
user with full read priv

Rasheed Tamton
Honored Contributor

user with full read priv

Hi,

I just got a quick question from a friend about creating a user on an HP 11.0 box who can read all the files in the system, including the files owned and read only by root,
e.g., the history file:
-r-------- 1 root root 11257 Nov 5 10:54 /.sh_history


Is it possible with sudo or sam -r? Or is there any other way to achieve it? Or is it not a workable idea?

Please advise.
Thanks
Rasheed.
U.SivaKumar_2
Honored Contributor

Re: user with full read priv

Hi,

You can use su or sudo to switch to root privilege at the times you require it. For su you require the root password.

Another crude idea is to create a user with UID and GID as 0 ( edit /etc/passwd file as root).

And for any of the methods you require root's delegation consent/help initially, unless you hack the system ;-) .

regards,

U.SivaKumar.


Innovations are made when conventions are broken
Rasheed Tamton
Honored Contributor

Re: user with full read priv

Thanks Siva.

Sorry, maybe my question was not clear enough.

I want this user to ONLY READ every file on the system, the same as a superuser can do, but with NO WRITE privilege to any of the superuser's files.

Rasheed.
DGH_2
Valued Contributor

Re: user with full read priv

Hi,
This can be done by sudo.
Download the software and edit the /etc/sudoers file (remember, edit it with "visudo") to give the user access to root commands.
Attached is an example of the sudoers file.
Remember to be superuser to give access to this file.
If you need more help, please ask.
Regards
DGH
Zigor Buruaga
Esteemed Contributor

Re: user with full read priv

Hi,

I have not tested, but maybe using "sudo" to run the "cat" command as root ...

Kind regards,
Zigor
Rasheed Tamton
Honored Contributor

Re: user with full read priv

Hi,

Sudo is already setup on the system. But I just would like to know the correct commands (or sequence of commands) to achieve this on the sudoers file. If anyone can advise, I would appreciate it.

Thank you
Rasheed.
DGH_2
Valued Contributor

Re: user with full read priv

Can you tell me what version of sudo you have?

DGH
U.SivaKumar_2
Honored Contributor

Re: user with full read priv

Hi,

Edit /etc/sudoers

rasheed ALL = /usr/bin/more
rasheed ALL = /usr/bin/cat

Now log in as `rasheed`:

$ sudo more /.sh_history

regards,

U.SivaKumar


Innovations are made when conventions are broken
Rasheed Tamton
Honored Contributor

Re: user with full read priv


Sudo version 1.6.3p

Rgds.
Rasheed.
U.SivaKumar_2
Honored Contributor
Solution

Re: user with full read priv

Hi ,

Edit /etc/sudoers

rasheed ALL=NOPASSWD: /usr/bin/cat,/usr/bin/more,/usr/bin/tail

regards,

U.SivaKumar


Innovations are made when conventions are broken
DGH_2
Valued Contributor

Re: user with full read priv

Hi,
1- go to /usr/local/sbin and type
# ./visudo

This will open the sudoers file to edit it.
And this is an example of the file:

# User privilege specification
root ALL=(ALL) ALL
user ALL=(ALL) ALL


# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
user ALL=(ALL) NOPASSWD: ALL

2- change the permissions on the file /usr/local/bin/sudo.
---S--x--x 1 root root 114688 Oct 15 13:58 sudo

3- edit the .profile of the user and add :/usr/local/bin to the PATH

4- login with the user.
5- if you want to read the history file, type:
# sudo /.sh_history


Regards
DGH_2
Valued Contributor

Re: user with full read priv

Sorry the last command should be
# sudo more /.sh_history


DGH
Thayanidhi
Honored Contributor

Re: user with full read priv

Hi,

There is another workaround without using "sudo".

Copy the cat command to another name.

#cp /usr/bin/cat /usr/bin/new_cat

Set the setuid bit on this executable.

#chmod u+s /usr/bin/new_cat

From the user login, if you try

$/usr/bin/new_cat

the user can read any file.

i.e. the cat process will run as the root user.

Warning: Any user knowing this command can use this, and it will be a security problem.

TT
Attitude (not aptitude) determines altitude.
hein coulier
Frequent Advisor

Re: user with full read priv

It is a bad idea to add 'more' to the sudoers file since you can execute commands via 'more' (e.g. !ll).

I'd go for the cat command.
hein coulier
Frequent Advisor

Re: user with full read priv

If you need to peek at a large file, you can use (sudo cat $file)|more
Rasheed Tamton
Honored Contributor

Re: user with full read priv

Thanks all again. I was too busy to test it out. The one from Siva really works. But the problem is, when I tested it after seeing Hein Coulier's suggestion about !ll, I tested it with a shell from the more screen.

What I did as the sudo user:

sudo more /.rootsfile

Then I got the rootsfile on my screen. But when I did :sh from the more screen I got the shell as expected. But when I typed whoami -- alas, it is root!

So this is what I really do not want to happen at all. So there might be a little more tuning required in the sudoers file. Can anyone look into it?

Thank you
Rasheed.
Zigor Buruaga
Esteemed Contributor

Re: user with full read priv

Hi,

Try using the "pg" command, not "more". It has the "-r" option:
" ...-r Restricted mode. The shell escape is disallowed.
pg will print an error message but does not exit."

HTH
Kind regards,
Zigor
Elmar P. Kolkman
Honored Contributor

Re: user with full read priv

Another way to disable things like the shell escape from more would be to use a wrapper that sets the SHELL variable (which is used to run scripts) to /bin/false or even an empty value. This way those commands fail to run any shell routines.
Every problem has at least one solution. Only some solutions are harder to find.
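Hein's pipe (only cat runs privileged, the pager runs as the caller) and Elmar's SHELL=/bin/false wrapper can be combined into one small script that is the sole command granted in sudoers. The following is an added example written for this thread, not code from any poster; the script name /usr/local/sbin/rocat and the sudoers line in its comments are assumptions.

```sh
#!/bin/sh
# rocat: read-only viewer meant to be the ONLY command granted in sudoers, e.g.
#   rasheed ALL=NOPASSWD: /usr/local/sbin/rocat
# Hypothetical wrapper written for this thread, not from any poster.
# The privileged step does nothing but read; paging happens afterwards in the
# caller's own, unprivileged shell:
#   $ sudo /usr/local/sbin/rocat /.sh_history | more
# so a ":sh" or "!cmd" escape from more yields only the caller's own shell.

PATH=/usr/bin:/bin; export PATH   # do not trust the caller's PATH

# Copy exactly one regular file to stdout. Returns 0 on success, 1 on refusal.
rocat() {
    # Exactly one operand, and never anything that looks like an option.
    [ $# -eq 1 ] || { echo "usage: rocat FILE" >&2; return 1; }
    case $1 in
        -*) echo "rocat: options are not accepted" >&2; return 1 ;;
    esac
    # Regular files only: no devices, FIFOs, directories or symbolic links,
    # so the grant cannot be used to hang on a device or to follow a link
    # planted in a world-writable directory.
    if [ -L "$1" ]; then
        echo "rocat: refusing symbolic link: $1" >&2; return 1
    fi
    if [ ! -f "$1" ]; then
        echo "rocat: not a regular file: $1" >&2; return 1
    fi
    # Input arrives via redirection, so cat parses no arguments at all.
    # SHELL=/bin/false is Elmar's safeguard: harmless for cat, and it disables
    # the shell escape should the command ever be swapped for a pager.
    SHELL=/bin/false cat < "$1"
}
```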
Rasheed Tamton
Honored Contributor

Re: user with full read priv

Is there any other solution? Please advise.

Thanks
Rasheed.