HPE Community
Operating System - HP-UX
1834915 Members
2654 Online
110071 Solutions
New Discussion

Using Sudo with changing commandline "su root -c $commandline"

 
SOLVED
Go to solution
Roderick Derks
Frequent Advisor

‎02-13-2006 12:08 AM

‎02-13-2006 12:08 AM

Using Sudo with changing commandline "su root -c $commandline"

Hello,

Got this little problem to be solved:

Application X has an own adduser.sh script in which new users are being created.
In this script the command "su root -c $commandline" is being used.

Problem is that a regular user (application manager) now needs the root password to execute this command. I don't want to give the root password to this regular user. I want to seperate the system admin and the application admin completely.

I thought off using SUDO. But the problem is that the "$commandline" changes everytime. So It's not a fixed command that I can add to the list with "visudo"

Has anyone got an idea?

System:
Unix HP-UX B.11.11 U 9000/800
0 Kudos
6 REPLIES 6
Steven E. Protter
Exalted Contributor

‎02-13-2006 12:16 AM

‎02-13-2006 12:16 AM

Re: Using Sudo with changing commandline "su root -c $commandline"

Shalom Roderick,

Suggestion: create a control script that has sudo privileges.

That script can be permitted to accept certain command lintes. If not carefully crafted, this creates a security hole.

You must limit the command line via some mechanism.

Its not outside the world of possibilities to grant sudo priviledges to the command that the adduser.sh script calls. Perhaps go through it and look for a safe candidate for sudo.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Roderick Derks
Frequent Advisor

‎02-13-2006 12:29 AM

‎02-13-2006 12:29 AM

Re: Using Sudo with changing commandline "su root -c $commandline"

Hola!

Let me see if I understand this correctly:
create a script with all possibilities that the "$commandline" can have?

That should be a problem because the $commandline contains 5 variables, including a username. The username changes everytime, hundreds of users are being created.

Maybe it is possible to make a script that adds the "su root -c $command" to the sudo list using visudo, and removes it afterwards. But that would be a somewhat ridiculous way to compensate for the lack of security in the application.
0 Kudos
Ivan Ferreira
Honored Contributor

‎02-13-2006 02:09 AM

‎02-13-2006 02:09 AM

Solution

Re: Using Sudo with changing commandline "su root -c $commandline"

Ho Roderick:

What is the problem of granting to the user the executing of the script without parameters?

If your script is called /usr/local/sbin/myscript.sh, and you grant the execution of that script, it does not matters the parameters passed to the script. You can control what parameters can't be passed for example or fine tune. So, in your script, instead of "su root -c $cmdline" you will have "sudo /usr/local/sbin/myscript.sh $cmdline". If myscript.sh is allowed in sudoers, this will run without problems.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Devender Khatana
Honored Contributor

‎02-13-2006 06:50 PM

‎02-13-2006 06:50 PM

Re: Using Sudo with changing commandline "su root -c $commandline"

Hi,

In my place we have sudo configured where it do not consider arguments. In such a scenario I think there will be problems in giving su permissions to users.

A user allowed to do "sudo su - user" can easily do "sudo su - root" and then whatever he wants. Even if this is not the case check this out before finally giving it to users.

BTW, we have sudo for some other commands where arguments do not matter much.

HTH,
Devender
Impossible itself mentions "I m possible"
0 Kudos
Muthukumar_5
Honored Contributor

‎02-13-2006 06:57 PM

‎02-13-2006 06:57 PM

Re: Using Sudo with changing commandline "su root -c $commandline"

Is $commandline script to create user only? or you will change the command as useradd / userdel like that?

If you are going to use specific utility of useradd then you can add useradd command to get access for execution as root.

Put that in a script and execute it as $commandline.

or setup r* commands setup with .rhosts file to that regular user and root user.

--
Muthu
Easy to suggest when don't know about the problem!
0 Kudos
Roderick Derks
Frequent Advisor

‎02-24-2006 12:26 AM

‎02-24-2006 12:26 AM

Re: Using Sudo with changing commandline "su root -c $commandline"

Thanks everyone for your ideas. Got it working.

#visudo
username ALL= NOPASSWD: /usr/bin/su *

In the applicationscript I added the sudo command at beginning of the command line.

So you get:
sudo -u root adduser username homedir etc.

Think this will also work, got to to test it:
#visudo
username ALL= NOPASSWD: /usr/bin/su *adduser*
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.