Operating System - HP-UX

sudo user unable to execute

 
rdasari
Occasional Contributor

Hi All :

I am getting the following for a sudo user :

"Sorry, user richard is not allowed to execute '/usr/bin/kill -hup 15284' as root on pwpsp."

The sudoers file is set as :

richard ALL=/apps/dlc101b/bin/proshut, /usr/bin/kill

Any help is greatly appreciated.


Regards,

Ramamurthy Dasari

Jeff_Traigle
Honored Contributor

Re: sudo user unable to execute

Probably a syntax error. That entry doesn't look right to me. Did you use visudo to edit the sudoers file? It'll catch syntax errors nicely. Try:

richard ALL=(root) /apps/dlc101b/bin/proshut, /usr/bin/kill

Of course, giving someone blanket kill privileges like this is pretty dangerous stuff.
--
Jeff Traigle
rdasari
Occasional Contributor

Re: sudo user unable to execute

Jeff :

Thanks for the quick response. The syntax was correct as posted. I had even tried the way you stated but am still getting the same error.

Also, what do you mean by blanket kill privileges?


Thanks & Regards,

Ramamurthy Dasari
Jeff_Traigle
Honored Contributor

Re: sudo user unable to execute

I seem to recall having some issues having multiple commands directly in the line like that. Maybe my mind playing tricks on me. I always use aliases in sudoers. Keeps things more organized for complex configurations and avoids the problem. Might try something like this and see if you have better luck:

User_Alias SOMEGUY = richard
Cmnd_Alias SOMEGUY_CMNDS = /apps/dlc101b/bin/proshut, /usr/bin/kill

SOMEGUY ALL=(root) SOMEGUY_CMNDS

(You can name the aliases whatever you like.)

As for the danger of giving someone open access to the kill command this way... with no restriction on what they can kill, there's nothing to stop him from killing any process on the system... any OS process, database, application, etc. One typo or malicious execution and the system/database/application could come down in a very unpleasant manner. If there are only certain processes the user should really have a need to kill as root, I'd create a wrapper script to be sure those processes are the only ones they could kill. If all of the processes are owned by a particular non-root user, you could also safeguard the system somewhat better by putting that user in the config instead of root, like this:

Runas_Alias OTHERUSER = somename
SOMEGUY ALL=(OTHERUSER) /usr/bin/kill

Also, be concerned about file and directory permissions for commands you grant access to, especially ones allowed to run as root. The person shouldn't be able to change /apps/dlc101b/bin/proshut by having write permission to it or the directory /apps/dlc101b/bin if they are allowed to run the command as root. That's another avenue for them to do whatever they want to do on the system.
--
Jeff Traigle
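
The wrapper-script approach suggested in the last reply, as an added example that is not part of the original thread. The script name `safe_hup`, its install path, the owner `appuser` and the command names `appserver` and `appworker` are assumptions to replace with site values.

```shell
#!/bin/sh
# safe_hup (hypothetical name): grant this in sudoers instead of /usr/bin/kill,
#   richard ALL=(root) /usr/local/sbin/safe_hup     # path is an assumption
# Install it root-owned, in a root-owned directory, writable by no one else.
ALLOWED_OWNER="appuser"             # assumed owner of the killable processes
ALLOWED_CMDS="appserver appworker"  # assumed command names, space separated

# True only for a plain positive decimal PID: rejects "", 0, -1 and options.
is_pid() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
        *) return 0 ;;
    esac
}

# True when both owner ($1) and command name ($2) are on the allowlist.
is_allowed() {
    [ "$1" = "$ALLOWED_OWNER" ] || return 1
    for c in $ALLOWED_CMDS; do
        # Compare the basename in case ps reports a full path.
        [ "${2##*/}" = "$c" ] && return 0
    done
    return 1
}

main() {
    PATH=/usr/bin:/bin; export PATH   # do not trust the caller's PATH
    if [ "$#" -ne 1 ] || ! is_pid "$1"; then
        echo "usage: safe_hup PID" >&2; return 2
    fi
    # UNIX95 switches HP-UX ps to XPG4 behaviour so that -o is accepted.
    info=$(UNIX95=1 ps -p "$1" -o user= -o comm=) || {
        echo "no such process: $1" >&2; return 1; }
    set -- "$1" $info                 # $2 = owner, $3 = command name
    is_allowed "$2" "$3" || {
        echo "PID $1 ($2 $3) is not on the allowlist" >&2; return 1; }
    kill -HUP "$1"                    # signal is fixed, never caller-chosen
}

# Run main only when invoked under the wrapper's own name.
if [ "${0##*/}" = "safe_hup" ]; then main "$@"; fi
```

The check and the `kill` are separate steps, so a PID that exits and is reused in between could still be signalled; the window is small but not zero.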