01-27-2020
The privilege you have permits you to become the superuser, but not to directly run anything from your account but as the superuser.
If you can become the superuser, then I presume you are the system administrator (or part of the team) so you should know how to write yourself the appropriate sudo rule. Can you show us what you have tried?
- - CAUTION - -
If you break the
sudo rules, then it is possible to lock yourself out, i.e. if they are invalid then you may not be able to even
sudo su - like you can at the moment.
Make sure you have several superuser session already connected before you do this, and better to use the
visudo tool too. It protects you somewhat, but it's probably not infallible.
Take copies of any files before you changes them and make sure you have a way and privilege to put them back if you need to. Save the permissions, else
sudo may still refuse to run.
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi
I have installed solaris 10 on an intel machine. Logged in as root. In CDE, i open terminal session, type login alex (normal user account) and password and i get this message
No utpmx entry: you must exec "login" from lowest level "shell" :confused:
What i want is: open various... (0 Replies)
Discussion started by: peterpan
0 Replies
2. Solaris
I'm running sendmail (8.13.8+Sun/8.13.8/Submit) solaris 10.
When I send mail to root at the command line (whether I use a full-qualified address or just root), I get the error message
root... User address required.
Sending mail to root (either at the command line or in a cron job),... (10 Replies)
Discussion started by: csgonan
10 Replies
3. Red Hat
Friends ,
i want to run my smtp service as a root .
let me know what r the changes i have to made to my machine .
AVklinux (1 Reply)
Discussion started by: avklinux
1 Replies
4. UNIX for Dummies Questions & Answers
hi,
I've read different posts regarding crontab but none helped out...the shell scrip that I want to run through crontab gets run through crontab when I use the following crontab statement:
13 17 * * * /usr/net/gcc/DBdrop.sh > /usr/net/gcc/DBdrop.log 2>&1
but it does not run when I scheduel... (2 Replies)
Discussion started by: linux0004
2 Replies
5. UNIX for Dummies Questions & Answers
HI All,
I am using solaris
i created a user adam and updated his permissions
in vi sudoers file as follows
adam ALL=(ALL) NOPASSWORD: ALL
...........
when i create user by logging as sudo user .
$ sudo useradd -d /home/kalyan -m -s /bin/sh kalyan
sudo: not found
... (6 Replies)
Discussion started by: kalyankalyan
6 Replies
6. Shell Programming and Scripting
Hi,
I have line in input file as below:
3G_CENTRAL;INDONESIA_(M)_TELKOMSEL;SPECIAL_WORLD_GRP_7_FA_2_TELKOMSEL
My expected output for line in the file must be :
"1-Radon1-cMOC_deg"|"LDIndex"|"3G_CENTRAL|INDONESIA_(M)_TELKOMSEL"|LAST|"SPECIAL_WORLD_GRP_7_FA_2_TELKOMSEL"
Can someone... (7 Replies)
Discussion started by: shis100
7 Replies
7. Shell Programming and Scripting
copying daily changes from serverA to serverB using rsync(solaris8, v2.6.2) at root folder level.
serverA: cd /
rsync -a -vv --delete --checksum --sparse --stats --dry-run --exclude /tmp/ --exclude /proc/ --exclude /devices/ . root@<IP of ServerB>:/
This is generating mainly three debug... (0 Replies)
Discussion started by: kchinnam
0 Replies
8. AIX
Our AIX servers send e-mails which have the "from" address set to "root@company.com" for our root user ("C{M}company.com" in /etc/sendmail.cf). The problem is that when bad e-mails are sent out or rejected by remote servers, they are being returned and delivered to e-mail box of "Mary Root".
... (2 Replies)
Discussion started by: kah00na
2 Replies
9. UNIX for Dummies Questions & Answers
How to use "mailx" command to do e-mail reading the input file containing email address, where column 1 has name and column 2 containing “To” e-mail address
and column 3 contains “cc” e-mail address to include with same email.
Sample input file, email.txt
Below is an sample code where... (2 Replies)
Discussion started by: asjaiswal
2 Replies
10. Shell Programming and Scripting
Hi,
There are 2 users (T886072 & T864764) that need to be provided full (rwx) access to a directory. I made the changes to the directory permissions using chmod and setfacl :
root@digidb2:# chmod 700 /u02/ftpfiles/MFRS16/discount_rates/
root@digidb2:# setfacl -s... (3 Replies)
Discussion started by: anaigini45
3 Replies
LEARN ABOUT CENTOS
sssd-sudo
SSSD-SUDO(5) File Formats and Conventions SSSD-SUDO(5)
NAME
sssd-sudo - Configuring sudo with the SSSD back end
DESCRIPTION
This manual page describes how to configure sudo(8) to work with sssd(8) and how SSSD caches sudo rules.
CONFIGURING SUDO TO COOPERATE WITH SSSD
To enable SSSD as a source for sudo rules, add sss to the sudoers entry in nsswitch.conf(5).
For example, to configure sudo to first lookup rules in the standard sudoers(5) file (which should contain rules that apply to local users)
and then in SSSD, the nsswitch.conf file should contain the following line:
sudoers: files sss
More information about configuring the sudoers search order from the nsswitch.conf file as well as information about the LDAP schema that
is used to store sudo rules in the directory can be found in sudoers.ldap(5).
Note: in order to use netgroups or IPA hostgroups in sudo rules, you also need to correctly set nisdomainname(1) to your NIS domain name
(which equals to IPA domain name when using hostgroups).
CONFIGURING SSSD TO FETCH SUDO RULES
All configuration that is needed on SSSD side is to extend the list of services with "sudo" in [sssd] section of sssd.conf(5). To speed up
the LDAP lookups, you can also set search base for sudo rules using ldap_sudo_search_base option.
The following example shows how to configure SSSD to download sudo rules from an LDAP server.
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = EXAMPLE
[domain/EXAMPLE]
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
When the SSSD is configured to use IPA as the ID provider, the sudo provider is automatically enabled. The sudo search base is configured
to use the compat tree (ou=sudoers,$DC).
THE SUDO RULE CACHING MECHANISM
The biggest challenge, when developing sudo support in SSSD, was to ensure that running sudo with SSSD as the data source provides the same
user experience and is as fast as sudo but keeps providing the most current set of rules as possible. To satisfy these requirements, SSSD
uses three kinds of updates. They are referred to as full refresh, smart refresh and rules refresh.
The smart refresh periodically downloads rules that are new or were modified after the last update. Its primary goal is to keep the
database growing by fetching only small increments that do not generate large amounts of network traffic.
The full refresh simply deletes all sudo rules stored in the cache and replaces them with all rules that are stored on the server. This is
used to keep the cache consistent by removing every rule which was deleted from the server. However, full refresh may produce a lot of
traffic and thus it should be run only occasionally depending on the size and stability of the sudo rules.
The rules refresh ensures that we do not grant the user more permission than defined. It is triggered each time the user runs sudo. Rules
refresh will find all rules that apply to this user, check their expiration time and redownload them if expired. In the case that any of
these rules are missing on the server, the SSSD will do an out of band full refresh because more rules (that apply to other users) may have
been deleted.
If enabled, SSSD will store only rules that can be applied to this machine. This means rules that contain one of the following values in
sudoHost attribute:
o keyword ALL
o wildcard
o netgroup (in the form "+netgroup")
o hostname or fully qualified domain name of this machine
o one of the IP addresses of this machine
o one of the IP addresses of the network (in the form "address/mask")
There are many configuration options that can be used to adjust the behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5) and "sudo_*" in
sssd.conf(5).
SEE ALSO
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-sudo(5),sss_cache(8), sss_debuglevel(8),
sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8),pam_sss(8).
AUTHORS
The SSSD upstream - http://fedorahosted.org/sssd
SSSD
06/17/2014 SSSD-SUDO(5)