Full Discussion: Sudo issue
Operating Systems AIX Sudo issue Post 302916625 by rbatte1 on Thursday 11th of September 2014 06:23:12 AM
It does seem rather permissive at first glance. Maybe I'm just paranoid, but you have fourteen accounts that can do whatever they like and a further three with restricted access, however all of them could edit or replace the sudoers file and therefore do whatever they like too. If they can chmod, they can make it world writeable, edit it and then set the permissions back. With mv and cp, they can simply overwrite the sudoers file, or any file, such as /etc/passwd or /etc/security/passwd even.

Entries in this file should be very carefully considered and grant just the bare minimum required to do the job. If there are partial commands that you want to allow, e.g. cp in some directories but not in others, then you would be better to script up what they are allowed and grant them sudo privileges to run your script. Make sure that your script is secure from tampering too!

Developers just love having access to everything because it makes things easy, but security is like birth control - it gets in the way, but if you are caught out it can be very expensive to manage the impact.



That said, I don't immediately see anything syntactically wrong. You don't have a user guy defined though, so I will do some testing with others.

I don't suppose you were logged in or su'ed to an account not listed, were you?



Robin

Last edited by rbatte1; 09-11-2014 at 07:24 AM.. Reason: Final question
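
The wrapper approach recommended in the post above, sketched as an added example (not code from the thread): a copy script to grant through sudo instead of raw cp, plus an install-time check that the script itself cannot be tampered with. The directories `/app/staging` and `/app/deploy`, the install path `/usr/local/sbin/safe_copy` and the `%deployers` group are hypothetical.

```shell
#!/bin/sh
# Added example: wrapper to grant through sudo in place of raw cp.
# Hypothetical sudoers line: %deployers ALL = (root) /usr/local/sbin/safe_copy
# Hard-coded on purpose: never take these from arguments or the environment.
STAGING_DIR=/app/staging
DEPLOY_DIR=/app/deploy

# Print the physical path of directory $1 (symlinks and ../ resolved).
canon_dir() { ( cd -P -- "$1" 2>/dev/null && pwd -P ); }

# Succeed only if file path $1 sits under directory $2 and is not a
# symlink or directory, so ../ and links cannot redirect the copy.
path_under() {
    case $1 in */) return 1 ;; esac
    if [ -L "$1" ] || [ -d "$1" ]; then return 1; fi
    parent=$(canon_dir "$(dirname -- "$1")") || return 1
    base=$(canon_dir "$2") || return 1
    case $parent/ in
        "$base"/*) return 0 ;;
    esac
    return 1
}

# Copy $1 to $2 only from the staging area into the deploy area.
safe_copy() {
    [ -f "$1" ] || { echo "safe_copy: no such source file" >&2; return 2; }
    path_under "$1" "$STAGING_DIR" ||
        { echo "safe_copy: source outside staging area" >&2; return 3; }
    path_under "$2" "$DEPLOY_DIR" ||
        { echo "safe_copy: destination outside deploy area" >&2; return 4; }
    cp -- "$1" "$2"
}

# Install-time audit: succeed only if $1 and its directory are owned by
# user $2 (root in production) and are not group- or world-writable.
locked_down() {
    for p in "$1" "$(dirname -- "$1")"; do
        if [ -L "$p" ]; then return 1; fi
        bad=$(find "$p" -prune \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then return 1; fi
    done
    return 0
}

# Entry point when invoked as: sudo /usr/local/sbin/safe_copy SRC DEST
if [ "$#" -eq 2 ]; then
    safe_copy "$1" "$2"
fi
```

The path checks are only sound if the sudo callers cannot write to the deploy directory themselves; otherwise a path could be swapped between the check and the copy.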
 
