Hello,
I have a wrapper script that I am trying to build/execute, which has two different sub scripts, which run as two separate users.
Purpose is to mask the contents of the script and allow the user to execute utlrp.sql, which requires sys level privs to execute.
User FORD logs in, and executes the wrapper script, wrapper.sh
The wrapper script presents its content in menu format. Here is what the wrapper.sh
A) execute one.sql
B) execute two.sql and three.sql
C) execute three.sql

A. one.sql
   requires no specific credentials
B. two.sql
   REQUIRES FORD credentials to execute.
   has a login-ID check at the beginning and kicks you out if you aren't the FORD user.
   three.sql
   requires "ORACLE" credentials to log in and execute utlrp.sql -- which requires logging in as sys for execution.
C. three.sql
   Same as above, but only runs the utlrp.sql script.
So I edited sudoers (via visudo) to implement the necessary privs. (shown in RED)
Here is where I'm stuck. From my understanding, for the user to execute this via the sudo functionality, the main wrapper command would be executed as such:
sudo wrapper.sh. It prompts me for the menu as desired. When I choose A, it doesn't see user FORD... and kicks me out.
When I choose B or C, it works fine. It executes the second one fine, and logs in as sys executing the utlrp.sql.
So my question is this: Is there a way to configure the sudo setup so that user FORD executes the wrapper, passes user FORD to menu item A, but only passes itself as the ORACLE user to menu items B or C for the sake of sqlplus as sys?
Thanks.
Last edited by rbatte1; 12-09-2016 at 10:35 AM.
Reason: Converted to formatted letter number-list
To keep the forums high quality for all users, please take the time to format your posts correctly.
First of all, use Code Tags when you post any code or data samples so others can easily read your code. You can easily do this by highlighting your code and then clicking on the # in the editing menu. (You can also type code tags [code] and [/code] by hand.)
Second, avoid adding color or different fonts and font size to your posts. Selective use of color to highlight a single word or phrase can be useful at times, but using color, in general, makes the forums harder to read, especially bright colors like red.
Third, be careful when you cut-and-paste, edit any odd characters and make sure all links are working properly.
Thank you for the response. Sorry for the color, I didn't realize it would be such a sensitive issue.
As for the recommendation, I don't know that it would fulfill the same security needs, as it would make the script itself owned by the user, which means that the user could also see it, yes?
Also, by putting the sudo command inside the script, wouldn't that fork off another sub-shell to run the subsequent commands?
You can't really run code as a different user without putting it in a subshell.
Using sudo inside the script would probably mean splitting off a few more scripts from it so you can put them all in sudoers appropriately, which would mean the parts you wouldn't want seen wouldn't be. If someone sees the code for the menu, who cares, as long as it hasn't got the passwords?
Correct. It doesn't matter, as I'm not using passwords.
For this level of DB login, as SYS, it's not the conventional login/pw sequence.
normal would be
for this, I need to be able to execute AS ORACLE USER
It will only allow the oracle os user to use this login process.
Oracle is complex in this way that the sys user can log into a layer under the database.
AND unfortunately, this specific oracle script/command REQUIRES to be logged into the database as SYS.
Having said that, I have made progress based upon your suggestions. Thank you.
I am able to now execute the wrapper script and option 1 executes as FORD.
I'm not testing option 2, simply because it's a combo of 1 and 3.
So testing option 3, it's a partial success/fail.
I can tell that it is executing as oracle, because the oracle user is the only one allowed to see or execute the script.
But the Oracle security doesn't like something, as the second part of the 2 step login is failing.
That part of the script is as follows.
It's telling me invalid user/pass.
Then tries to execute the script, which of course is failing.
So chasing that now.
Also, for giggles, I tried the following at the command line (AS ORACLE)
And it worked flawlessly.
Ran the same thing as FORD, and it runs the first line, but then fails on the next.
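The layout suggested in the reply above (unprivileged menu, privileged pieces split into their own scripts and listed in sudoers) and the symptom in the last post (the sys login working as oracle but failing as FORD) can be put together in one script. This is an added example and not the poster's wrapper.sh or anything from the thread; the paths under /opt/dba, the OS user names ford and oracle, the sqlplus invocations and the use of Oracle OS authentication ("/ as sysdba") for the sys login are all assumptions, since the thread's own commands were not reproduced.

```shell
#!/bin/sh
# Added example, not the poster's wrapper.sh: the menu runs unprivileged as the
# calling user (ford); only the oracle-owned step is elevated with sudo.
# Assumed (hypothetical) paths and names:
#   /opt/dba/bin/wrapper.sh  - this menu, readable by ford, holds no secrets
#   /opt/dba/priv/three.sh   - owned by oracle, mode 0700, runs utlrp.sql
#   OS users "ford" and "oracle"; sys login via OS authentication (/ as sysdba)

PRIV_DIR="${PRIV_DIR:-/opt/dba/priv}"

# The only sudoers rule needed (constructed; install it with visudo). ford may
# run exactly one command as oracle; wrapper.sh itself is NOT in sudoers, so
# the menu keeps ford's identity and one.sql/two.sql see the FORD user.
SUDOERS_RULE='ford ALL=(oracle) NOPASSWD: /opt/dba/priv/three.sh'

# Contents of the oracle-owned three.sh (constructed). Because "sudo -u oracle"
# starts it as the oracle OS user, "/ as sysdba" OS authentication succeeds;
# the same line run as ford is exactly what gets "invalid user/pass".
THREE_SH='#!/bin/sh
[ "$(id -un)" = "oracle" ] || { echo "three.sh must run as oracle" >&2; exit 1; }
exec sqlplus -s / as sysdba @?/rdbms/admin/utlrp.sql'

# Map a menu letter to the command line it should run (sqlplus lines are
# placeholders; the thread's real login sequence was not shown).
menu_command() {
    case "$1" in
        A) echo "sqlplus ford @one.sql" ;;
        B) echo "sqlplus ford @two.sql && sudo -u oracle $PRIV_DIR/three.sh" ;;
        C) echo "sudo -u oracle $PRIV_DIR/three.sh" ;;
        *) return 1 ;;
    esac
}

# Detect the mistake from the thread: starting the wrapper itself under sudo.
# sudo exports SUDO_USER, so if it is set the menu is no longer running as
# ford and two.sql's login check would reject it.
started_under_sudo() {
    [ -n "${SUDO_USER:-}" ]
}

main_menu() {
    if started_under_sudo; then
        echo "Run this menu as yourself, not under sudo" >&2
        return 1
    fi
    printf 'A) one.sql\nB) two.sql and three.sql\nC) three.sql\nChoice: '
    read -r choice
    cmd=$(menu_command "$choice") || { echo "unknown choice" >&2; return 1; }
    eval "$cmd"
}

# Start the interactive menu only when asked, so the functions can be sourced
# or tested without blocking on input.
if [ "${RUN_MENU:-0}" = 1 ]; then
    main_menu
fi
```

Run it as ford with `RUN_MENU=1 /opt/dba/bin/wrapper.sh`, never as `sudo wrapper.sh`. Keep three.sh owned by oracle with mode 0700 so ford cannot read it, and give sudoers only that one full path: the readable menu then contains nothing worth hiding, while utlrp.sql still runs under the oracle OS user that Oracle's sys login requires.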