HPE Community
Operating System - HP-UX
1826723 Members
2647 Online
109702 Solutions
New Discussion

Re: Sudoers file

 
ozas
Advisor

‎01-21-2011 07:20 AM

‎01-21-2011 07:20 AM

Sudoers file

Hi,

Please just a quick one. Does any one know how I can restrict users from being able to switch to root in sudoers file??
Presently the users are defined in the sudoers file and could switch to another user without password but I do not want them to be able to switch to root.
0 Kudos
Reply
13 REPLIES 13
Patrick Wallek
Honored Contributor

‎01-21-2011 07:35 AM

‎01-21-2011 07:35 AM

Re: Sudoers file

Use a command alias like this:

Cmnd_Alias SU=!/usr/bin/su â , !/usr/bin/su *root*

Add this to each user and they should not be able to su to root.
0 Kudos
Reply
ozas
Advisor

‎01-21-2011 08:01 AM

‎01-21-2011 08:01 AM

Re: Sudoers file

I have tried that before it did not work.
See below my sudoers file, maybe I need to change anything.

This is the sudoers file:

# User_Alias

User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe,r032ahe

User_Alias SUPPORT = d060ahe,h070ahe,s029ahe

#User privilege specification
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=(ALL) NOPASSWD: ALL
WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin

What I want is that the users in WAS should not be ble to switch to root,
but they should be able to switch to user "wasdevadmin".
Only users in SUPPORT should be able to switch to root.
0 Kudos
Reply
Jeff_Traigle
Honored Contributor

‎01-21-2011 08:14 AM

‎01-21-2011 08:14 AM

Re: Sudoers file

> WAS ALL=(ALL) NOPASSWD: ALL
> WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin


The first line is saying to allow the WAS users to run any command on any host as any user. The second line is redundantly saying to allow WAS users to run the su commands specified on all hosts as root. You don't have anything restricting them from running su to root as a previous post stated to do.
--
Jeff Traigle
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎01-21-2011 08:15 AM

‎01-21-2011 08:15 AM

Re: Sudoers file

What about the following:

WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin

You also have 2 lines for WAS. I don't remember which will take priority, but the 2 may be conflicting.

What happens if you comment out the first WAS line?
0 Kudos
Reply
ofure
Occasional Advisor

‎01-21-2011 09:18 AM

‎01-21-2011 09:18 AM

Re: Sudoers file

Thanks for your prompt reply. This has partly resolved the issue. At least users in WAS cannot su to root again but now the WAS cannot switch to wasdevadmin user.
I want a situation where they can switch to wasdevadmin without been prompted for a password.

Regards

0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎01-21-2011 09:52 AM

‎01-21-2011 09:52 AM

Re: Sudoers file

What does your sudoers file look like now?
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎01-21-2011 01:06 PM

‎01-21-2011 01:06 PM

Re: Sudoers file

> I want a situation where they [= the users in sudo group WAS] can switch to wasdevadmin without been prompted for a password.

You need this line in your sudoers file:

WAS ALL=(wasdevadmin) NOPASSWD: ALL

Then tell your users to use the sudo command like this:

sudo -H -u wasdevadmin -i
(to run a shell as wasdevadmin; equivalent to "sudo su - wasdevadmin")

...or like this:

sudo -H -u wasdevadmin
(to run as wasdevadmin and then continue the session as themselves)

MK
MK
0 Kudos
Reply
ofure
Occasional Advisor

‎01-22-2011 03:41 AM

‎01-22-2011 03:41 AM

Re: Sudoers file

Below is how my sudoers file now look:

User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe

User_Alias SUPPORT = d060ahe,h070ahe,s029ahe
#User privilege specification
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
WAS ALL=(wasdevadmin) NOPASSWD: ALL

But the users in WAS still cannot switch to wasdevadmin account. I want the users in WAS to be able to do this without prompting for password. Thanks.
Regards.
0 Kudos
Reply
INH
Regular Advisor

‎01-22-2011 08:54 PM

‎01-22-2011 08:54 PM

Re: Sudoers file

Remove the user name you dont wantthem to do sudo to root in sudoers file

if you have to grant specfic access you can grant in sudoers file for required users. by defining user alis, command alias and host alias for those users


Regards,
INH
Knowledge is power
0 Kudos
Reply
ofure
Occasional Advisor

‎01-24-2011 03:13 AM

‎01-24-2011 03:13 AM

Re: Sudoers file

The challenge I have now is that I want the users in WAS to be able to switch to the account wasdevadmin without prompting for password.
I have tried this below but did not work.

WAS ALL=(wasdevadmin) NOPASSWD: ALL

Regards,
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎01-24-2011 07:49 AM

‎01-24-2011 07:49 AM

Re: Sudoers file

> WAS ALL=(wasdevadmin) NOPASSWD: ALL

When you use this sudoers line, your user *must* use "sudo -u wasdevadmin -i" or similar sudo command to become wasdevadmin. The "-H" option is optional, but probably in line with the user's expectations.

With this sudoers line, a command like "sudo su wasdevadmin" or "sudo su - wasdevadmin" will *not* work. This is because these commands first use sudo to become root, then use su to become the target user. Sudo can do it in one step - but it requires that the user uses the correct syntax.

MK
MK
0 Kudos
Reply
ofure
Occasional Advisor

‎02-17-2011 02:37 AM

‎02-17-2011 02:37 AM

Re: Sudoers file

Hi All,

When I type this:
sudo -u wasdevadmin -i
it works without prompting me for password but it is a long command. I want to be able to type
su - wasdevadmin and for it to call up
sudo -u wasdevadmin -i

Presently, I have this configuration:

#cd /bin
# ls -l su*
root root 45 Feb 16 17:17 su
root root 28336 Oct 30 2008 su.original

# cat su
sudo su.original $@

So presently when I type su -, it call up sudo su.original, which works fine for my switching to root access.
How can I also have:
"sudo -u wasdevadmin -i" equal to "su - wasdevadmin"

Thanks.

0 Kudos
Reply
ofure
Occasional Advisor

‎02-17-2011 04:24 AM

‎02-17-2011 04:24 AM

Re: Sudoers file

I have resolved this by creating an alias for wasdevadmin.

Thanks all.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.