Sudo Not working on Solaris 10


 
# 1  
Old 07-06-2015
Sudo Not working on Solaris 10

Hi All, I'm a bit new to Solaris 10. I've been working on Redhat and can't seem to get sudo working on Solaris 10.

I've installed the below packages via the pkgadd command:
Code:
  gcc-4.7.2-sol10-x86-local
 libiconv-1.14-sol10-x86-local
 libintl-3.4.0-sol10-x86-local
  sudo-1.8.13-sol10-x86-local
 zlib-1.2.8-sol10-x86-local

The below script I wrote to add the user and edit the sudoers file so that the ccsadmin user can execute the commands listed.

Code:
 #!/bin/bash
  
 echo "WARNING this script will add user CCSADMIN and Modify permissions to M&R user this server, with predefined passwords, The script will delay for 10secs before it will start
 to create accounts"
 echo "############################## `sleep 5`############################"
  
 echo "Now adding and Modifying Users"
  
 useradd -d /export/home/ccsadmin -m -s /bin/bash -c "CCS user for Compliance Scanning" ccsadmin
 groupadd ccsadmin
 mkdir /export/home/ccsadmin/.ssh
 cd /export/home/ccsadmin
 chown -R ccsadmin:ccsadmin .
 chmod 700 /export/home/ccsadmin/.ssh
 touch /export/home/ccsadmin/.ssh/authorized_keys
 echo "ssh-dss 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 CCS dsa-key-20110210" >> /export/home/ccsadmin/.ssh/authorized_keys
 echo "ssh-dss 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 TripWire nCircle" >> /export/home/ccsadmin/.ssh/authorized_keys
 chmod 644 /export/home/ccsadmin/.ssh/authorized_keys
 chown -R ccsadmin:ccsadmin /export/home/ccsadmin/.ssh/authorized_keys
  
 sleep 3
 echo "Adjusting CCSADMIN Sudoers file"
  
 cp /usr/local/etc/sudoers /usr/local/etc/sudoers.backup
 echo '#######################'>> /usr/local/etc/sudoers
 echo '## Adding ccsadmin and relevant command permissions'>> /usr/local/etc/sudoers
 echo 'ccsadmin ALL=(ALL) SETENV: NOPASSWD: SECURITY, NETWORKING, SOFTWARE, SERVICES, LOCATE, STORAGE, DELEGATING, PROCESSES, DRIVERS, !SU, !ACTIVEADMCMDS, !SYSADMCMD, ADMINCMD, ENVCMDS, NOEXEC: /usr/bin/find, /usr/bin/uptime, /usr/bin/uname, /usr/sbin/dig, /usr/bin/cat, /usr/sbin/ifconfig, /usr/bin/date, /usr/bin/grep, /usr/bin/who, /usr/bin/ypwhich, /usr/bin/ps,  /usr/bin/ls, /usr/bin/who, /usr/bin/id, /usr/bin/strings, /usr/bin/file, /usr/sbin/df, /usr/bin/cksum, /usr/bin/runat, /usr/bin/pkginfo, /usr/sbin/patchadd, /usr/bin/netstat, /usr/bin/rpcinfo, /usr/sbin/sysdef, /usr/sbin/routeadm, /usr/sbin/ndd, /usr/bin/mdb, /usr/bin/egrep, /usr/sbin/eeprom, /usr/bin/ulimit -a, /usr/sbin/pkgchk, /usr/bin/svcs, /usr/bin/ls, /usr/bin/cut' >> /usr/local/etc/sudoers
 echo '## End of ccsadmin entry'>> /usr/local/etc/sudoers
 echo '#######################'>> /usr/local/etc/sudoers
 exit $?    # Exit with status 0 (successful). To check this, do echo $? after the script executes

This is the Standard Sudoers File

Code:
 root@tcipidc01 # cat /usr/local/etc/sudoers
 # sudoers file.
 #
 # This file MUST be edited with the 'visudo' command as root.
 #
 # See the sudoers man page for the details on how to write a sudoers file.
 #
  
 # Host alias specification
  
 # User alias specification
  
 # Cmnd alias specification
  
 # Defaults specification
 Defaults logfile=/var/log/sudo.log
  
 # Runas alias specification
  
 # User privilege specification
 root    ALL=(ALL) ALL
 ccsadmin        ALL=(ALL) ALL
 hillsro         ALL=(ALL) ALL
  
 # Uncomment to allow people in group wheel to run all commands
 # %wheel        ALL=(ALL)       ALL
 %sysadmin  ALL=(ALL) ALL
  
 # Same thing without a password
 # %wheel        ALL=(ALL)       NOPASSWD: ALL
 %sysadmin  ALL=(ALL) ALL
  
 # Samples
 # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
 # %users  localhost=/sbin/shutdown -h now
 root@tcipidc01 #

After the script edits the sudoers file, it looks like this:


Code:
 [root@THC-A-01_NET0 08:48:36 /]#cat /usr/local/etc/sudoers
 ## sudoers file.
 ##
 ## This file MUST be edited with the 'visudo' command as root.
 ## Failure to use 'visudo' may result in syntax or file permission errors
 ## that prevent sudo from running.
 ##
 ## See the sudoers man page for the details on how to write a sudoers file.
 ##
  
 ##
 ## Host alias specification
 ##
 ## Groups of machines. These may include host names (optionally with wildcards),
 ## IP addresses, network numbers or netgroups.
 # Host_Alias    WEBSERVERS = www1, www2, www3
  
 ##
 ## User alias specification
 ##
 ## Groups of users.  These may consist of user names, uids, Unix groups,
 ## or netgroups.
 # User_Alias    ADMINS = millert, dowdy, mikef
  
 ##
 ## Cmnd alias specification
 ##
 ## Groups of commands.  Often used to group related commands together.
 # Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
 #                           /usr/bin/pkill, /usr/bin/top
  
 ##
 ## Defaults specification
 ##
 ## You may wish to keep some of the following environment variables
 ## when running commands via sudo.
 ##
 ## Locale settings
 # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
 ##
 ## Run X applications through sudo; HOME is used to find the
 ## .Xauthority file.  Note that other programs use HOME to find
 ## configuration files and this may lead to privilege escalation!
 # Defaults env_keep += "HOME"
 ##
 ## X11 resource path settings
 # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
 ##
 ## Desktop path settings
 # Defaults env_keep += "QTDIR KDEDIR"
 ##
 ## Allow sudo-run commands to inherit the callers' ConsoleKit session
 # Defaults env_keep += "XDG_SESSION_COOKIE"
 ##
 ## Uncomment to enable special input methods.  Care should be taken as
 ## this may allow users to subvert the command being run via sudo.
 # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
 ##
 ## Uncomment to enable logging of a command's output, except for
 ## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
 # Defaults log_output
 # Defaults!/usr/bin/sudoreplay !log_output
 # Defaults!/usr/local/bin/sudoreplay !log_output
 # Defaults!/sbin/reboot !log_output
  
 ##
 ## Runas alias specification
 ##
  
 ##
 ## User privilege specification
 ##
 root ALL=(ALL) ALL
  
 ## Uncomment to allow members of group wheel to execute any command
 # %wheel ALL=(ALL) ALL
  
 ## Same thing without a password
 # %wheel ALL=(ALL) NOPASSWD: ALL
  
 ## Uncomment to allow members of group sudo to execute any command
 # %sudo ALL=(ALL) ALL
  
 ## Uncomment to allow any user to run sudo if they know the password
 ## of the user they are running the command as (root by default).
 # Defaults targetpw  # Ask for the password of the target user
 # ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
  
 ## Read drop-in files from /usr/local/etc/sudoers.d
 ## (the '#' here does not indicate a comment)
 #includedir /usr/local/etc/sudoers.d
 #######################
 ## Adding ccsadmin and relevant command permissions
 ccsadmin ALL=(ALL) SETENV: NOPASSWD: SECURITY, NETWORKING, SOFTWARE, SERVICES, LOCATE, STORAGE, DELEGATING, PROCESSES, DRIVERS, !SU, !ACTIVEADMCMDS, !SYSADMCMD, ADMINCMD, ENVCMDS, NOEXEC: /usr/bin/find, /usr/bin/uptime, /usr/bin/uname, /usr/sbin/dig, /usr/bin/cat, /usr/sbin/ifconfig, /usr/bin/date, /usr/bin/grep, /usr/bin/who, /usr/bin/ypwhich, /usr/bin/ps,  /usr/bin/ls, /usr/bin/who, /usr/bin/id, /usr/bin/strings, /usr/bin/file, /usr/sbin/df, /usr/bin/cksum, /usr/bin/runat, /usr/bin/pkginfo, /usr/sbin/patchadd, /usr/bin/netstat, /usr/bin/rpcinfo, /usr/sbin/sysdef, /usr/sbin/routeadm, /usr/sbin/ndd, /usr/bin/mdb, /usr/bin/egrep, /usr/sbin/eeprom, /usr/bin/ulimit -a, /usr/sbin/pkgchk, /usr/bin/svcs, /usr/bin/ls, /usr/bin/cut
 ## End of ccsadmin entry
 #######################
 #######################
 ## Adding ccsadmin and relevant command permissions
 ccsadmin ALL=(ALL) SETENV: NOPASSWD: SECURITY, NETWORKING, SOFTWARE, SERVICES, LOCATE, STORAGE, DELEGATING, PROCESSES, DRIVERS, !SU, !ACTIVEADMCMDS, !SYSADMCMD, ADMINCMD, ENVCMDS, NOEXEC: /usr/bin/find, /usr/bin/uptime, /usr/bin/uname, /usr/sbin/dig, /usr/bin/cat, /usr/sbin/ifconfig, /usr/bin/date, /usr/bin/grep, /usr/bin/who, /usr/bin/ypwhich, /usr/bin/ps,  /usr/bin/ls, /usr/bin/who, /usr/bin/id, /usr/bin/strings, /usr/bin/file, /usr/sbin/df, /usr/bin/cksum, /usr/bin/runat, /usr/bin/pkginfo, /usr/sbin/patchadd, /usr/bin/netstat, /usr/bin/rpcinfo, /usr/sbin/sysdef, /usr/sbin/routeadm, /usr/sbin/ndd, /usr/bin/mdb, /usr/bin/egrep, /usr/sbin/eeprom, /usr/bin/ulimit -a, /usr/sbin/pkgchk, /usr/bin/svcs, /usr/bin/ls, /usr/bin/cut
 ## End of ccsadmin entry
 #######################


Please advise on how I can get the ccsadmin user to run the sudo commands.

Thanks

Last edited by jim mcnamara; 07-06-2015 at 12:31 PM..
# 2  
Old 07-06-2015
Quote:
Code:
The script will delay for 10secs before it will start
 to create accounts"
 echo "############################## `sleep 5`############################"

Keep the users on their toes eh?


Quote:
Code:
...SECURITY, NETWORKING, SOFTWARE, SERVICES, LOCATE, STORAGE, DELEGATING, PROCESSES, DRIVERS, !SU, !ACTIVEADMCMDS, !SYSADMCMD, ADMINCMD, ENVCMDS...

Unless I'm missing it (and I might be, that sudoers has a lot of comments) you don't seem to be defining any of these aliases earlier in the file. I can't see how that would work.

BTW, using NOEXEC to limit all those binaries is not likely to keep someone out of a root shell if they are determined, unless those commands are the only ones being granted to the user.
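
The undefined-alias problem raised in the reply can be checked mechanically. The script below is an added example, not code from either poster: it lists every `Cmnd_Alias` name that a sudoers rule references but the file never defines. The function names and the sample file are constructed for illustration (the rule is abbreviated from the thread, and the `SOFTWARE` definition is added to show a defined alias); it assumes one alias definition per line with no backslash continuations.

```shell
#!/bin/sh
# Added example: report Cmnd_Alias names a sudoers file uses but never defines.
undefined_cmnd_aliases() {
    LC_ALL=C awk '
    # Pass 1: remember every alias that has a real (uncommented) definition.
    NR == FNR {
        if ($1 == "Cmnd_Alias") { name = $2; sub(/=.*/, "", name); defined[name] = 1 }
        next
    }
    # Pass 2: skip comments, blank lines, Defaults and alias definitions.
    /^[ \t]*(#|$)/ || $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
    {
        spec = $0
        sub(/^[^=]*=/, "", spec)             # drop "user host ="
        gsub(/\([^)]*\)/, "", spec)          # drop Runas lists such as (ALL)
        gsub(/[A-Z_]+:/, "", spec)           # drop tags such as NOPASSWD:
        n = split(spec, item, ",")
        for (i = 1; i <= n; i++) {
            t = item[i]
            gsub(/^[ \t!]+|[ \t]+$/, "", t)  # trim blanks and the ! negation
            # An all-uppercase word that is not ALL must be an alias name.
            if (t ~ /^[A-Z][A-Z0-9_]*$/ && t != "ALL" && !(t in defined) && !seen[t]++)
                print t
        }
    }' "$1" "$1"
}

# Constructed sample: PROCESSES exists only inside a comment, as in the thread.
write_sample() {
    cat > "$1" <<'EOF'
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill
Cmnd_Alias SOFTWARE = /usr/bin/pkginfo
root ALL=(ALL) ALL
ccsadmin ALL=(ALL) SETENV: NOPASSWD: SECURITY, SOFTWARE, PROCESSES, !SU, ENVCMDS, NOEXEC: /usr/bin/find, /usr/bin/ulimit -a
EOF
}

sample=$(mktemp)
write_sample "$sample"
undefined_cmnd_aliases "$sample"
rm -f "$sample"
```

Running a candidate file through `visudo -c -f <file>` before installing it applies sudo's own parser to the same question, which is safer than appending to the live sudoers with `echo >>`.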