Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Sudo to user other than root but do not allow sudo to root
Operating Systems Linux Red Hat Sudo to user other than root but do not allow sudo to root Post 302933964 by westmoreland on Tuesday 3rd of February 2015 11:47:47 AM
Old 02-03-2015
Sudo to user other than root but do not allow sudo to root
I have a set of RHEL 5 boxes running our ERP software on Oracle databases. I need to allow my DBA's to su to oracle and one other account (banner) without knowing the oracle or banner password. But I need to prevent them from su'ing to any other user especially root. I only want them to be able to switch to the oracle user or the banner user. I've recreate the accounts on a test system to try and work through my confusion and better understand how to use sudo before implementing it on my production systems.

Typically the user changes to these accounts like this:

Code:
>sudo su - oralce

They are then prompted to enter their own password and it lets them in. The problem is that they can use the command to become root, or any other user, as well.

I have a group on my system (enterpriseapps) which contains the users I want to grant access to. I edited my /etc/sudoers file. Here's how it looks:


Quote:
User_Alias DBA = %enterpriseapps
Runas_Alias ORACLE = oracle, banner
#Cmnd_Alias SU = !/bin/su -, !/bin/su *root*, !/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - oracle, /usr/bin/su - banner, /bin/su - oracle, /bin/su - banner
Cmnd_Alias SU = /usr/bin/su - oracle, /usr/bin/su - banner, /bin/su - oracle, /bin/su - banner

%sysadmin ALL=(ALL) ALL
DBA ALL=(ORACLE) NOPASSWD: SU
So, if I understand it correctly, users in the DBA User_Alias should be able to run from any system (ALL) as users in the ORACLE Runas_Alias with NOPASSWD and they should only be able to run the commands in the SU Cmnd_Alias. Of course, I have my sysadmin group setup so that they can become root.

So I configured my Cmnd_Alias two different ways but they both give me same result:


Quote:
[jonesc@rhcsa03r5v ~]$ sudo su - oracle
[sudo] password for jonesc:
Sorry, user jonesc is not allowed to execute '/bin/su - oracle' as root on rhcsa03r5v.lamar.edu.
I've been researching this for days now and still having issues. Anybody got any ideas about what I'm missing here? I'm sure I have misconfigured, just can't see the error.
Last edited by jim mcnamara; 02-03-2015 at 02:54 PM..
 

10 More Discussions You Might Find Interesting

1. Linux

sudo, root password

Hi all.. I'm secering a RH 2.1 server, with gnome (not my choice...), as X manager. Is ther anyway to get sudo ask for root password other then the actual user's password? Like when you launch the graphical IHM to create a new user, it asks for root's password? Is there a way to do the same... (5 Replies)
Discussion started by: penguin-friend
5 Replies

2. UNIX for Dummies Questions & Answers

Possible to give non root user sudo to "crontab -l"

Does anyone know if this is possible? I want to give some users access to root's crontab but only with a read privilege. Is this possible to do or can only root or people with full root sudo view root's cron? (4 Replies)
Discussion started by: LordJezoX
4 Replies

3. AIX

sudo must be setuid root.

Guy's I'm trying to add some lines in sudo by useing this command visudo # User privilege specification root ALL=(ALL) ALL # Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL # Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL #... (5 Replies)
Discussion started by: ITHelper
5 Replies

4. Shell Programming and Scripting

Cron job initiating ssh AND sudo (from user, not root)

I've been bashing my head on the desk for 2 days trying to get this to work, but I've had no luck. I'll try to be as clear as possible in my explanation without dragging out the details. I'm trying to set up a cron job for user "john" which runs a script. This script initiates an ssh connection to... (5 Replies)
Discussion started by: eh3civic
5 Replies

5. UNIX for Dummies Questions & Answers

sudo/root access

I'm actually working with a Ubuntu-System here and have a question about executing a command with 'sudo'. I tried and got a error message like "not allowed". After this I logged in with 'sudo -s' and typed the command without 'sudo'. This worked well. Can please somebody explain me this... (0 Replies)
Discussion started by: daWonderer
0 Replies

6. UNIX for Dummies Questions & Answers

Sudo to delegate permission from non-root user to another non-root user

I've been through many threads before i decide to create a separate thread. I can't really find the solution to my (simple) problem. Here's what I'm trying to achieve: As "canar" user I want to run a command, let's say "/opt/ocaml/bin/ocaml" as "duck" user. The only to achieve this is to... (1 Reply)
Discussion started by: canar
1 Replies

7. UNIX for Dummies Questions & Answers

sudo on becoming root

Anyone able to explain why if i run "sudo -i" or "sudo -s" i am able to get into root by just keying my own password? How to avoid this from happening coz i need all the users to use su - only. (2 Replies)
Discussion started by: timmywong
2 Replies

8. UNIX for Dummies Questions & Answers

Create user with sudo ability to root.

Hi All, I need to give an user sudo ability to root. We have also generated RSA key but unable to proceed further. For example after a user logs into the server normally and when he executes below command $ssh root@server_name This should take you to root prompt # Please help me.... (3 Replies)
Discussion started by: Rockyc3400
3 Replies

9. Solaris

Sudo access of rm to non-root user

Hello, It is Solaris-10. There is a file as /opt/vpp/dom1.2/pdd/today_23. It is always generated by root, so owned by root only. This file has to be deleted as part of application restart always and that is done by app_user and SA is always involved to do rm on that file. Is it possible to give... (9 Replies)
Discussion started by: solaris_1977
9 Replies

10. UNIX for Beginners Questions & Answers

Sudo to root, but keep my own aliases?

I have a coworker that has set up some funky aliases in /etc/bash.alias, and he insists on leaving them that way. For example he aliased "ll" to "ls -lahtr", which really bugs me. Anyway, I was wondering if there were a way for me to sudo to root without reading /etc/bash.alias, or maybe have... (6 Replies)
Discussion started by: paqman
6 Replies

LEARN ABOUT CENTOS

gzexe

GZEXE(1)						      General Commands Manual							  GZEXE(1)

NAME

       gzexe - compress executable files in place

SYNOPSIS

       gzexe name ...

DESCRIPTION

       The  gzexe  utility  allows you to compress executables in place and have them automatically uncompress and execute when you run them (at a
       penalty in performance).  For example if you execute ``gzexe /usr/bin/gdb'' it will create the following two files:
	   -rwxr-xr-x  1 root root 1026675 Jun	7 13:53 /usr/bin/gdb
	   -rwxr-xr-x  1 root root 2304524 May 30 13:02 /usr/bin/gdb~
       /usr/bin/gdb~ is the original file and /usr/bin/gdb is the self-uncompressing executable file.  You can remove /usr/bin/gdb~ once  you  are
       sure that /usr/bin/gdb works properly.

       This utility is most useful on systems with very small disks.

OPTIONS

       -d     Decompress the given executables instead of compressing them.

SEE ALSO

       gzip(1), znew(1), zmore(1), zcmp(1), zforce(1)

CAVEATS

       The  compressed executable is a shell script.  This may create some security holes.  In particular, the compressed executable relies on the
       PATH environment variable to find gzip and some standard utilities (basename, chmod, ln, mkdir, mktemp, rm, sleep, and tail).

BUGS

       gzexe attempts to retain the original file attributes on the compressed executable, but you may have to fix them manually  in  some  cases,
       using chmod or chown.

																	  GZEXE(1)
All times are GMT -4. The time now is 05:50 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy