
Sudo

 
Noa Harel_2
Advisor

Sudo

Hi all
I installed sudo and it works wonderfully.
I have one little problem.
I gave a user the option to "kill -9" processes. But he can only "kill -9" his own pids. Does anyone know the correct syntax for visudo to let him kill anything but root's pids?
Thank you.
Noa.
8 REPLIES 8
Michael Steele_2
Honored Contributor

Re: Sudo

Is visudo displaying errors because it can't parse an entry in the sudoers file? What error?

You may need to set the 'stay_setuid' parameter in the sudoers file.

Are you using 'runas_spec'? Note this section:

operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT, /usr/oper/bin/
The operator user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory /usr/oper/bin.

...where the command set described above refers to aliases built within:

Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill

http://www.sudo.ws/sudo/man/sudoers.html#examples

http://www.sudo.ws/sudo/man/visudo.html
Support Fatherhood - Stop Family Law
Noa Harel_2
Advisor

Re: Sudo

Hi,
Here is the file I'm using.
The kill command works - but only for the same user running it - I mean:
If my user is acadminhd and I'm running
ps -ef |grep acadminhd
and then
kill -9 $$ (where $$ is the pid I found on the "ps -ef") - it works.
BUT if my user is acadminhd and I run "ps -ef |grep
and then
kill -9 <$$ of another user> - it doesn't work. I get the "permission denied".

Help ((:
Noa
Sridhar Bhaskarla
Honored Contributor

Re: Sudo

Hi Noa,

I would say use Runas_Alias and specify a group of users in it and then use it in declaring the kill command.

Runas_Alias VICTIMS = user1, user2, user3
Cmnd_Alias KILLIT = /usr/bin/kill

...
user ALL = (VICTIMS) NOPASSWD: KILLIT


The User 'user' should be able to kill the processes as "VICTIMS" without supplying the password.

Look at the man page of "sudoers" for more information.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
dirk dierickx
Honored Contributor

Re: Sudo

Perhaps you need to post your sudoers file, so that we can check if there is something wrong with it or not...
Noa Harel_2
Advisor

Re: Sudo

I did publish the file.
Look up.. (:
Noa Harel_2
Advisor

Re: Sudo

The problem with using the "Victims" solution is that I need to put there up to 400 users.
Is there any way to use a group instead?
James A. Donovan
Honored Contributor

Re: Sudo

Write a little wrapper script called "killany" and stick it someplace like /usr/local/sbin.
Add it to your sudoers file.

You can set the script logic to allow a kill -9 of any process if the owner is not root (or whatever)
Remember, wherever you go, there you are...
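
One way to write the wrapper suggested above (an added example, not code from any poster in this thread): it accepts only plain numeric PIDs and refuses any process owned by UID 0. The install path, the sudoers line in the comment, the function names and the use of `ps -o uid=` are assumptions.

```shell
#!/bin/sh
# killany - hypothetical wrapper; install root-owned, mode 0755, in /usr/local/sbin.
# Assumed sudoers entry:  acadminhd ALL = (root) /usr/local/sbin/killany
PATH=/usr/bin:/bin; export PATH   # do not trust the caller's PATH

# Print the effective UID owning PID $1, or nothing if it does not exist.
# Assumes a ps that accepts "-o uid= -p"; UNIX95 enables -o on HP-UX and is
# ignored elsewhere.
pid_uid() {
    UNIX95=1 ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
}

# 0 = may kill, 2 = bad argument, 3 = no such process, 4 = owned by root.
may_kill() {
    case "$1" in
        ''|*[!0-9]*)   # rejects -1, process groups, signal names, options
            echo "killany: '$1' is not a plain PID" >&2; return 2 ;;
    esac
    uid=$(pid_uid "$1")
    if [ -z "$uid" ]; then
        echo "killany: no process $1" >&2; return 3
    fi
    if [ "$uid" = 0 ]; then
        echo "killany: refusing, PID $1 belongs to root" >&2; return 4
    fi
    return 0
}

# Check every PID before signalling it. A PID could be reused between the
# check and the kill; the window is small but not zero.
killany() {
    status=0
    for pid in "$@"; do
        if may_kill "$pid"; then
            kill -9 "$pid" || status=1
        else
            status=1
        fi
    done
    return "$status"
}

# Act only when PIDs were given on the command line.
[ "$#" -eq 0 ] || killany "$@"
```

Because the wrapper runs as root, the sudoers entry should name only the script itself, and the script and its directory must not be writable by anyone but root.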
Sridhar Bhaskarla
Honored Contributor

Re: Sudo

Sure. Specify a group instead of user1, user2 etc.,

Runas_Alias VICTIMS = %usergroup

user ALL = (VICTIMS) /usr/bin/kill

user%myhost>sudo -u user1 kill 12120

Where 12120 is the pid of the process run by user1 in the group 'usergroup'.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try