How to provide root access via sudo with restrictions?
Hi,
I have a requirement to provide root access but user should not run some specific commands, How it is possible.
following is my configuration at sudoers file,
Code:
Cmnd_Alias MYLIMIT = /usr/bin/passwd /sbin/shutdown /usr/bin/reboot /usr/sbin/visudo /bin/vi /usr/bin/vim
test2 ALL=(ALL)NOPASSWD: ALL, !MYLIMIT
%wheel ALL = NOPASSWD:ALL, !MYLIMIT
its not working, following is next attempt
Code:
test2 ALL=(ALL)NOPASSWD: !/usr/bin/passwd, !/usr/sbin/visudo ALL
#OR#
test2 ALL=(ALL)NOPASSWD: ALL, !/usr/bin/passwd, !/usr/sbin/visudo
nothing worked, after all attempts following is result
Code:
[test2@rhel6-server ~]$ sudo su
Last login: Sat Mar 10 17:15:07 IST 2018 on pts/12
[root@rhel6-server test2]# passwd root
Changing password for user root.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
Please help
Moderator's Comments:
Please use CODE (not ICODE) tags as required by forum rules!
Last edited by RudiC; 03-10-2018 at 08:47 AM..
Reason: Changed CODE tags.
Hi,
I need to provide execute access to certain users and not to all users
For ex: if ther is a file /home/august/aug.sh.
and there are user's like jan,feb,mar,april,May and jan is the owner of that box. I need to provide execute access to feb and mar only. I also know the root pwd for... (3 Replies)
hi
i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help
Thanks (5 Replies)
How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options?
I have the task to set up a machine for users working with sensitive data that should not be leaving the... (1 Reply)
I'm actually working with a Ubuntu-System here and have a question about executing a command with 'sudo'.
I tried and got a error message like "not allowed".
After this I logged in with 'sudo -s' and typed the command without 'sudo'. This worked well.
Can please somebody explain me this... (0 Replies)
I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE Admin server is setup in the following manner:
1) Remote root access is turned off in the sshd_config file.
2) I am the only user of this admin... (6 Replies)
I have a set of RHEL 5 boxes running our ERP software on Oracle databases. I need to allow my DBA's to su to oracle and one other account (banner) without knowing the oracle or banner password. But I need to prevent them from su'ing to any other user especially root. I only want them to be able to... (1 Reply)
Hello,
It is Solaris-10. There is a file as /opt/vpp/dom1.2/pdd/today_23. It is always generated by root, so owned by root only.
This file has to be deleted as part of application restart always and that is done by app_user and SA is always involved to do rm on that file.
Is it possible to give... (9 Replies)
Discussion started by: solaris_1977
9 Replies
LEARN ABOUT CENTOS
consolehelper
CONSOLEHELPER(8) System Manager's Manual CONSOLEHELPER(8)NAME
consolehelper - A wrapper that helps console users run system programs
SYNOPSIS
progname [ options ]
DESCRIPTION
consolehelper is a tool that makes it easy for console users to run system programs, doing authentication via PAM (which can be set up to
trust all console users or to ask for a password at the system administrator's discretion). When possible, the authentication is done
graphically; otherwise, it is done within the text console from which consolehelper was started.
It is intended to be completely transparent. This means that the user will never run the consolehelper program directly. Instead, pro-
grams like /sbin/shutdown are paired with a link from /usr/bin/shutdown to /usr/bin/consolehelper. Then when non-root users (specifically,
users without /sbin in their path, or /sbin after /usr/bin) call the "shutdown" program, consolehelper will be invoked to authenticate the
action and then invoke /sbin/shutdown. (consolehelper itself has no priviledges; it calls the userhelper(8) program do the real work.)
consolehelper requires that a PAM configuration for every managed program exist. So to make /sbin/foo or /usr/sbin/foo managed, you need
to create a link from /usr/bin/foo to /usr/bin/consolehelper and create the file /etc/pam.d/foo, normally using the pam_console(8) PAM mod-
ule.
OPTIONS
This program has no command line options of its own; it passes all command line options on to the program it is calling.
SEE ALSO userhelper(8)AUTHOR
Michael K. Johnson <johnsonm@redhat.com>
Red Hat Software 18 March 1999 CONSOLEHELPER(8)
03-10-2018
