- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: Sudoers file
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2011 07:20 AM
тАО01-21-2011 07:20 AM
Sudoers file
Please just a quick one. Does any one know how I can restrict users from being able to switch to root in sudoers file??
Presently the users are defined in the sudoers file and could switch to another user without password but I do not want them to be able to switch to root.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2011 07:35 AM
тАО01-21-2011 07:35 AM
Re: Sudoers file
Cmnd_Alias SU=!/usr/bin/su ├в , !/usr/bin/su *root*
Add this to each user and they should not be able to su to root.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2011 08:01 AM
тАО01-21-2011 08:01 AM
Re: Sudoers file
See below my sudoers file, maybe I need to change anything.
This is the sudoers file:
# User_Alias
User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe,r032ahe
User_Alias SUPPORT = d060ahe,h070ahe,s029ahe
#User privilege specification
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=(ALL) NOPASSWD: ALL
WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
What I want is that the users in WAS should not be ble to switch to root,
but they should be able to switch to user "wasdevadmin".
Only users in SUPPORT should be able to switch to root.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2011 08:14 AM
тАО01-21-2011 08:14 AM
Re: Sudoers file
> WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
The first line is saying to allow the WAS users to run any command on any host as any user. The second line is redundantly saying to allow WAS users to run the su commands specified on all hosts as root. You don't have anything restricting them from running su to root as a previous post stated to do.
Jeff Traigle
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2011 08:15 AM
тАО01-21-2011 08:15 AM
Re: Sudoers file
WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
You also have 2 lines for WAS. I don't remember which will take priority, but the 2 may be conflicting.
What happens if you comment out the first WAS line?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2011 09:18 AM
тАО01-21-2011 09:18 AM
Re: Sudoers file
I want a situation where they can switch to wasdevadmin without been prompted for a password.
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2011 09:52 AM
тАО01-21-2011 09:52 AM
Re: Sudoers file
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2011 01:06 PM
тАО01-21-2011 01:06 PM
Re: Sudoers file
You need this line in your sudoers file:
WAS ALL=(wasdevadmin) NOPASSWD: ALL
Then tell your users to use the sudo command like this:
sudo -H -u wasdevadmin -i
(to run a shell as wasdevadmin; equivalent to "sudo su - wasdevadmin")
...or like this:
sudo -H -u wasdevadmin
(to run
MK
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-22-2011 03:41 AM
тАО01-22-2011 03:41 AM
Re: Sudoers file
User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe
User_Alias SUPPORT = d060ahe,h070ahe,s029ahe
#User privilege specification
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
WAS ALL=(wasdevadmin) NOPASSWD: ALL
But the users in WAS still cannot switch to wasdevadmin account. I want the users in WAS to be able to do this without prompting for password. Thanks.
Regards.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-22-2011 08:54 PM
тАО01-22-2011 08:54 PM
Re: Sudoers file
if you have to grant specfic access you can grant in sudoers file for required users. by defining user alis, command alias and host alias for those users
Regards,
INH