Solaris The Solaris Operating System, usually known simply as Solaris, is a Unix-based operating system introduced by Sun Microsystems. The Solaris OS is now owned by Oracle.

Sudo help needed

#1  willyb, 12-07-2016

Hello,
I have a wrapper script that I am trying to build/execute, which has two different sub-scripts, which run as two separate users.
The purpose is to mask the contents of the script and allow the user to execute utlrp.sql, which requires SYS-level privileges to execute.

User FORD logs in and executes the wrapper script, wrapper.sh.
The wrapper script presents its content in menu format. Here is what wrapper.sh presents:
  1. execute one.sql
  2. execute two.sql and three.sql
  3. execute three.sql

A. one.sql
   requires no specific credentials
B. two.sql
   REQUIRES FORD credentials to execute;
   has a login ID check at the beginning and kicks you out if you aren't the FORD user.
   three.sql
   requires "ORACLE" credentials to log in and execute utlrp.sql, which requires logging in as SYS for execution.
C. three.sql
   Same as above, but only runs the utlrp.sql script.


So I edited sudoers (via visudo) to implement the necessary privileges (the two FORD lines at the end, which were shown in red).


Code:
## Runas alias
Runas_Alias     DB = oracle
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /usr/local/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /usr/local/etc/sudoers.d
FORD ALL = (ALL) NOPASSWD: /export/home/oracle/wrapper.sh
FORD ALL = (DB) NOPASSWD: /oracle/12c/bin/sqlplus

(I have also tried the second entry NOT using the Runas_Alias, with exactly the same results.)
 
If I execute a sudo -l from the command line, it shows:

Code:
$ sudo -l
User ford may run the following commands on falcon:
    (ALL) NOPASSWD: /export/home/oracle/wrapper.sh
    (oracle) NOPASSWD: /oracle/12c/bin/sqlplus

Here is where I'm stuck. From my understanding, for the user to execute this via the sudo functionality, the main wrapper command would be executed as such:
sudo wrapper.sh. It prompts me for the menu as desired. When I choose A, it doesn't see user FORD... and kicks me out.
When I choose B or C, it works fine. It executes the second one fine, and logs in as sys executing the utlrp.sql.

So my question is this: Is there a way to configure the sudo setup so that user FORD executes the wrapper, passes user FORD to menu item A, but only passes itself as the ORACLE user to menu items B or C, for the sake of sqlplus as sys?

Thanks.

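The two FORD rules in the post above, run through an added audit script. This is an editor's example for the thread, not the original poster's code and not part of sudo. It flags the two things a reviewer would object to in that sudoers: the root rule points at a script inside the oracle user's home directory, so whoever can write /export/home/oracle/wrapper.sh can run anything as root; and the sqlplus rule carries no argument restriction (in sudoers a bare path matches any arguments), while sqlplus has a HOST command that spawns a shell, so ford already has an interactive shell as oracle regardless of what the menu does. The ESCAPE_BINS list and the rule strings are constructed for illustration; the file checks run against whatever paths the rules name, so on the poster's box the script needs to run where those files exist.

```shell
#!/bin/sh
# audit_sudoers.sh: check a sudoers command rule for the two problems visible
# in the rules posted above. Added example for this thread; not the original
# poster's script and not part of sudo. The rule text, file names and the
# ESCAPE_BINS list are constructed assumptions for illustration.
#
#  1. The file a rule points at must be root-owned and not group/world
#     writable; otherwise whoever can edit it (here the oracle user, whose
#     home directory holds wrapper.sh) gets the rule's privilege, i.e. root.
#  2. A program with a built-in shell escape (sqlplus has HOST) granted with
#     no argument restriction (a bare path matches any arguments) is an
#     interactive shell as the target user, whatever the menu intended.

ESCAPE_BINS="sqlplus vi vim less more man sh bash"   # assumed, not exhaustive

# perm_owner_verdict MODE OWNER: MODE is an ls -l style string (-rwxr-xr-x).
# Prints "ok" or "unsafe: <reason>"; returns 1 on a problem.
perm_owner_verdict() {
    mode=$1; owner=$2
    if [ "$owner" != root ]; then
        printf 'unsafe: owned by %s, not root\n' "$owner"
        return 1
    fi
    # characters 6 and 9 of the mode string are the group and other write bits
    if [ "$(printf '%s' "$mode" | cut -c6)" = w ] ||
       [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
        printf 'unsafe: group/world writable (%s)\n' "$mode"
        return 1
    fi
    printf 'ok\n'
}

# sudo_target_safe PATH: apply perm_owner_verdict to a real file, following
# symlinks since sudo executes whatever the link resolves to.
sudo_target_safe() {
    info=$(ls -ldL "$1" 2>/dev/null) || {
        printf 'unsafe: %s not found\n' "$1"
        return 1
    }
    set -- $info              # mode links owner group size date... name
    perm_owner_verdict "$1" "$3"
}

# rule_command LINE: the command spec (program plus any argument list) of a
# sudoers user specification such as
#   ford ALL = (oracle) NOPASSWD: /oracle/12c/bin/sqlplus
rule_command() {
    rule=$1
    case $rule in
        *\)*) spec=$(printf '%s' "$rule" | sed 's/^[^)]*)[[:space:]]*//') ;;
        *)    spec=$(printf '%s' "$rule" | sed 's/^[^=]*=[[:space:]]*//') ;;
    esac
    # strip tags such as NOPASSWD: or SETENV: (an uppercase word and a colon)
    while case $spec in [A-Z]*:*) true ;; *) false ;; esac; do
        spec=$(printf '%s' "${spec#*:}" | sed 's/^[[:space:]]*//')
    done
    printf '%s\n' "$spec"
}

# audit_rule LINE: print one finding per line; return 1 if anything is unsafe.
audit_rule() {
    spec=$(rule_command "$1")
    prog=${spec%% *}            # first word
    args=${spec#"$prog"}        # whatever follows it (empty: any args allowed)
    base=${prog##*/}
    status=0
    case $prog in
        /*) ;;
        *)  printf 'unsafe: command %s is not an absolute path\n' "$prog"
            status=1 ;;
    esac
    for b in $ESCAPE_BINS; do
        if [ "$b" = "$base" ] && [ -z "$args" ]; then
            printf 'unsafe: %s has a shell escape and its arguments are unrestricted\n' "$base"
            status=1
        fi
    done
    verdict=$(sudo_target_safe "$prog") || {
        printf '%s\n' "$verdict"
        status=1
    }
    [ "$status" -eq 0 ] && printf 'ok: %s\n' "$spec"
    return "$status"
}

# Demo on the two rules from the thread. On a box without those files the
# file check reports "not found"; run it where they exist.
for r in 'FORD ALL = (ALL) NOPASSWD: /export/home/oracle/wrapper.sh' \
         'FORD ALL = (DB) NOPASSWD: /oracle/12c/bin/sqlplus'; do
    printf '%s\n' "$r"
    audit_rule "$r" | sed 's/^/    /'
done
```

Run it with `sh audit_sudoers.sh` on the host; to audit a whole sudoers file, feed each user specification line to audit_rule. A rule that must forbid arguments is written with an explicit empty string (`/path/to/cmd ""`), which the script treats as a restriction.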
#2  Corona688 (Forum Staff), 12-07-2016
To keep the forums high quality for all users, please take the time to format your posts correctly.

First of all, use Code Tags when you post any code or data samples so others can easily read your code. You can easily do this by highlighting your code and then clicking on the # in the editing menu. (You can also type code tags [code] and [/code] by hand.)



Second, avoid adding color or different fonts and font size to your posts. Selective use of color to highlight a single word or phrase can be useful at times, but using color, in general, makes the forums harder to read, especially bright colors like red.

Third, be careful when you cut-and-paste, edit any odd characters and make sure all links are working properly.

Thank You.

The UNIX and Linux Forums
#3  Corona688 (Forum Staff), 12-07-2016
If you changed your wrapper program to call sudo, rather than vice versa, you could get different menu options calling different sudo users.
#4  willyb, 12-07-2016
Thank you for the response. Sorry for the color, I didn't realize it would be such a sensitive issue.

As for the recommendation, I don't know that it would fulfill the same security needs, as it would make the script itself owned by the user, which means that the user could also see it, yes?

Also, by putting the sudo command inside the script, wouldn't that fork off another sub-shell to run the subsequent commands?

#5  Corona688 (Forum Staff), 12-08-2016
You can't really run code as a different user without putting it in a subshell.

Using sudo inside the script would probably mean splitting off a few more scripts from it so you can put them all in sudoers appropriately, which would mean the parts you wouldn't want seen wouldn't be. If someone sees the code for the menu, who cares, as long as it hasn't got the passwords?
#6  willyb, 12-08-2016
Correct. It doesn't matter, as I'm not using passwords.
For this level of DB login, as SYS, it's not the conventional login/pw sequence.

normal would be
Code:
sqlplus joe/blow@db <enter>

for this, I need to be able to execute AS ORACLE USER

Code:
sqlplus /nolog <enter>
connect /as sysdba <enter>

It will only allow the oracle OS user to use this login process.

Oracle is complex in this way: the SYS user can log into a layer under the database.
AND unfortunately, this specific Oracle script/command REQUIRES being logged into the database as SYS.


Having said that, I have made progress based upon your suggestions. Thank you.
I am able to now execute the wrapper script, and option 1 executes as FORD.
I'm not testing option 2, simply because it's a combo of 1 and 3.
So testing option 3, it's a partial success/fail.
I can tell that it is executing as oracle, because the oracle user is the only one allowed to see or execute the script.
But the Oracle security doesn't like something, as the second part of the 2-step login is failing.
That part of the script is as follows.


Code:
# $choice holds the menu selection (variable name assumed; the posted
# fragment omitted the case word and the "in")
case "$choice" in
    3)
        # unquoted EOF so $ORACLE_HOME expands; the trailing "/" re-executes
        # whatever SQL is left in the buffer after utlrp.sql has run
        sqlplus /nolog << EOF
connect /as sysdba
@$ORACLE_HOME/rdbms/admin/utlrp.sql;
        /
EOF
        ;;
esac

It's telling me invalid user/pass.
Then tries to execute the script, which of course is failing.

So chasing that now.

Also, for giggles, I tried the following at the command line (as ORACLE):

Code:
sqlplus /nolog <<EOF
connect /as sysdba
show parameter name
EOF

And it worked flawlessly.

Ran the same thing as FORD, and it runs the first line, but then fails on the next.

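Following Corona688's suggestion, the part that has to run as oracle can be its own script that ford is allowed to sudo, with the menu staying an ordinary unprivileged script. The helper below is an added example (editor's code, not the original poster's and not Oracle's); the install path, ORACLE_HOME and ORACLE_SID it hard-codes are assumptions. Two points from the failure described in the post above are built in: sudo's default env_reset discards the caller's ORACLE_HOME and ORACLE_SID, so the helper sets them itself rather than inheriting them, and the login is given to sqlplus on the command line with -L, so a failed "connect / as sysdba" ends the run instead of leaving utlrp.sql to execute against no connection. Note that OS authentication as SYSDBA is available to any OS user in the OSDBA group, not to oracle alone; what keeps ford out is the sudo rule, which is why it should name this helper and nothing broader such as sqlplus itself.

```shell
#!/bin/sh
# run_utlrp.sh: the privileged half of the menu, split out as Corona688
# suggests, so the menu itself runs as ford and only this step escalates.
# Added example for this thread; not the original poster's script and not an
# Oracle-supplied one. Install it root-owned, mode 0755, outside oracle's home
# (assumed path /usr/local/sbin/run_utlrp.sh) and grant ford that one command,
# with "" so sudo allows no arguments (a bare path matches any arguments):
#
#   ford ALL = (oracle) NOPASSWD: /usr/local/sbin/run_utlrp.sh ""
#
# wrapper.sh, run by ford with no sudo at all, then does for menu item C:
#
#   sudo -u oracle /usr/local/sbin/run_utlrp.sh
#
# Everything Oracle needs is set here rather than taken from the caller's
# environment, because sudo's default env_reset discards it.

ORACLE_HOME=/oracle/12c        # assumed from the sqlplus path in the thread
ORACLE_SID=ORCL                # assumed
SQLPLUS=$ORACLE_HOME/bin/sqlplus
EXPECTED_USER=oracle           # OS authentication as SYSDBA is tied to this user
export ORACLE_HOME ORACLE_SID

# require_user NAME: refuse to run as anyone but NAME, so a copy of this
# script cannot be pointed at a different target user by mistake.
require_user() {
    [ "$(id -un)" = "$1" ] && return 0
    printf 'run_utlrp.sh: must run as %s (sudo -u %s), not %s\n' \
        "$1" "$1" "$(id -un)" >&2
    return 1
}

# sysdba_input: the SQL*Plus script, as text. "?" is SQL*Plus shorthand for
# ORACLE_HOME. WHENEVER SQLERROR makes a failing utlrp.sql exit non-zero
# instead of silently continuing to EXIT.
sysdba_input() {
    cat <<'EOF'
WHENEVER SQLERROR EXIT FAILURE
@?/rdbms/admin/utlrp.sql
EXIT
EOF
}

# run_utlrp: connect with OS authentication and run the script. The connect
# goes on the command line with -L (one login attempt, no reprompt), so a
# failed login ends the run at once rather than letting the script run
# unconnected, which is what the connect-inside-the-heredoc version did.
# Returns sqlplus's exit status.
run_utlrp() {
    require_user "$EXPECTED_USER" || return 1
    sysdba_input | "$SQLPLUS" -S -L '/ as sysdba'
}

# Run only when invoked as the installed script, not when sourced elsewhere.
case $0 in
    */run_utlrp.sh|run_utlrp.sh) run_utlrp ;;
esac
```

wrapper.sh keeps one.sql and two.sql as plain sqlplus calls run as ford and invokes the helper through sudo for items B and C. To exercise the helper without a database, point SQLPLUS at a stub that records its arguments and standard input.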