HPE Community
Operating System - HP-UX
1823924 Members
3112 Online
109667 Solutions
New Discussion юеВ

sudo

 
SOLVED
Go to solution
A.G.M. Velthof
Valued Contributor

тАО11-29-2007 01:00 AM

тАО11-29-2007 01:00 AM

sudo

hello all,

does anyone have any experience with sudo and sudoers.
I want user1 to execute /usr/bin/command as user user2 without a password.
The entry in sudoersis:
user1 all = NOPASSWD user2: /usr/bin/command

It doesn't work. What is going wrong.

Regards, Alfons
0 Kudos
13 REPLIES 13
Dave Hutton
Honored Contributor

тАО11-29-2007 01:03 AM

тАО11-29-2007 01:03 AM

Re: sudo

Does it give you an error? or is it just prompting which obviously your trying to prevent?
0 Kudos
Victor BERRIDGE
Honored Contributor

тАО11-29-2007 01:15 AM

тАО11-29-2007 01:15 AM

Re: sudo

Greetings,

I dont understand you syntax...not sure what you want...

I would do:
user1 = (root) NOPASSWD:/usr/bin/su user2 -c usr/bin/command

Is that what you are trying to achieve?

All the best
Victor
0 Kudos
Victor BERRIDGE
Honored Contributor

тАО11-29-2007 01:33 AM

тАО11-29-2007 01:33 AM

Re: sudo

I hope you corrected:
missing ALL =...

I just tested:
e.g.
sas9 ALL = (root) NOPASSWD:/usr/bin/su vbe -c ksh
ant:/opt/sudo $ id
uid=601(sas9) gid=2(bin)
ant:/opt/sudo $ /usr/local/bin/sudo -l
User sas9 may run the following commands on this host:
(root) NOPASSWD: /usr/bin/su vbe -c ksh
ant:/opt/sudo $ sudo /usr/bin/su vbe -c ksh
ksh: sudo: not found
ant:/opt/sudo $ /usr/local/bin/sudo /usr/bin/su vbe -c ksh
ant:/opt/sudo $ id
uid=200(vbe) gid=2(bin)

All the best
Victor
(putting back sudoers in previous state...)
0 Kudos
Patrick Wallek
Honored Contributor

тАО11-29-2007 01:48 AM

тАО11-29-2007 01:48 AM

Re: sudo

You said:

The entry in sudoersis:
user1 all = NOPASSWD user2: /usr/bin/command


I think that is incorrect. Here is what I have in sudoers:

# Host Aliases
Host_Alias HR=systema,systemb

# User Aliases
User_Alias EDI=ediprod,editest

# Command Aliases
Cmnd_Alias COMMAND=/path/to/command
Cmnd_Alias COMMAND2=/path/to/command2

# User Privilege section
EDI HR=(user1) NOPASSWD: COMMAND, COMMAND2


The above will allow the users defined as EDI in the "User Aliase section" to run the commands defined as COMMAND and COMMAND2 on the systems defined as HR as user1 with no password required.
0 Kudos
A.G.M. Velthof
Valued Contributor

тАО11-29-2007 01:56 AM

тАО11-29-2007 01:56 AM

Re: sudo

I'm trying this:

user1 is not allowed in a specific directory, and user2 is.
So I have to allow user1 to run a script in that specific directory.

The entry in sudoers is now:
user1 ALL = (users2) NOPASSWD: /usr/bin/ls

After executing:
/usr/local/bin/sudo -u user2 -s /usr/bin/ls
I get the error:
naxora: sudo: user1: command not allowed; TTY=ttyp3; PWD=/FP01/mto USER=user2; COMMAND=/usr/bin/ksh /usr/bin/ls

Thanks.
0 Kudos
Victor BERRIDGE
Honored Contributor

тАО11-29-2007 02:05 AM

тАО11-29-2007 02:05 AM

Re: sudo

That is why I proposed my syntax...
You have to be user2 first to be abe to access the directory...
and so:
user1 ALL = (root) NOPASSWD:/usr/bin/su user2 -c
0 Kudos
A.G.M. Velthof
Valued Contributor

тАО11-29-2007 02:22 AM

тАО11-29-2007 02:22 AM

Re: sudo

Patrick,

I created the file the way You did.
When I do a sudo -l everything is ok.

when I do a:
EDI HR=(user1) NOPASSWD: COMMAND, COMMAND2

I get an error syntax error at line 1 '(' unexpected.
0 Kudos
Patrick Wallek
Honored Contributor

тАО11-29-2007 02:29 AM

тАО11-29-2007 02:29 AM

Solution

Re: sudo


when I do a:
EDI HR=(user1) NOPASSWD: COMMAND, COMMAND2


Where are you doing that? Are you trying to run that from a command prompt? If so, that will definitely not work. That line is part of the sudoers file.

With my configuration in place, an edi user can do a:

$ sudo /path/to/command

and it will run as the user user1 and not request a password.

Have a read through the 'sudoers' man page as a LOT of this is explained pretty well.
0 Kudos
A.G.M. Velthof
Valued Contributor

тАО11-29-2007 02:34 AM

тАО11-29-2007 02:34 AM

Re: sudo

Patrick,

no, I was not running that from the command prompt. I was the entry in the sudoers file.

From the command prompt as user "user1" I ran:
/usr/local/bin/sudo -u user2 -s /usr/bin/ls
0 Kudos
A.G.M. Velthof
Valued Contributor

тАО11-29-2007 02:39 AM

тАО11-29-2007 02:39 AM

Re: sudo

Victor,

I have Your solution working. Thanks.
I thought Patricks solution should work as well.
So I will give that another shot.

Thanks
0 Kudos
Victor BERRIDGE
Honored Contributor

тАО11-29-2007 02:44 AM

тАО11-29-2007 02:44 AM

Re: sudo

Hi again,
Patrick solution works also, it is equivalent to aliases...

IN Your command line is -s a display artefact or is that you mistake (should be -c)
as user1 what does sudo -l give you?
0 Kudos
A.G.M. Velthof
Valued Contributor

тАО11-29-2007 02:48 AM

тАО11-29-2007 02:48 AM

Re: sudo

Victor,

You are correct it should be -c

Thanks to all of You, I will close the thread

Regards, Alfons
0 Kudos
A.G.M. Velthof
Valued Contributor

тАО11-29-2007 02:51 AM

тАО11-29-2007 02:51 AM

Re: sudo

closed
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.