sudo - User privilege specification


 
Thread Tools Search this Thread
Operating Systems AIX sudo - User privilege specification
# 1  
Old 12-29-2011
sudo - User privilege specification

I am planning to implement sudo for users.

Under [# User privilege specification], it looks I have to put the users who need to have sudo access:

What are the recommended [# User privilege specification] for users? I don't think I need to give the ALL privilege (i.e [root ALL=(ALL) ALL]) to AIX users.

I'd like to know the commonly used privilege specification for sudo users.

Please advise.
# 2  
Old 12-30-2011
Well I would suggest that you create Cmnd_Alias in /etc/sudoers depending on the users' roles. Then, create groups depending on the roles and add the users in those groups. Provide the group to use the Cmnd_Alias. This way, it will save you a lot of time when you have new user with the same role and when you need to add new commands for the particular role.

If you let me know the role for the users, I might be able to show you an example of how to set sudo privileges for them.
# 3  
Old 01-03-2012
I do NOT want them

- modify any AIX parameters
- add/remove/change/modify anything under SMIT except SMIT Print and SMIT Printer
- execute any of rm / rmdev (remove files/devices) commands
- execute shutdown commands

Please advise if these are possible.
# 4  
Old 01-04-2012
I guess that granularity will be not possible with sudo. sudo will be used for a positive list, what they may do, not what they may not do. You might want to have a look into RBAC (Role Based Access Control). You can create a role with just the permissions your users need and assign that to them. There are some IBM Redbooks and IBM System Magazine articles about security handling RBAC.

Last edited by zaxxon; 01-04-2012 at 05:23 AM.. Reason: typo
# 5  
Old 01-04-2012
Well I can give you an example how I setup command alias in /etc/sudoers file for our ID Administration team. This is what it looks like:

Code:
Cmnd_Alias      IDADMIN=/usr/bin/mkuser, /usr/bin/chuser, /usr/sbin/rmuser, \
                /usr/bin/passwd [0-9]*, /usr/bin/passwd [A-z]* ,\
                !/usr/bin/passwd root, \
                /usr/bin/chsec, /usr/bin/mkgroup, /usr/sbin/rmgroup, \
                /home/comadm/passwd_lastupdate.pl, \
                /usr/bin/ls, /usr/bin/chmod, /usr/bin/chown, /usr/bin/chgrp, \
                /usr/bin/find, /usr/sbin/lsuser, /usr/bin/vi /etc/ftpusers, \
                /usr/local/bin/generate_user_file_list, \
                /usr/local/bin/remove_user_files, /usr/bin/cat, \
                /usr/bin/rm -f /var/spool/mail/*, \
                ! /usr/bin/rm -f /var/spool/mail/root, \
                /usr/bin/rm -f /var/spool/cron/crontabs/*, \
                ! /usr/bin/rm -f /var/spool/cron/crontabs/root, \
                /usr/bin/rm -f /var/spool/cron/atjobs/*, \
                /usr/bin/rm -rf /home/*, /usr/bin/pwdadm, /usr/bin/smitty user

With command alias you can not only create positive set of list but also you can specify what they cannot do using sudo (as opposed to what zaxxon said, note the exclamatory sign in front of commands which are being restricted).

Hope you get an idea on how to set up /etc/sudoers
This User Gave Thanks to admin_xor For This Post:
# 6  
Old 01-04-2012
Never used it that way, learned something, thanks. Though using RBAC might be more apropriate still according to what he listed.

Last edited by zaxxon; 01-04-2012 at 08:39 AM..
# 7  
Old 01-04-2012
PHP Code:
# Cmnd alias specification

Cmnd_Alias      IDADMIN=/usr/bin/mkuser, /usr/bin/chuser, /usr/sbin/rmuser, \
                /
usr/bin/passwd [0-9]*, /usr/bin/passwd [A-z]* ,\
                !/
usr/bin/passwd root, \
                /
usr/bin/chsec, /usr/bin/mkgroup, /usr/sbin/rmgroup, \
                /
home/comadm/passwd_lastupdate.pl, \
                /
usr/bin/ls, /usr/bin/chmod, /usr/bin/chown, /usr/bin/chgrp, \
                /
usr/bin/find, /usr/sbin/lsuser, /usr/bin/vi /etc/ftpusers, \
                /
usr/local/bin/generate_user_file_list, \
                /
usr/local/bin/remove_user_files, /usr/bin/cat, \
                /
usr/bin/rm -/var/spool/mail/*, \
                ! /usr/bin/rm -f /var/spool/mail/root, \
                /usr/bin/rm -f /var/spool/cron/crontabs/*, \
                ! /usr/bin/rm -f /var/spool/cron/crontabs/root, \
                /usr/bin/rm -f /var/spool/cron/atjobs/*, \
                /usr/bin/rm -rf /home/*, /usr/bin/pwdadm, /usr/bin/smitty user

# Defaults specification
Defaults passprompt="Enter password of %u: "
Defaults               syslog=local2

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL 
On /etc/sudoers, I added it as above.

How do you put the restrictions to AIX users with 'Cmnd_Alias'?

Do I need to put a user, i.e. JDoe, under here?

PHP Code:
# User privilege specification
root    ALL=(ALLALL 
Sorry for the novice question....

Thanks so much
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. Solaris

Assigning proc_owner privilege to particular user in RBAC

Hi I need to assign proc_owner privilege to particular user through RBAC. How can I assign this privilege to user, I need help on this. Further I need to understand if I give this proc_owner privilege to particular user, what kind of control user will get on other user or system processes... (7 Replies)
Discussion started by: sb200
7 Replies

2. Shell Programming and Scripting

Create user with different privilege

Hi , I want to create 3 different user with below privilege in Solaris and Linux. 1) Read Only 2)Read and Write Only 3) Admin user Can you guys help me on this . (3 Replies)
Discussion started by: Naveen Pathak
3 Replies

3. Cybersecurity

sudo - AIX - User privilege specification

I am planning to implement sudo for users. Under , it looks I have to put the users who need to have sudo access: What are the recommended for users? I don't think I need to give the ALL privilege (i.e ) to AIX users. I'd like to know the commonly used privilege specification for sudo... (1 Reply)
Discussion started by: Daniel Gate
1 Replies

4. Red Hat

Save sudo privilege for session

I have setup public key based login to my CentOS VPS. I wish to disable direct root login and have created an admin user under wheel group and have modified /etc/sudoers file and gave Wheel group all privileges. But now I am being prompted for password whenever I type sudo. I do not wish to... (4 Replies)
Discussion started by: JoyceBabu
4 Replies

5. AIX

User Privilege

How to assign superuser privilege to an ordinary user temporarily (1 Reply)
Discussion started by: udtyuvaraj
1 Replies

6. UNIX for Dummies Questions & Answers

How to create/restrict a user with to have no privilege from other group

Hello experts I am new to Unix. Env : HPUX I need to create a user say testuser such that it does not have access to file/directories from the other group i.e the last 3 digits . How do I do that. Reason for such a request :- I have an existing user oracle which has default umask... (3 Replies)
Discussion started by: simonsimon
3 Replies

7. Solaris

Root privilege for user

Can anyone please tell how to give root privilege to a normal user in solaris 10? (5 Replies)
Discussion started by: nicktrix
5 Replies

8. AIX

[Help] Give privilege to an ordinary user

I'm trying to give a non-root user the right to start IBM HTTP Server, the web server is listening on port 80, but for AIX, ports under 1024 are privilege ports which can be used only by root. /usr/IBMIHS/bin# ./apachectl start (13)Permission denied: make_sock: could not bind to address :::80... (1 Reply)
Discussion started by: ibmer414
1 Replies

9. UNIX for Dummies Questions & Answers

Write privilege for user

Is it possible to grant write privileges to a user on a directory with out having to add the user to a group or make the user the owner of the directory? My background is in Windows and in Windows you can grant specific privileges to a user without having to put the user in a group or making the... (3 Replies)
Discussion started by: here2learn
3 Replies
Login or Register to Ask a Question