AIX

Hello All,
I am trying to grant sudo privileges to a set of users (say tom and jerry) to sudo to another set of users (jim, harry). This is because we don't want to disclose the password of jim and harry.

I did defined the user_alias and runas alias.

Code:

%wms ALL = (USR) /usr/bin/su -, where  wms is the group to which (tom and jerry belong) and USR is the Runas_Alias for jim and harry

But, it is not liking it. I did multiple combinations but it ain't working.

I am running it on AIX 7.1, thanks in advance.

I am able to do it successfully by adding the below, but I have 9 users so I don't want to add 9 lines in sudoers file.

Code:

JDA    ALL = /usr/bin/su - jim, where JDA is User_Alias for tom and jerry

What do you mean "to sudo to another set of users"? Are you confusing sudo with su? Also, you can stack the two commands, for example, if tom types "sudo su - jim" he will use sudo to execute the su command, and become the jim user, without knowing jim's password. Additionally, the NOPASSWD option in the sudoers file will allow tom to do this without typing any password at all.

First, you have to create a command-alias: the command(s) you want to allow. Than you have to create a user-alias: the (group of) user(s) you want to make use of the allowed commands. Finally you have to create a rule, where you state that the users in user-alias are allowed to execute the commands in command-alias. (I skipped the host-alias as this seems to be no issue here.)

That is the general outline of what you have to do. Please post these three definitions from your file /etc/sudoers here, then we can evaluate what you have done and what went wrong.

I hope this helps.

bakunin

Alright here is what I did

Code:

User_Alias JDA = rlalgudi, kwalker, ndevries, afitzpat
Runas_Alias DA = wmstst, modtst, emstst, remtst
JDA  ALL = (DA) ALL

Also, I have tried using

Code:

%wms ALL = (DA) /usr/bin/su -, where wms is the group to which User_Alias users belong to

I want to achieve all this in one command, instead of specifying the access to each user. Like it is working if I do the below

Code:

%wms ALL = /usr/bin/su - wmstst

But when I try to use Runas_Alias instead of single user I get the below.

Code:

kwalker@myaixhost:/home/kwalker:$ sudo -l
User kwalker may run the following commands on this host:
    (wmstst, modtst, emstst, remtst) ALL
kwalker@myaixhost:/home/kwalker:$ sudo su - emstst
Sorry, user kwalker is not allowed to execute '/usr/bin/su - emstst' as root on myaixhost.

If i am not mistaken you can include user groups in the User_Alias definition. If you have already a Unix group for this i suggest you use this instead of specifying another group in the sudoers file. This is easier to maintain.

If you want to switch to another user you have to use the "su" command as "root", sudos complaint was basically that you have no rule defining such a privilege for the users you want to be able to become other users. A "Runas_Alias" defines the (effective) user (ID) under which to run the command. You have allowed all users in JDA to run all commands as one of the users in DA - certainly not what you wanted. (To test my assumption: try "sudo -u emstst /bin/ls" as user "kwalker". This should work - you have run "/bin/ls" under the effective user ID of emstst.)

Delete the Runas_Alias. Define a Cmnd_Alias with the commands "su - wmstst", "su - modtst", etc., then allow the user "User_Alias-Name" to run command "Cmnd_Alias-Name" as root. This should work.

I hope this helps.

bakunin

It ain't working can you provide me the syntax?

---------- Post updated at 12:33 PM ---------- Previous update was at 12:11 PM ----------

Thanks Bakunin, that was it, I was able to achieve using

Code:

Cmnd_Alias

As you mentioned above.

This is what I did

Code:

User_Alias JDA = tom, julie, harry
Cmnd_Alias CMD = /usr/bin/su - wmstst,/usr/bin/su - emstst, /usr/bin/su - modtst
JDA ALL=CMD,   also I tried %groupname, which works fine too, but I rather go with User_Alias

Thanks a lot again!

I am glad it worked out for you. What you did was exactly what i had in mind.

Moderator's Comments:

Changed thread title to SOLVED.

bakunin