I'm trying to setup my sudoer file at work to have the right security, but I'm not able to refine to the level I want.
Here's what I would like to have:
=> OS Users
- John (group staff)
- Bob (group staff)
- app20adm (group app20grp)
- app70adm (group app70grp)
- sys20adm (group app20grp)
- sys70adm (group app70grp)
=> OS Groups
- staff
- app20grp
- app70grp
I would like to have John run all sudo commands as sys20adm and sys70adm, including 'sudo -i'. Files should have permission of sys20adm:app20grp or sys70adm:app70grp
I also would like to have Bob run all sudo commands as app20adm and app70adm, except 'sudo -i'.
I haven't been able to get not even the first part (run command as). Can anyone help? Here's what I have configured so far:
Any ideas? I also tried the defaults below, be the later overwrites the first.
Hi,
I have edited 'sudoers' file to allow 'cads' user shutdown the system without providing a password.
Can someone tell me what's wrong with my file?
It's not working when I 'sudo SHUTDOWN' command:
sudo: SHUTDOWN: command not found
Thanks a lot!
# Host alias specification... (4 Replies)
What is the difference between ALL and localhost in the bellow?
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Thank you. (2 Replies)
i have defined a rule in the sudoers file so a specific user is able to run some commands as sudo with no password.
my question is: is it possible to restrict a user to run commands as sudo only in a certain directory? for example: chown only the files that are located in /var/tmp.
Thank you.
... (2 Replies)
1. Download the rpm file needed to install the sudoers package in AIX
AIX open sources rpms
Search for the file sudo-1.6.7p5-3.aix5.1.ppc.rpm and download it
2. Copy the downloaded file to the AIX servers /tmp/SUDO directory
3. change the permission to chmod 777 <Filename>
4.smitty install->... (4 Replies)
Hi All,
I am new to sudoers file. I am asked to troubleshoot why a particular user (alandhi) is not able to run a script as a different user(scmtg). I have the following line in my sudoers file and the user's name added to the group.
User_Alias QA_USERS = alandhi, testuser1, qauser3
... (3 Replies)
Hello,
Recently our team noticed access to groups had not been revoked per sudo file.
We currently have around 160 AIX LPARS.
I am hoping someone can help me write a script that would copy all sudoers file at each machine and dump into 1 large file for me to review.
I have public... (1 Reply)
Hi,
I was asked to create sudoers file for operation team so they can sudo as another user and run few commands.
I have updated /etc/sudoers file.
User_Alias LEVEL1 = JamesF, dennisW, juanC, steveS,
Cmnd_Alias SU_PROD=/bin/su prod, /bin/su - prod
Cmnd_Alias SU_NYOP=/bin/su... (2 Replies)
Hi,
I need the details of which ids belong to the sudoers file, and which groups these ids belong to.
Can anyone suggest a way to derive that information into a flat file please?
G (4 Replies)
Hi
using Solaris 10. trying to update /etc/sudoers file
I need to add all the fist level operation team. This is what I have but it doesn't seem to work. Please help.Error message
sudo su -
>>> sudoers file: parse error, line 9 <<<
>>> sudoers file: parse error, line 9 <<<
... (2 Replies)
In the sudoers file in Solaris...
I am trying to limit the DEVELOPER user privileges to where those users can only use the “rm” command in certain directories. This is to prevent them from deleting directories or files and destroying a server. I want them to be able to use the "rm" command but... (1 Reply)
Discussion started by: nzonefx
1 Replies
LEARN ABOUT OSF1
secsetup
secconfig(8) System Manager's Manual secconfig(8)NAME
secconfig, secsetup - Security features setup graphical interface (Enhanced Security)
SYNOPSIS
/usr/sbin/sysman secconfig
NOTE: The secsetup utility has been replaced by the secconfig graphical interface.
DESCRIPTION
The utility is a graphical interface used to select the level of system security needed. It can convert from Base to enhanced security
mode, and configure base and enhanced security features. If you are using secconfig to enable Enhanced security, you must first have
loaded the enhanced security subsets.
You can run while the system is in multiuser mode. However, if you change the security level, the change is not completed until you reboot
the system.
For both base and enhanced security, the secconfig utility allows you to enable segment sharing, to enable access control lists (ACLs), and
to restrict the setting of the execute bit to root only.
For enhanced security, the secconfig utility additionally allows you to configure security support from simple shadow passwords all the way
to a strict C2 level of security. Shadow password support is an easy method for system administrators, who do not wish to use all of the
extended security features, to move each user's password out of /etc/passwd and into the extended user profile database (auth.db. You can
use the Custom mode if you wish to select additional security features, such as breakin detection and evasion, automatic database trimming,
and password controls.
When converting from base to enhanced security, secconfig updates the system default database (/etc/auth/system/default) and uses the con-
vuser utility to migrate user accounts.
While it is possible to convert user accounts from enhanced back to base, the default encryption algorithms and supported password lengths
differ between base and enhanced security, and thus user account conversions do not succeed without a password change.
NOTE: Because of the page table sharing mechanism used for shared libraries, the normal file system permissions are not adequate to protect
against unauthorized reading. The secconfig interface allows you to disable segment sharing. The change in segment sharing takes effect
at the next reboot.
FILES RELATED INFORMATION acl(4), authcap(4), default(4), convuser(8),
Security delim off
secconfig(8)