lots of fun, if I know what I'm doing.
Right now I think I gave the account too
much access.

How come my sudo.log isn't logging? I followed
all your instructions...

Laurie
Happiness is a choice
John Payne_2
Honored Contributor

Re: SUDO Setup on my hp-ux 11.0

Does your sudo.log have the write permission for root? i.e.
-rw-r--r-- 1 root sys 1142 Aug 1 10:41 sudo.log

What I listed is all I do to configure it, and it seems to work just fine... Here is a sample of the output from my sudo.log:

Jul 23 17:06:49 bastian sudo: jjp : TTY=pts/1 ; PWD=/usr/sbin ; USER=root ; COMMAND=/usr/sbin/sam -r
Jul 23 17:07:58 bastian sudo: jjp : TTY=pts/1 ; PWD=/usr/sbin ; USER=root ; COMMAND=/usr/sbin/sam -r
Aug 1 10:09:05 bastian sudo: jjp : TTY=pts/1 ; PWD=/opt/sudo ; USER=root ; COMMAND=/usr/bin/rm -r MD5 README linux_nfs.patch sudo-1.6.3p7 sudo-1.6.3p7.patch.gz sudo-1.6.3p7.tar
Aug 1 10:23:20 bastian sudo: jjp : command not allowed ; TTY=pts/1 ; PWD=/opt/sudo ; USER=root ; COMMAND=/opt/ssh/bin/sftp2 gumby.byu.edu
Aug 1 10:26:04 bastian sudo: jjp : TTY=pts/1 ; PWD=/opt/sudo ; USER=root ; COMMAND=/usr/contrib/bin/gunzip sudo-1.6.3p7.tar.gz
Aug 1 10:26:21 bastian sudo: jjp : TTY=pts/1 ; PWD=/opt/sudo ; USER=root ; COMMAND=/usr/bin/tar -xvf sudo-1.6.3p7.tar
Aug 1 10:27:55 bastian sudo: jjp : command not allowed ; TTY=pts/1 ; PWD=/opt/sudo/sudo-1.6.3p7 ; USER=root ; COMMAND=./visudo
Aug 1 10:41:23 bastian sudo: jjp : TTY=pts/1 ; PWD=/opt/sudo/sudo-1.6.3p7 ; USER=root ; COMMAND=list

I configured sudo with the --enable-log-host, which is why the hostname shows up. (Our syslogs are heading off to a different server, where our enterprise event management happens. This also makes it easy to secure a copy of the sudo log off the host machine.) For the format of the error message, see the Aug 1 10:23:20 message. Also note the Aug 1 10:09:05 message where I 'accidentally' deleted our sudo install. I had copied the sudo executable somewhere else, and sudo continued to work...

The entry for the syslog.conf should actually be local2.debug /var/adm/syslog/sudo.log, where the blank space is actually a tab... Also, are you sure you actually killed the syslog? If you did it, you will see a 'Aug 2 14:49:47 bastian syslogd: restart' message in the syslog. Let me know if it helps.
Spoon!!!!
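A parser for the sudo.log format shown above that pulls out the refused requests, as an added example that is not part of the original post. The log lines, host names and users are constructed; "user NOT in sudoers" is the reason sudo records for an account with no sudoers entry, and the function and field names are this example's own.

```python
import re

# Constructed sample in the format shown above (hosts, users and commands are
# made up). The second entry is wrapped mid-path, as an 80-column paste would be.
SAMPLE_LOG = """\
Aug  1 10:09:05 hosta sudo: alice : TTY=pts/1 ; PWD=/opt/sudo ; USER=root ; COMMAND=/usr/bin/tar -xvf pkg.tar
Aug  1 10:23:20 hosta sudo: alice : command not allowed ; TTY=pts/1 ; PWD=/
opt/sudo ; USER=root ; COMMAND=/opt/ssh/bin/sftp2 hostb
Aug  1 10:30:02 hosta sudo: bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/sh
Aug  1 10:31:00 hosta syslogd: restart
"""

STAMP = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d"
ENTRY = re.compile(rf"^(?P<when>{STAMP}) (?P<host>\S+) sudo: +(?P<who>\S+) : (?P<rest>.*)$")


def unwrap(text):
    """Glue wrapped continuation lines (no leading timestamp) onto their entry."""
    entries = []
    for line in text.splitlines():
        if re.match(STAMP, line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries


def parse_sudo_entry(entry):
    """Return a dict for one sudo entry, or None for any other syslog line."""
    m = ENTRY.match(entry)
    if not m:
        return None
    head, _, command = m.group("rest").partition("COMMAND=")
    rec = {"when": m["when"], "host": m["host"], "who": m["who"],
           "command": command.strip(), "denied": None}
    for field in filter(None, (f.strip() for f in head.split(";"))):
        key, eq, value = field.partition("=")
        if eq and key.isupper():
            rec[key.lower()] = value  # TTY, PWD, USER (the run-as user)
        else:
            rec["denied"] = field     # reason text such as "command not allowed"
    return rec


def denied_attempts(text):
    """Entries where sudo refused the request, in log order."""
    parsed = (parse_sudo_entry(e) for e in unwrap(text))
    return [r for r in parsed if r and r["denied"]]
```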
Laurie A. Krumrey
Regular Advisor

Re: SUDO Setup on my hp-ux 11.0

My sudo stuff is working fine now..thank you.
I didn't use the tab key when I edited the
syslog.conf file. One last question..

Here is my sudo file:

# Host alias specification
Host_Alias SHANTI = shanti

# User alias specification
User_Alias NETBKUP = netbkup

# Cmnd alias specification
Cmnd_Alias NETBACKUP = /usr/ops/scripts/asys_backup.sh

# User privilege specification
root ALL=(ALL) ALL
NETBKUP SHANTI = NOPASSWD: NETBACKUP

The netbkup login is an automated account
that backs up all my servers, but I only want
netbkup to execute the one command
asys_backup.sh.

When I list the type of access netbkup
has I get this:

# sudo -l -u netbkup
User root may run the following commands on this host:
(ALL) ALL

Does this mean netbkup can do anything root
can? How do I make it so my account netbkup
only does that one command above?

Should I remove the line root ALL=(ALL) ALL
in the sudo file?

Thanks for your help,
Laurie
Happiness is a choice
John Payne_2
Honored Contributor

Re: SUDO Setup on my hp-ux 11.0

Laurie,

I believe that command you are asking about shows the sudo permissions for the current user, i.e. when I am logged in as 'jjp' and run the command 'sudo -l -u sgj3', I get the following output:

Bastian:jjp /etc/default# sudo -l -u sgj3
User jjp may run the following commands on this host:
(root) /opt/ignite/bin/
(root) /opt/pred/bin/
(root) /etc/opt/resmon/lbin/
(root) /opt/ssh/bin/sftp2
(root) /usr/bin/
(root) /usr/sbin/
(root) /usr/contrib/bin/
(root) /sbin/init.d/
(root) /opt/unicenter/bin/
(root) /opt/unicenter/atech/services/bin/
(root) /opt/sudo/sudo-1.6.3p7/visudo
(root) /opt/hpnp/bin/jetadmin

Telling me what permissions I have and ignoring the 'sgj3' string. I can not run the command as root because I have disabled root sudo access. (See previous post about root using sudo.) I am not sure how you can confirm how to do that other than 'su - netbkup' and then run the 'sudo -l' command. There doesn't seem to be any other way...

Hope it helps.

John
Spoon!!!!
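One way to see what each account may run by reading the sudoers text directly, as an added example that is not part of the original posts. It covers both the question of what netbkup is limited to and the earlier caution about chmod and chown grants; it handles only a simplified grammar (one rule per line, no nested aliases, continuations or negation), and the OPS alias, the RISKY list and the function names are assumptions of this example.

```python
import re

# Constructed sudoers text modelled on this thread's files; OPS and its grant are hypothetical.
SAMPLE_SUDOERS = """\
Host_Alias SHANTI = shanti
User_Alias NETBKUP = netbkup
User_Alias OPS = alice, bob
Cmnd_Alias NETBACKUP = /usr/ops/scripts/asys_backup.sh
Cmnd_Alias PERMS = /usr/bin/chmod, /usr/bin/chown
root ALL=(ALL) ALL
NETBKUP SHANTI = NOPASSWD: NETBACKUP
OPS ALL = PERMS, /usr/sbin/sam
"""

# chmod/chown are the grants warned about in the thread; flagging ALL is an assumption.
RISKY = {"ALL", "/usr/bin/chmod", "/usr/bin/chown"}
ALIAS = re.compile(r"^(User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
# who hosts = [(runas)] [TAG:] command, command
SPEC = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(?:\([^)]*\)\s*)?(?:\w+:\s*)*(.+)$")


def effective_commands(text):
    """Map user -> commands after alias expansion (one rule per line, no negation)."""
    aliases = {"User": {}, "Host": {}, "Cmnd": {}}
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        alias, spec = ALIAS.match(line), SPEC.match(line)
        if alias:
            kind, name, members = alias.groups()
            aliases[kind][name] = [m.strip() for m in members.split(",") if m.strip()]
        elif spec and not line.startswith("Defaults"):
            rules.append(spec.groups())
    allowed = {}
    for who, _hosts, commands in rules:
        for user in aliases["User"].get(who, [who]):
            for cmd in filter(None, (c.strip() for c in commands.split(","))):
                allowed.setdefault(user, []).extend(aliases["Cmnd"].get(cmd, [cmd]))
    return allowed


def risky_grants(text, ignore=("root",)):
    """Users outside `ignore` whose expanded commands include a RISKY entry."""
    found = {}
    for user, commands in effective_commands(text).items():
        hits = sorted({c for c in commands if c.split()[0] in RISKY})
        if hits and user not in ignore:
            found[user] = hits
    return found
```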
Jim Hendrick
Advisor

Re: SUDO Setup on my hp-ux 11.0


Sudo's main page is at:

http://www.courtesan.com/sudo/index.html
where the latest version is 1.6.3p7

The HP porting and resource center has 1.6.2b1

If you can, I would build the latest. The
build and install are very straightforward.

If you have questions, etc. that you cannot find on the Sudo site, I will try to help.

Later,

Jim H.

Jim Hendrick
Advisor

Re: SUDO Setup on my hp-ux 11.0

OK, OK, I somehow didn't see the TEN other replies...

sounds like you are in good hands.