Operating System - HP-UX

 
tom quach_1
Super Advisor

sudo with limited permission

Hi All,

I would like to have your advice on a sudo issue.
How can I assign full control of a printer to a user or group of users by using sudo?
If I assign the lpfence command to a user using sudo, is there a way to allow him to control only his printers? lpfence involves shutting down the spooler (lpshut).
Please advise!
Regards,
Tom

RAC_1
Honored Contributor

Re: sudo with limited permission

Do all users belong to one single group?
Then:
Cmnd_Alias LP_COMMANDS = /usr/sbin/lpfence, /usr/sbin/lpshut, xxyc, ereette
%group_name ALL = LP_COMMANDS

This would give all users in group_name access to all commands that you specify for the alias LP_COMMANDS.
There is no substitute to HARDWORK
Jesús Couto Fandiño
Occasional Advisor

Re: sudo with limited permission

Bit tedious, but you can define the command for each user, and add to the command the argument for the printer. That is, instead of defining an alias for the printer commands and assigning it to a group, you have to define one line per user and printer:

jcouto ALL = (root) /usr/sbin/lpfence coutoprinter

Now I could call sudo /usr/sbin/lpfence coutoprinter 10, but sudo would not let me do the lpfence for any other printer.
Bill Hassell
Honored Contributor

Re: sudo with limited permission

The lp user has permission to run the lp commands, but I suspect that you don't want the helpers to use *every* lp command. In the sudoers file, you can enumerate each of the allowed commands. The usual commands would be lpadmin (but you may need to limit the options in case a helper accidentally deletes a printer), cancel, accept, reject. The good news is that you only need to create the sudo user once with all the needed commands.


Bill Hassell, sysadmin
tom quach_1
Super Advisor

Re: sudo with limited permission

Thanks, RAC, Jesús, and Bill, for your help.


This line in my sudoers file works fine:
tom ALL = NOPASSWD:/usr/bin/cancel
But if I add a printer name "printer1" at the end, sudo will prompt for a password:
tom ALL = NOPASSWD:/usr/bin/cancel printer1
Or even if I use the command from Jesús:
tom ALL = (root)/usr/bin/cancel printer1

It still asks for a password.

Is there a way for sudo to assign certain permissions to a certain user to take care of a certain task?
Ex.: the cancel command, to allow a user to cancel only the printers assigned to him in the sudoers file, or the kill command, to allow him to kill only processes in his group.

Regards,
Tom
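
As an added example (not part of the thread and not sudo's own code), here is a simplified Python model of how sudoers matches the arguments in rules like the ones posted above, used to check which command lines a per-printer rule covers. The helper `spec_allows`, the request ids and the wildcard rules are constructed for illustration; escaping and wildcards in the command path are not modelled.

```python
from fnmatch import fnmatchcase

def spec_allows(spec, argv):
    """Simplified model of how one sudoers command spec is matched.

    spec: command text from a sudoers rule, e.g. "/usr/bin/cancel printer1"
    argv: the command line the user passes to sudo, as a list
    """
    cmd, _, spec_args = spec.partition(" ")
    if argv[0] != cmd:
        return False
    given = " ".join(argv[1:])      # sudo compares the arguments as ONE string
    spec_args = spec_args.strip()
    if not spec_args:               # rule has no arguments: any are accepted
        return True
    if spec_args == '""':           # rule has "": no arguments are accepted
        return given == ""
    return fnmatchcase(given, spec_args)  # otherwise exact or wildcard match

# Constructed command lines; request ids such as printer1-42 are made up.
CASES = [
    ("/usr/bin/cancel", ["/usr/bin/cancel", "printer2-7"]),
    ("/usr/bin/cancel printer1", ["/usr/bin/cancel", "printer1"]),
    ("/usr/bin/cancel printer1", ["/usr/bin/cancel", "printer1-42"]),
    ("/usr/sbin/lpfence coutoprinter", ["/usr/sbin/lpfence", "coutoprinter", "10"]),
    ("/usr/sbin/lpfence coutoprinter *", ["/usr/sbin/lpfence", "coutoprinter", "10"]),
    ("/usr/bin/cancel printer1-*", ["/usr/bin/cancel", "printer1-42", "printer2-7"]),
]

def evaluate(cases=CASES):
    """Return one True/False decision per (rule, command line) pair."""
    return [spec_allows(spec, argv) for spec, argv in cases]

if __name__ == "__main__":
    for (spec, argv), ok in zip(CASES, evaluate()):
        verdict = "ALLOW" if ok else "DENY "
        print(f"{verdict}  rule: {spec:34} run: {' '.join(argv)}")
```

The last case shows that a `*` in the argument list spans spaces, so a rule meant for one printer's requests also covers a command line naming another printer's request; listing exact argument strings, or pointing the rule at a root-owned wrapper script that validates its argument, keeps the rule to one printer. `sudo -l` lists the rules sudo will apply for the current user.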