HPE Community
Operating System - HP-UX
1836174 Members
2029 Online
110096 Solutions
New Discussion

Sudo

 
Noa Harel_2
Advisor

‎06-15-2003 03:22 AM

‎06-15-2003 03:22 AM

Sudo

Hi all
I Installed sudo and it works wonderfull.
I have one little problem.
I gave a user the option to "kill -9" processes. But he can only "kill -9" his own pids. Anyone knows the corrcet syntax for visudo to let him kill anything but root's pids?
Thank you.
Noa.
0 Kudos
Reply
8 REPLIES 8
Michael Steele_2
Honored Contributor

‎06-15-2003 04:40 AM

‎06-15-2003 04:40 AM

Re: Sudo

Is visudo displaying errors because it can't parse an entry in the sudoers file, what error?

You may need to set the 'stay_setuid' parameter in the sudoers file.

Are you using 'runas_spec'? Note this section:

operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT, /usr/oper/bin/
The operator user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory /usr/oper/bin.

...where the command set described above refers to alias' built within:

Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill

http://www.sudo.ws/sudo/man/sudoers.html#examples

http://www.sudo.ws/sudo/man/visudo.html
Support Fatherhood - Stop Family Law
0 Kudos
Reply
Noa Harel_2
Advisor

‎06-15-2003 05:48 AM

‎06-15-2003 05:48 AM

Re: Sudo

Hi,
Here is the file I'm using.
The kill command works - but only for the same user running it - I mean:
If my user is acadminhd and i'm running
ps -ef |grep acadminhd
and then
kill -9 $$ (where $$ is the pid I foubd on the "ps -ef") - it works.
BUT if my user is acadminhd and I run "ps -ef |grep
and then
kill -9 <$$ of another user> - it doesn't work. I get the "permission denied".

Help ((:
Noa
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎06-15-2003 04:09 PM

‎06-15-2003 04:09 PM

Re: Sudo

Hi Noa,

I would say use Runas_Alias and specify a group of users in it and then use it in declaring the kill command.

Runas_Alias VICTIMS = user1, user2, user3Cmnd_Alias KILLIT = /usr/bin/kill

...
user ALL = (VICTIMS) NOPASSWD: KILLIT


The User 'user' should be able to kill the processes as "VICTIMS" without supplying the password.

Look at the man page of "sudoers" for more information.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
dirk dierickx
Honored Contributor

‎06-15-2003 10:12 PM

‎06-15-2003 10:12 PM

Re: Sudo

perhaps you need to post your sudoers file, so that we can check if there is something wrong with it or not...
0 Kudos
Reply
Noa Harel_2
Advisor

‎06-15-2003 10:24 PM

‎06-15-2003 10:24 PM

Re: Sudo

I did publish the file.
look up.. (:
0 Kudos
Reply
Noa Harel_2
Advisor

‎06-15-2003 11:50 PM

‎06-15-2003 11:50 PM

Re: Sudo

The problem with using the "Victims" solution is that I need to put there up to 400 users.
Is there any way to use a group instead?
0 Kudos
Reply
James A. Donovan
Honored Contributor

‎06-16-2003 10:19 AM

‎06-16-2003 10:19 AM

Re: Sudo

Write a little wrapper script called "killany" and stick it someplace like /usr/local/sbin.
Add it to your sudoers file.

You can set the script logic to allow a kill -9 of any process if the owner is not root (or whatever)
Remember, wherever you go, there you are...
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎06-16-2003 10:41 AM

‎06-16-2003 10:41 AM

Re: Sudo

Sure. Specify a group instead of user1, user2 etc.,

Runas_Alias VICTIMS = %usergroup

user ALL = (VICTIMS) /usr/bin/kill

user%myhost>sudo -u user1 kill 12120

Where 12120 is the pid of the process run by user1 in the group 'usergroup'.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.