HPE Community
Operating System - HP-UX
1752434 Members
5867 Online
108788 Solutions
New Discussion юеВ

I need to give access to some root command to non-root user - SUDO Configuration

 
SOLVED
Go to solution
Narendra Uttekar
Regular Advisor

тАО09-19-2010 08:51 PM

тАО09-19-2010 08:51 PM

I need to give access to some root command to non-root user - SUDO Configuration

Hi,
I need to give access to some root command i.e. cancel command to cancel only specific job or all jobs in HP-UX print queue to non-root user. I know this can be done through SUDO Configuration.
But please can someone let me know how to do this SUDO configuration i.e. which are the files i need to edit, where i need to give the access to non-root user and where i need to provide the list of the root command so that non-root user can execute.

Thanks,
Narendra
0 Kudos
9 REPLIES 9
Hakki Aydin Ucar
Honored Contributor

тАО09-19-2010 09:51 PM

тАО09-19-2010 09:51 PM

Solution

Re: I need to give access to some root command to non-root user - SUDO Configuration

Hi,
do you know this link:
http://www.sudo.ws/

and check also this:
http://docs.hp.com/en/B3921-60631/pt02.html
0 Kudos
Horia Chirculescu
Honored Contributor

тАО09-19-2010 10:27 PM

тАО09-19-2010 10:27 PM

Re: I need to give access to some root command to non-root user - SUDO Configuration

Hello,
Here you can find the commands used to manage printers:

http://docs.hp.com/en/B2355-90950/ch07s01.html

Please read first the document concerning "Planning Printer Configuration":

http://docs.hp.com/en/B2355-90950/ch02s07.html

Best regards,
Horia.
Best regards from Romania,
Horia.
0 Kudos
Horia Chirculescu
Honored Contributor

тАО09-19-2010 11:15 PM

тАО09-19-2010 11:15 PM

Re: I need to give access to some root command to non-root user - SUDO Configuration

From man sam, we can find that there is an option called:

----------------

Restricted SAM
SAM can be configured to provide a subset of its functionality to
certain users or groups of users. It can also be used to build a
template file for assigning SAM access restrictions on multiple
systems. This is done through the Restricted SAM Builder. System
administrators access the Restricted SAM Builder by invoking SAM with
the -r option (see "Options" above). In the Builder, system
administrators may assign subsets of SAM functionality on a per-user
or per-group basis. Once set up, the -f option (see "Options" above)
can then be used by system administrators to verify that the
appropriate SAM functional areas, and only those areas, are available
to the specified user.

A nonroot user that has been given Restricted SAM privileges simply
executes /usr/sbin/sam and sees only those areas the user is
privileged to access. For security reasons, the "List" and "Shell
Escape" choices are not provided. (Note that some SAM functional
areas require the user to be promoted to root in order to execute
successfully. SAM does this automatically as needed.)

SAM provides a default set of SAM functional areas that the system
administrator can assign to other users. Of course, system
administrators are able to assign custom lists of SAM functional areas
to users as necessary.

----------------

You could use this to assign the desired rights to your non-root user.

Horia.
Best regards from Romania,
Horia.
0 Kudos
Bijeesh
Respected Contributor

тАО09-19-2010 11:25 PM

тАО09-19-2010 11:25 PM

Re: I need to give access to some root command to non-root user - SUDO Configuration

Hi,
Hope sudo is installed in your system.
Add the entry in your sudo configuration file.

#visudo

username /usr/bin/cancel

Hope this work.




0 Kudos
Narendra Uttekar
Regular Advisor

тАО09-20-2010 05:15 AM

тАО09-20-2010 05:15 AM

Re: I need to give access to some root command to non-root user - SUDO Configuration

Hi,
I have made the entries in sudoers configuration file as below for one user to have access only one command i.e. cancel. Please let me know whether this configuration is fine or do i need to change. As this configuration is working fine just want to confirm. And also want to make sure installing sudo software is not having any system risk.


# User alias specification
User_Alias USER1=xyzuser

# Cmnd alias specification
Cmnd_Alias COMMAND1=/usr/bin/cancel

# User privilege specification
root ALL=(ALL) ALL
USER1 ALL=NOPASSWD:COMMAND1

Thanks,
Narendra
0 Kudos
Horia Chirculescu
Honored Contributor

тАО09-20-2010 11:23 PM

тАО09-20-2010 11:23 PM

Re: I need to give access to some root command to non-root user - SUDO Configuration

Do not forget about

Defaults requiretty

To force running sudo only when the user is logged in to a real tty.

If you have a script or cronjob that will do the user's job, you have to unset this flag.


For other considerations/flags, see

http://www.sudo.ws/sudo/sudoers.man.html

Best regards
Horia.
Best regards from Romania,
Horia.
0 Kudos
nightwich
Valued Contributor

тАО09-21-2010 02:38 AM

тАО09-21-2010 02:38 AM

Re: I need to give access to some root command to non-root user - SUDO Configuration

Hi Narendra


One alternative to sudo is to use RBAC.


If you want take a try:

HP-UX Role-Based Access Control (RBAC)


Regards.
0 Kudos
prajul.keeriyat
Occasional Advisor

тАО09-22-2010 12:48 PM

тАО09-22-2010 12:48 PM

Re: I need to give access to some root command to non-root user - SUDO Configuration

Hi,

You have to edit sudo conf. file and put an entry in # Cmnd alias specification with full path of cmd.(usr/bin/cancel)

Thanks,
Praju







0 Kudos
Narendra Uttekar
Regular Advisor

тАО10-14-2010 11:30 PM

тАО10-14-2010 11:30 PM

Re: I need to give access to some root command to non-root user - SUDO Configuration

Thanks for the solution.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.