Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Help with sudoers file - AIX
Special Forums Cybersecurity Help with sudoers file - AIX Post 302594891 by victorbrca on Wednesday 1st of February 2012 11:57:34 AM
Old 02-01-2012
Help with sudoers file - AIX
Hi all,

I'm trying to setup my sudoer file at work to have the right security, but I'm not able to refine to the level I want.

Here's what I would like to have:

=> OS Users
- John (group staff)
- Bob (group staff)
- app20adm (group app20grp)
- app70adm (group app70grp)
- sys20adm (group app20grp)
- sys70adm (group app70grp)

=> OS Groups
- staff
- app20grp
- app70grp

I would like to have John run all sudo commands as sys20adm and sys70adm, including 'sudo -i'. Files should have permission of sys20adm:app20grp or sys70adm:app70grp

I also would like to have Bob run all sudo commands as app20adm and app70adm, except 'sudo -i'.

I haven't been able to get not even the first part (run command as). Can anyone help? Here's what I have configured so far:

Code:
User_Alias SYSADMIN20 = john
User_Alias SYSADMIN70 = john
User_Alias APPADMIN20 = bob
User_Alias APPADMIN70 = bob

Runas_Alias     SYS20ADM = sys20adm
Runas_Alias     SYS70ADM = sys70adm
Runas_Alias     APP20ADM = app20adm
Runas_Alias     APP70ADM = app70adm

SYSADMIN20      ALL = (SYS20ADM) ALL
SYSADMIN70      ALL = (SYS70ADM) ALL
APPADMIN20      ALL = (APP20ADM) ALL , !/usr/bin/sudo -i app20adm
APPADMIN70      ALL = (APP70ADM) ALL , !/usr/bin/sudo -i app70adm

Any ideas? I also tried the defaults below, be the later overwrites the first.

Code:
Defaults:SYSADMIN20    runas_default=sys20adm
Defaults:SYSADMIN70    runas_default=sys70adm

Thanks,
Vic.
 

10 More Discussions You Might Find Interesting

1. Linux

sudoers file

Hi, I have edited 'sudoers' file to allow 'cads' user shutdown the system without providing a password. Can someone tell me what's wrong with my file? It's not working when I 'sudo SHUTDOWN' command: sudo: SHUTDOWN: command not found Thanks a lot! # Host alias specification... (4 Replies)
Discussion started by: whatisthis
4 Replies

2. UNIX for Dummies Questions & Answers

sudoers file questions

What is the difference between ALL and localhost in the bellow? # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now Thank you. (2 Replies)
Discussion started by: hemangjani
2 Replies

3. UNIX for Advanced & Expert Users

sudoers file

i have defined a rule in the sudoers file so a specific user is able to run some commands as sudo with no password. my question is: is it possible to restrict a user to run commands as sudo only in a certain directory? for example: chown only the files that are located in /var/tmp. Thank you. ... (2 Replies)
Discussion started by: noam128
2 Replies

4. AIX

Sudoers Installation in AIX

1. Download the rpm file needed to install the sudoers package in AIX AIX open sources rpms Search for the file sudo-1.6.7p5-3.aix5.1.ppc.rpm and download it 2. Copy the downloaded file to the AIX servers /tmp/SUDO directory 3. change the permission to chmod 777 <Filename> 4.smitty install->... (4 Replies)
Discussion started by: Sounddappan
4 Replies

5. Shell Programming and Scripting

Issue with sudoers file.

Hi All, I am new to sudoers file. I am asked to troubleshoot why a particular user (alandhi) is not able to run a script as a different user(scmtg). I have the following line in my sudoers file and the user's name added to the group. User_Alias QA_USERS = alandhi, testuser1, qauser3 ... (3 Replies)
Discussion started by: Tuxidow
3 Replies

6. Shell Programming and Scripting

Scripting help with Sudoers file

Hello, Recently our team noticed access to groups had not been revoked per sudo file. We currently have around 160 AIX LPARS. I am hoping someone can help me write a script that would copy all sudoers file at each machine and dump into 1 large file for me to review. I have public... (1 Reply)
Discussion started by: audis$
1 Replies

7. UNIX for Dummies Questions & Answers

Pls. help with sudoers file...

Hi, I was asked to create sudoers file for operation team so they can sudo as another user and run few commands. I have updated /etc/sudoers file. User_Alias LEVEL1 = JamesF, dennisW, juanC, steveS, Cmnd_Alias SU_PROD=/bin/su prod, /bin/su - prod Cmnd_Alias SU_NYOP=/bin/su... (2 Replies)
Discussion started by: samnyc
2 Replies

8. Emergency UNIX and Linux Support

Getting details from sudoers file

Hi, I need the details of which ids belong to the sudoers file, and which groups these ids belong to. Can anyone suggest a way to derive that information into a flat file please? G (4 Replies)
Discussion started by: ggayathri
4 Replies

9. UNIX for Dummies Questions & Answers

Help with Sudoers file

Hi using Solaris 10. trying to update /etc/sudoers file I need to add all the fist level operation team. This is what I have but it doesn't seem to work. Please help.Error message sudo su - >>> sudoers file: parse error, line 9 <<< >>> sudoers file: parse error, line 9 <<< ... (2 Replies)
Discussion started by: samnyc
2 Replies

10. Solaris

Sudoers file

In the sudoers file in Solaris... I am trying to limit the DEVELOPER user privileges to where those users can only use the “rm” command in certain directories. This is to prevent them from deleting directories or files and destroying a server. I want them to be able to use the "rm" command but... (1 Reply)
Discussion started by: nzonefx
1 Replies

LEARN ABOUT LINUX

pam_selinux

PAM_SELINUX(8)							 Linux-PAM Manual						    PAM_SELINUX(8)

NAME

       pam_selinux - PAM module to set the default security context

SYNOPSIS

       pam_selinux.so [close] [debug] [open] [nottys] [verbose] [select_context] [env_params] [use_current_range]

DESCRIPTION

       In a nutshell, pam_selinux sets up the default security context for the next execed shell.

       When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the
       user chooses and the pam file allows the selected security context. Also the controlling tty will have it's security context modified to
       match the users.

       Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application. The close and
       open option help mitigate this problem. close option will only cause the close portion of the pam_selinux to execute, and open will only
       cause the open portion to run. You can add pam_selinux to the config file twice. Add the pam_selinux close as the executes the open pass
       through the modules, pam_selinux open_session will happen last. When PAM executes the close pass through the modules pam_selinux
       close_session will happen first.

OPTIONS

       close
	   Only execute the close_session portion of the module.

       debug
	   Turns on debugging via syslog(3).

       open
	   Only execute the open_session portion of the module.

       nottys
	   Do not try to setup the ttys security context.

       verbose
	   attempt to inform the user when security context is set.

       select_context
	   Attempt to ask the user for a custom security context role. If MLS is on ask also for sensitivity level.

       env_params
	   Attempt to obtain a custom security context role from PAM environment. If MLS is on obtain also sensitivity level. This option and the
	   select_context option are mutually exclusive. The respective PAM environment variables are SELINUX_ROLE_REQUESTED,
	   SELINUX_LEVEL_REQUESTED, and SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and the last one if set to 1 makes
	   the PAM module behave as if the use_current_range was specified on the command line of the module.

       use_current_range
	   Use the sensitivity level of the current process for the user context instead of the default level. Also suppresses asking of the
	   sensitivity level from the user or obtaining it from PAM environment.

MODULE TYPES PROVIDED

       Only the session module type is provided.

RETURN VALUES

       PAM_AUTH_ERR
	   Unable to get or set a valid context.

       PAM_SUCCESS
	   The security context was set successfully.

       PAM_USER_UNKNOWN
	   The user is not known to the system.

EXAMPLES

	   auth     required  pam_unix.so
	   session  required  pam_permit.so
	   session  optional  pam_selinux.so

SEE ALSO

       pam.conf(5), pam.d(5), pam(7)

AUTHOR

       pam_selinux was written by Dan Walsh <dwalsh@redhat.com>.

Linux-PAM Manual						    08/31/2010							    PAM_SELINUX(8)
All times are GMT -4. The time now is 04:37 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy