From mlh at zip.com.au Sun Feb 1 17:15:08 2009
From: mlh at zip.com.au (Matthew Hannigan)
Date: Mon, 2 Feb 2009 09:15:08 +1100
Subject: [sudo-users] sudo-1.6.9p17 - problem with wildcards
In-Reply-To: <49831244.4CAF.003C.0@CBC.CA>
References: <49831244.4CAF.003C.0@CBC.CA>
Message-ID: <20090201221508.GD7406@evofed.localdomain>

On Fri, Jan 30, 2009 at 02:44:21PM -0500, Julian Dunn wrote:
> Hi sudoers:
>
> I have the same problem as this individual:
>
> http://www.sudo.ws/mailman/htdig/sudo-users/2008-November/003814.html
>
> I'm on RedHat Enterprise Linux 5.3 and so I have sudo-1.6.9p17-3.el5
>
> I want to give myself the permission to run anything matching /etc/init.d/tomcat5-sb* without a password, so I have
>
> % sudo -l
> User jdunn may run the following commands on this host:
>     (ALL) ALL
>     (root) NOPASSWD: /usr/bin/install, /etc/init.d/tomcat5-sb*, /etc/init.d/cbcsandboxes
>     (root) /etc/init.d/tomcat5-sb20
>     (cruise) /usr/bin/cvs
>     (webmaster) ALL
>
> However, I still keep getting prompted for a password when executing anything of /etc/init.d/tomcat5-*

Are /etc/init.d/tomcat5-sb* executable?

From Julian.Dunn at CBC.CA Sun Feb 1 22:41:46 2009
From: Julian.Dunn at CBC.CA (Julian Dunn)
Date: Sun, 01 Feb 2009 22:41:46 -0500
Subject: [sudo-users] sudo-1.6.9p17 - problem with wildcards
Message-ID: <4986252A0200003C000691F1@mtlnwgwiaout.mtl.cbc.ca>

They're symbolic links to /etc/init.d/tomcat5 which is executable.
- Julian

>>> Matthew Hannigan 02/01/09 5:16 PM >>>
On Fri, Jan 30, 2009 at 02:44:21PM -0500, Julian Dunn wrote:
> Hi sudoers:
>
> I have the same problem as this individual:
>
> http://www.sudo.ws/mailman/htdig/sudo-users/2008-November/003814.html
>
> I'm on RedHat Enterprise Linux 5.3 and so I have sudo-1.6.9p17-3.el5
>
> I want to give myself the permission to run anything matching /etc/init.d/tomcat5-sb* without a password, so I have
>
> % sudo -l
> User jdunn may run the following commands on this host:
>     (ALL) ALL
>     (root) NOPASSWD: /usr/bin/install, /etc/init.d/tomcat5-sb*, /etc/init.d/cbcsandboxes
>     (root) /etc/init.d/tomcat5-sb20
>     (cruise) /usr/bin/cvs
>     (webmaster) ALL
>
> However, I still keep getting prompted for a password when executing anything of /etc/init.d/tomcat5-*

Are /etc/init.d/tomcat5-sb* executable?

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

From christian.peper at kpn.com Mon Feb 2 05:41:52 2009
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Mon, 2 Feb 2009 11:41:52 +0100
Subject: [sudo-users] sudo-1.6.9p17 - problem with wildcards
In-Reply-To: <49831244.4CAF.003C.0@CBC.CA>
References: <49831244.4CAF.003C.0@CBC.CA>
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101E922B5@KKWNLEX182.kpnnl.local>

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Julian Dunn
> Sent: Friday, January 30, 2009 8:44 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] sudo-1.6.9p17 - problem with wildcards
>
> I'm on RedHat Enterprise Linux 5.3 and so I have sudo-1.6.9p17-3.el5
>
> I want to give myself the permission to run anything matching
> /etc/init.d/tomcat5-sb* without a password, so I have
>
> % sudo -l
> User jdunn may run the following commands on this host:
>     (ALL) ALL
>     (root) NOPASSWD: /usr/bin/install,
>     /etc/init.d/tomcat5-sb*, /etc/init.d/cbcsandboxes
>     (root) /etc/init.d/tomcat5-sb20
>     (cruise) /usr/bin/cvs
>     (webmaster) ALL
>
> However, I still keep getting prompted for a password when
> executing anything of /etc/init.d/tomcat5-*

Julian,

I don't know if sudo -l preserves the order of things it gets from sudoers, but the line (ALL) ALL matches *before* (root) NOPASSWD...

I've had this happen to me on some occasions, and putting more specific rules first, before listing things like (ALL) ALL etc., helps.

Just an idea.

Chris.

From Julian.Dunn at CBC.CA Mon Feb 2 08:33:33 2009
From: Julian.Dunn at CBC.CA (Julian Dunn)
Date: Mon, 02 Feb 2009 08:33:33 -0500
Subject: [sudo-users] sudo-1.6.9p17 - problem with wildcards
Message-ID: <4986AFDD0200003C0006921A@mtlnwgwiaout.mtl.cbc.ca>

(Apologies in advance for the top replies as I am forced to use Novell Groupwise)

Thanks for the suggestion, but the other commands listed under "(root) NOPASSWD" work fine -- I can run /usr/bin/install and /etc/init.d/cbcsandboxes with no password. The /etc/init.d/tomcat5-sb* commands are the only ones which prompt me for a sudo password.
- Julian

>>> 02/02/09 5:44 AM >>>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Julian Dunn
> Sent: Friday, January 30, 2009 8:44 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] sudo-1.6.9p17 - problem with wildcards
>
> I'm on RedHat Enterprise Linux 5.3 and so I have sudo-1.6.9p17-3.el5
>
> I want to give myself the permission to run anything matching
> /etc/init.d/tomcat5-sb* without a password, so I have
>
> % sudo -l
> User jdunn may run the following commands on this host:
>     (ALL) ALL
>     (root) NOPASSWD: /usr/bin/install,
>     /etc/init.d/tomcat5-sb*, /etc/init.d/cbcsandboxes
>     (root) /etc/init.d/tomcat5-sb20
>     (cruise) /usr/bin/cvs
>     (webmaster) ALL
>
> However, I still keep getting prompted for a password when
> executing anything of /etc/init.d/tomcat5-*

Julian,

I don't know if sudo -l preserves the order of things it gets from sudoers, but the line (ALL) ALL matches *before* (root) NOPASSWD...

I've had this happen to me on some occasions, and putting more specific rules first, before listing things like (ALL) ALL etc., helps.

Just an idea.

Chris.

From amacmurray at msn.com Thu Feb 5 21:38:52 2009
From: amacmurray at msn.com (Anna Jones)
Date: Thu, 5 Feb 2009 21:38:52 -0500
Subject: [sudo-users] Restricting the execution of commands to a specific directory tree?

Hi All,

I need to configure a user called web to execute the following commands "rm, chmod, chgrp" on the specific directory tree "/usr/local/apache2/htdocs" using sudo. I don't want web to be able to use these commands on any other system directories. Does anyone know how to configure this with visudo?

Thank you for your support.
Please reply to all so I can get this at work.
Anna

From spinler.patrick at mayo.edu Fri Feb 6 10:33:40 2009
From: spinler.patrick at mayo.edu (Patrick Spinler)
Date: Fri, 06 Feb 2009 09:33:40 -0600
Subject: [sudo-users] Restricting the execution of commands to a specific directory tree?
Message-ID: <498C5854.8030904@mayo.edu>

Anna Jones wrote:
> Hi All,
>
> I need to configure a user called web to execute the following commands "rm, chmod, chgrp" on the specific directory tree "/usr/local/apache2/htdocs" using sudo. I don't want web to be able to use these commands on any other system directories. Does anyone know how to configure this with visudo?
>
> Thank you for your support.
> Please reply to all so I can get this at work.
>
> Anna

For what it's worth - I did something similar for chown and chmod. I did not attempt to get the generic commands "chown" and "chmod" to work.

There's a fundamental problem - if someone can chmod or chown arbitrary files / owners and permissions, even in a limited directory tree, then cracking root on the machine is as simple as:

    cp /bin/sh my_directory_path
    chown root my_directory_path/sh
    chmod u+s my_directory_path/sh
    my_directory_path/sh

It gets even worse when you begin considering things like symlinks in your directory tree pointing to utilities like /bin/sh.

Instead, I wrote somewhat more secure replacements in Perl running in taint mode, which limited the users and groups that could be chown'd to and from, and limited the directory tree that this could be done in (processing for symlinks and the like, also). Then, I allowed specified users to use sudo to invoke these perl scripts.

If you'd like, I can send you a copy of my chown and chmod scripts.
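The wrapper approach Patrick describes, worked through as an added example in Python rather than Perl. This is not his script (which is not on the page) and not part of the original thread. The tree is the one Anna named; the account names web and webmaster, the group web, and the /usr/local/sbin/htdocs-perm install path in the suggested sudoers line are assumptions. The wrapper walks the path from the tree root one component at a time with O_NOFOLLOW and then operates on the descriptor it checked, which closes both holes Patrick lists: the cp /bin/sh; chown root; chmod u+s sequence (root is not an allowed owner and setuid/setgid bits are refused) and symlinks inside the tree pointing at /bin/sh (never followed, whether in a directory component or as the final name). The sudoers rule then grants only this one command, never the generic chmod, chown or rm.

```python
#!/usr/bin/env python3
"""Restricted rm/chmod/chown wrapper for one directory tree (added example).
Meant to be the only command a sudoers rule grants, e.g.
    web ALL=(root) NOPASSWD: /usr/local/sbin/htdocs-perm   (install path assumed)
Paths are walked from the tree root one component at a time with O_NOFOLLOW,
so a symlink anywhere in the path (to /bin/sh, /etc, ...) cannot redirect the
privileged call, and each operation acts on the descriptor that was checked."""
import grp
import os
import pwd
import stat
import sys

ALLOWED_ROOT = "/usr/local/apache2/htdocs"   # tree named in the question
ALLOWED_OWNERS = {"web", "webmaster"}        # assumed site accounts
ALLOWED_GROUPS = {"web"}                     # assumed site group
MODE_MASK = 0o777                            # rwx only: no suid/sgid/sticky

class WrapperError(Exception):
    """A refused request; main() prints it and exits non-zero."""

def open_parent(path, root=ALLOWED_ROOT):
    """Open the parent dir of `path`, walking from `root` with O_NOFOLLOW on
    every component. Returns (parent_fd, leaf_name)."""
    if not path.startswith(root + "/"):
        raise WrapperError("%s is outside %s" % (path, root))
    parts = path[len(root) + 1:].split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise WrapperError("path must be normalised and strictly inside the tree")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            # ELOOP if comp is a symlink, ENOTDIR if it is a plain file
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
    except OSError as exc:
        os.close(fd)
        raise WrapperError("cannot traverse %s: %s" % (path, exc.strerror))
    return fd, parts[-1]

def open_leaf(path, root=ALLOWED_ROOT):
    """Open the target itself (no final-symlink following, no blocking on a
    FIFO) and insist that it is a regular file or a directory."""
    pfd, leaf = open_parent(path, root)
    try:
        fd = os.open(leaf, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=pfd)
    except OSError as exc:
        raise WrapperError("cannot open %s: %s" % (path, exc.strerror))
    finally:
        os.close(pfd)
    mode = os.fstat(fd).st_mode
    if not (stat.S_ISREG(mode) or stat.S_ISDIR(mode)):
        os.close(fd)
        raise WrapperError("%s is not a regular file or directory" % path)
    return fd

def do_chmod(path, mode, root=ALLOWED_ROOT):
    """chmod inside the tree; `mode` is an int such as 0o640."""
    if mode & ~MODE_MASK:
        raise WrapperError("only rwx bits may be set, 0o%o refused" % mode)
    fd = open_leaf(path, root)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)

def do_chown(path, owner=None, group=None, root=ALLOWED_ROOT,
             allowed_owners=ALLOWED_OWNERS, allowed_groups=ALLOWED_GROUPS):
    """chown/chgrp inside the tree to whitelisted names only (None keeps it)."""
    if owner is not None and owner not in allowed_owners:
        raise WrapperError("owner %r not permitted" % owner)
    if group is not None and group not in allowed_groups:
        raise WrapperError("group %r not permitted" % group)
    uid = pwd.getpwnam(owner).pw_uid if owner is not None else -1
    gid = grp.getgrnam(group).gr_gid if group is not None else -1
    fd = open_leaf(path, root)
    try:
        os.fchown(fd, uid, gid)
    finally:
        os.close(fd)

def do_rm(path, root=ALLOWED_ROOT):
    """Unlink one file inside the tree (a symlink is removed, never its target)."""
    pfd, leaf = open_parent(path, root)
    try:
        os.unlink(leaf, dir_fd=pfd)
    except OSError as exc:
        raise WrapperError("cannot remove %s: %s" % (path, exc.strerror))
    finally:
        os.close(pfd)

def main(argv):
    """CLI: chmod MODE PATH | chown OWNER[:GROUP] PATH | rm PATH"""
    try:
        if argv[1] == "chmod":
            do_chmod(argv[3], int(argv[2], 8))
        elif argv[1] == "chown":
            owner, _, group = argv[2].partition(":")
            do_chown(argv[3], owner or None, group or None)
        elif argv[1] == "rm":
            do_rm(argv[2])
        else:
            raise WrapperError(main.__doc__)
    except (IndexError, ValueError, OSError, WrapperError) as exc:
        sys.exit("refused: %s" % exc)

if __name__ == "__main__":
    main(sys.argv)
```

Because the sudoers rule names only the wrapper, argument checking is the wrapper's job, not sudo's: there is no wildcard in the rule for a user to exploit, and a request for a path with "..", a symlinked directory, a FIFO, or a mode with the setuid bit fails before any privileged syscall is made.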
-- Pat

From matthew.barrett at iovate.com Fri Feb 6 12:55:19 2009
From: matthew.barrett at iovate.com (Matthew Barrett)
Date: Fri, 06 Feb 2009 12:55:19 -0500
Subject: [sudo-users] How do I use visudo to allow users to su another account?
Message-ID: <1233942919.20277.13.camel@hq-ux-mbar.iovate.com>

I have regular users who need to sudo to an account with web directory access to update web sites. Some can "sudo - webuser" and enter their password with no problem. One user could before and now has lost the ability. I've taken over the responsibility and am not sure how to do this. Any ideas would be appreciated?

matthew.barrett at iovate.com

From Vijaya.Pidugu at sig.com Fri Feb 6 13:00:42 2009
From: Vijaya.Pidugu at sig.com (Pidugu Vijaya)
Date: Fri, 6 Feb 2009 13:00:42 -0500
Subject: [sudo-users] How do I use visudo to allow users to su another account?
In-Reply-To: <1233942919.20277.13.camel@hq-ux-mbar.iovate.com>
References: <1233942919.20277.13.camel@hq-ux-mbar.iovate.com>

Create a script and enable that user to be able to run that script. Make sure the script is owned by root and has only execute for others. The script should have "su - useraccount"!

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Matthew Barrett
Sent: Friday, February 06, 2009 12:55 PM
To: Sudo USers
Subject: [sudo-users] How do I use visudo to allow users to su another account?

I have regular users who need to sudo to an account with web directory access to update web sites. Some can "sudo - webuser" and enter their password with no problem. One user could before and now has lost the ability.
I've taken over the responsibility and am not sure how to do this. Any ideas would be appreciated?

matthew.barrett at iovate.com

From Radesh_Singh at ml.com Fri Feb 6 13:22:10 2009
From: Radesh_Singh at ml.com (Singh, Radesh (GTS))
Date: Fri, 6 Feb 2009 13:22:10 -0500
Subject: [sudo-users] How do I use visudo to allow users to su another account?
In-Reply-To: <1233942919.20277.13.camel@hq-ux-mbar.iovate.com>
References: <1233942919.20277.13.camel@hq-ux-mbar.iovate.com>
Message-ID: <1F083E3510811D4B82611186F74DB1C101685E37@MLNYA20MB010.amrs.win.ml.com>

Matt,

Should be straightforward. I'm sure you've got something like:

    mbarrett ALL=(root) /usr/bin/su - webuser

or

    %somegroup ALL=(root) /usr/bin/su - webuser

In the second case, have any of the group memberships changed?

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096

"Unix is user-friendly. It's just very selective about who its friends are."
-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Matthew Barrett
Sent: Friday, February 06, 2009 12:55 PM
To: Sudo USers
Subject: [sudo-users] How do I use visudo to allow users to su another account?

I have regular users who need to sudo to an account with web directory access to update web sites. Some can "sudo - webuser" and enter their password with no problem. One user could before and now has lost the ability. I've taken over the responsibility and am not sure how to do this. Any ideas would be appreciated?

matthew.barrett at iovate.com
From gauthier at mac.com Fri Feb 6 13:44:06 2009
From: gauthier at mac.com (Glenn Gauthier)
Date: Fri, 06 Feb 2009 10:44:06 -0800
Subject: [sudo-users] How do I use visudo to allow users to su another account?
In-Reply-To: <1233942919.20277.13.camel@hq-ux-mbar.iovate.com>
References: <1233942919.20277.13.camel@hq-ux-mbar.iovate.com>
Message-ID: <841BE23B-EA18-48FE-807F-3F14309F7EA5@mac.com>

I haven't tried this, but I think this would work:

    ALL ALL=/usr/bin/su - webuser

On Feb 6, 2009, at 9:55 AM, Matthew Barrett wrote:
> I have regular users who need to sudo to an account with web directory
> access to update web sites. Some can "sudo - webuser" and enter their
> password with no problem. One user could before and now has lost the
> ability. I've taken over the responsibility and am not sure how to do
> this. Any ideas would be appreciated?
>
> matthew.barrett at iovate.com

From Hullen at t-online.de Sun Feb 8 09:38:00 2009
From: Hullen at t-online.de (Helmut Hullen)
Date: 08 Feb 2009 15:38:00 +0100
Subject: [sudo-users] sudoers and "perl"

Hello sudo-users,

maybe I just haven't found the right place ...
can I define sudoers "Cmnd" lines for "perl" functions, e.g. for "readdir"?

The functions are part of a long perl script.

Kind regards!
Helmut

From Todd.Miller at courtesan.com Sun Feb 8 10:48:46 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 08 Feb 2009 10:48:46 -0500
Subject: [sudo-users] sudoers and "perl"
In-Reply-To: Your message of "08 Feb 2009 15:38:00 +0100."
Message-ID: <200902081548.n18FmkOX029856@core.courtesan.com>

In message so spake "Helmut Hullen" (Hullen):
> maybe I just haven't found the right place ...
>
> can I define sudoers "Cmnd" lines for "perl" functions, e.g. for
> "readdir"?
>
> The functions are part of a long perl script.

I'm afraid not. Sudo can only be used to run executables or scripts; you can't use it to run a perl function.

Now, you _could_ do something like run a command (such as ls) from your perl script to get the contents of a directory. But you wouldn't be able to actually open those files from your perl script.

- todd

From Hullen at t-online.de Sun Feb 8 11:17:00 2009
From: Hullen at t-online.de (Helmut Hullen)
Date: 08 Feb 2009 17:17:00 +0100
Subject: [sudo-users] sudoers and "perl"
In-Reply-To: <200902081548.n18FmkOX029856@core.courtesan.com>

Hello Todd,

you wrote on 08.02.09 on the subject Re: [sudo-users] sudoers and "perl":

>> can I define sudoers "Cmnd" lines for "perl" functions, e.g. for
>> "readdir"?

> I'm afraid not. Sudo can only be used to run executables or scripts;

Ok - that saves some hours of useless work.

Kind regards!
Helmut

From holt at sgi.com Mon Feb 9 12:48:15 2009
From: holt at sgi.com (Robin Holt)
Date: Mon, 9 Feb 2009 11:48:15 -0600
Subject: [sudo-users] Filename globbing in /etc/sudoers causes very slow sudo command execution.
Message-ID: <20090209174815.GR8577@sgi.com>

We recently upgraded a system which had a vendor provided sudo 1.6.8p12. Their upgraded install has sudo 1.6.9p17.
Following the upgrade we found that the time to do:

    date; sudo date; date

would give us many minutes between the first and second date output lines.

We narrowed it down to /etc/sudoers lines that contain '*' in them. These lines allow users to set up a build environment. We realize they are not entirely safe, but they are adequate to prevent people from making mistakes that could wipe out a system. Unfortunately, the users do need root to do the setups.

According to the sudoers man page, filename matching is supposed to be done with fnmatch. If I write a simple program that uses fnmatch(), that does resolve true/false very quickly. Likewise, if I recompile the 1.6.8p12 version for the newly installed OS, the problem is resolved.

The glob lines expand directories that may be autofs mounted nfs mounts from other hosts. The group of build servers has a collective storage size on the order of 30TB.

If I strace the sudo command, I do see it opening each file, stat'ing it, closing it, etc. With the old command, it runs too quickly for me to find its pid and attach.

Thanks,
Robin Holt

From Todd.Miller at courtesan.com Mon Feb 9 13:53:07 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 09 Feb 2009 13:53:07 -0500
Subject: [sudo-users] Filename globbing in /etc/sudoers causes very slow sudo command execution.
In-Reply-To: Your message of "Mon, 09 Feb 2009 11:48:15 CST." <20090209174815.GR8577@sgi.com>
References: <20090209174815.GR8577@sgi.com>
Message-ID: <200902091853.n19Ir7oT023068@core.courtesan.com>

In sudo 1.6.9 sudo uses glob() for pathname globbing, which does look at the filesystem. Depending on the sudoers rules you have and your automount setup this could cause an automount storm.

Using glob() fixes some real problems, for instance
http://www.gratisoft.us/bugzilla/show_bug.cgi?id=143

I am considering adding an option to allow users to switch back to the old method if they don't care about the issues it introduces.
- todd

From holt at sgi.com Mon Feb 9 14:18:32 2009
From: holt at sgi.com (Robin Holt)
Date: Mon, 9 Feb 2009 13:18:32 -0600
Subject: [sudo-users] Filename globbing in /etc/sudoers causes very slow sudo command execution.
In-Reply-To: <200902091853.n19Ir7oT023068@core.courtesan.com>
References: <20090209174815.GR8577@sgi.com> <200902091853.n19Ir7oT023068@core.courtesan.com>
Message-ID: <20090209191832.GS8577@sgi.com>

On Mon, Feb 09, 2009 at 01:53:07PM -0500, Todd C. Miller wrote:
> In sudo 1.6.9 sudo uses glob() for pathname globbing, which does
> look at the filesystem. Depending on the sudoers rules you have
> and your automount setup this could cause an automount storm.
>
> Using glob() fixes some real problems, for instance
> http://www.gratisoft.us/bugzilla/show_bug.cgi?id=143
>
> I am considering adding an option to allow users to switch back to
> the old method if they don't care about the issues it introduces.

How difficult would that be to implement? This is hindering us from using 1.6.9 from the vendor. Could a patch be made available for their version as well? I hope it sounds like I am groveling because that is how I feel ;)

Thanks,
Robin

From Todd.Miller at courtesan.com Mon Feb 9 15:30:35 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 09 Feb 2009 15:30:35 -0500
Subject: [sudo-users] Filename globbing in /etc/sudoers causes very slow sudo command execution.
In-Reply-To: Your message of "Mon, 09 Feb 2009 13:18:32 CST." <20090209191832.GS8577@sgi.com>
References: <20090209174815.GR8577@sgi.com> <200902091853.n19Ir7oT023068@core.courtesan.com> <20090209191832.GS8577@sgi.com>
Message-ID: <200902092030.n19KUZg2012606@core.courtesan.com>

In message <20090209191832.GS8577@sgi.com> so spake Robin Holt (holt):
> How difficult would that be to implement? This is hindering us from
> using 1.6.9 from the vendor. Could a patch be made available for their
> version as well?
> I hope it sounds like I am groveling because that is
> how I feel ;)

Not hard. I just did a proof of concept change for the 1.7 branch. I'll take a look at back-porting that once I've tested it a bit more.

- todd

From Jamuna.Manjunatha at ironmountain.com Mon Feb 9 11:05:02 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Mon, 9 Feb 2009 11:05:02 -0500
Subject: [sudo-users] question about sudo

Hi,

I have set up sudo such that I have disabled "bash" for all the users, so that every activity gets logged in /var/log/messages.

Now a user with sudo access has some bash scripts that require "bash" to run the scripts. I can give him ONLY that access by modifying the /etc/sudoers file, but then whatever he does after typing "sudo bash" DOES NOT get logged :-(

Can I still give him "sudo bash" access & still be able to log all his activity after he becomes "sudo bash"?

OR

How do I go about modifying the bash script so every activity gets logged?

Any help would be greatly appreciated. You guys have been very helpful..

Thanks a bunch!!
Jamuna
From Jamuna.Manjunatha at ironmountain.com Mon Feb 9 11:05:35 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Mon, 9 Feb 2009 11:05:35 -0500
Subject: [sudo-users] sudo using bash scripts

Hi,

I have set up sudo such that I have disabled "bash" for all the users, so that every activity gets logged in /var/log/messages.

Now a user with sudo access has some bash scripts that require "bash" to run the scripts. I can give him ONLY that access by modifying the /etc/sudoers file, but then whatever he does after typing "sudo bash" DOES NOT get logged.

Can I still give him "sudo bash" access & still be able to log all his activity after he becomes "sudo bash"?

OR

How do I go about modifying the bash script so every activity gets logged?

Any help would be greatly appreciated. You guys have been very helpful..

Thanks a bunch!!
Jamuna
From vadud3 at gmail.com Fri Feb 13 09:23:31 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 09:23:31 -0500
Subject: [sudo-users] Installing Application without full sudo privilege

Hi All

My application team needs to install Oracle on hosts. They are asking for full sudo privilege, so that they can install the app as root.

Is there a lesser privilege that you can suggest than

    user ALL=(ALL) ALL

Thanks

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From mmdongare at gmail.com Fri Feb 13 11:43:07 2009
From: mmdongare at gmail.com (Makarand Dongare)
Date: Fri, 13 Feb 2009 11:43:07 -0500
Subject: [sudo-users] Installing Application without full sudo privilege
Message-ID: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>

First thing is that Oracle does not need to be installed as root. There are a couple of scripts that need to be run as root, rootpre.sh or root.sh. Once you do that for the app team, they do not need root access for anything.

If you want to give them root access to run those scripts then give it as below:

    oracle servername=(root) full-path-for-command

Hope this helps.

Makarand Dongare

On 2/13/09, Asif Iqbal wrote:
> Hi All
>
> My application team needs to install Oracle on hosts. They are asking
> for full sudo privilege, so that they can install the app as root.
>
> Is there a lesser privilege that you can suggest than
> user ALL=(ALL) ALL
>
> Thanks
From vadud3 at gmail.com Fri Feb 13 12:16:40 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 12:16:40 -0500
Subject: [sudo-users] Installing Application without full sudo privilege
In-Reply-To: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>

On Fri, Feb 13, 2009 at 11:43 AM, Makarand Dongare wrote:
> First thing is that Oracle does not need to be installed as root.
> There are a couple of scripts that need to be run as root, rootpre.sh or
> root.sh. Once you do that for the app team, they do not need root access
> for anything.
> If you want to give them root access to run those scripts then give it as below:
>
> oracle servername=(root) full-path-for-command

What if the path name is different for different environments? Can I do it like this: /*/root.sh for the path?

> Hope this helps.
>
> Makarand Dongare
>
> On 2/13/09, Asif Iqbal wrote:
>> Hi All
>>
>> My application team needs to install Oracle on hosts. They are asking
>> for full sudo privilege, so that they can install the app as root.
>>
>> Is there a lesser privilege that you can suggest than
>> user ALL=(ALL) ALL
>>
>> Thanks
From vadud3 at gmail.com Fri Feb 13 14:03:39 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 14:03:39 -0500
Subject: [sudo-users] [sudo-workers] Installing Application without full sudo privilege
In-Reply-To: <594C0BF852057C47AE7A4681657CD963028413D8@cbnocmsg01.cb.bbvabancomer.com.mx>
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com> <594C0BF852057C47AE7A4681657CD963028413D8@cbnocmsg01.cb.bbvabancomer.com.mx>

On Fri, Feb 13, 2009 at 1:24 PM, Olvera Peralta Edgar Alfredo wrote:
> From a security point of view that's not recommended. Someone could
> create a malicious script called "root.sh" in any directory and you'd be
> allowing it to run as root. That is a serious risk.

I realized that right after I hit the send button. So basically even a full path won't help if the user has write access to any of the parent dirs.

So /this/is/the/path/to/the/script.sh can be manipulated if the user has access to, say, /this/is/the.

Is there a better way to give sudo priv to a script short of the whole path and hoping the user can't or won't play with the path?

> Regards,
> Edgar Olvera
>
> -----Original Message-----
> From: sudo-workers-bounces at courtesan.com
> [mailto:sudo-workers-bounces at courtesan.com] On behalf of Asif Iqbal
> Sent: Friday, 13 February 2009 11:17 a.m.
> To: Makarand Dongare
> CC: sudo-users at sudo.ws; sudo-workers at sudo.ws
> Subject: Re: [sudo-workers] [sudo-users] Installing Application without full sudo privilege
>
> On Fri, Feb 13, 2009 at 11:43 AM, Makarand Dongare wrote:
>> First thing is that Oracle does not need to be installed as root.
>> There are a couple of scripts that need to be run as root, rootpre.sh or
>> root.sh. Once you do that for the app team, they do not need root access
>> for anything.
>> If you want to give them root access to run those scripts then give it
>> as below:
>>
>> oracle servername=(root) full-path-for-command
>
> What if the path name is different for different environments? Can I do it like
> this: /*/root.sh for the path?
>
>> Hope this helps.
>>
>> Makarand Dongare
>>
>> On 2/13/09, Asif Iqbal wrote:
>>> Hi All
>>>
>>> My application team needs to install Oracle on hosts. They are asking
>>> for full sudo privilege, so that they can install the app as root.
>>>
>>> Is there a lesser privilege that you can suggest than
>>> user ALL=(ALL) ALL
>>>
>>> Thanks
From russell+sudo-users at loosenut.com Fri Feb 13 14:44:22 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Fri, 13 Feb 2009 11:44:22 -0800
Subject: [sudo-users] [sudo-workers] Installing Application without full sudo privilege
In-Reply-To:
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
	<594C0BF852057C47AE7A4681657CD963028413D8@cbnocmsg01.cb.bbvabancomer.com.mx>
Message-ID: <20090213194422.GE22540@fubar.loosenut.com>

Well, the more specific (deeper in the tree) you can specify, the
better. Myself, I have more of a tendency to just use aliases and then
use a list of absolute paths where users don't have write access.

In your first example, of course, /tmp/root.sh would also work (which I
think you realized "right after you hit send").

As someone else said, as far as I know, there's pretty much NO reason to
give Oracle users "root" once you do the install for them. Chances are
you can just give them "oracle" and you're set (think that's what I've
always done in the past, anyway, and it's worked fine).

For those few incidents if/when they think they need root (don't think
they do), they could come to me (or the admin team) and we could "fix
it" for them... or add another very-specific-condition where they get
root.

Hope that helps...

Russell

On Fri, Feb 13, 2009 at 02:03:39PM -0500, Asif Iqbal wrote:
> On Fri, Feb 13, 2009 at 1:24 PM, Olvera Peralta Edgar Alfredo wrote:
> > From a security point of view that's not recommended. Someone could
> > create a malicious script called "root.sh" in any directory and you'd be
> > allowing to run it as root. That is a serious risk.
>
> I realized that right after I hit the send button. So basically even a
> full path won't help if the user has write access to any
> of the parent directories.
>
> So /this/is/the/path/to/the/script.sh can be manipulated if the user
> has access to, say, /this/is/the.
>
> Is there a better way to give sudo privilege to a script short of the whole
> path and hoping the user can't or won't
> play with the path?
>
> > -----Original Message-----
> >
> > What if the path name is different for different env? Can I do it like
> > this, /*/root.sh, for the path?

--
Russell M. Van Tassell
russell at loosenut.com

"No one is useless in this world who lightens the burdens of another."
- Charles Dickens

From vadud3 at gmail.com Fri Feb 13 14:50:41 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 14:50:41 -0500
Subject: [sudo-users] [sudo-workers] Installing Application without full sudo privilege
In-Reply-To: <20090213194422.GE22540@fubar.loosenut.com>
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
	<594C0BF852057C47AE7A4681657CD963028413D8@cbnocmsg01.cb.bbvabancomer.com.mx>
	<20090213194422.GE22540@fubar.loosenut.com>
Message-ID:

On Fri, Feb 13, 2009 at 2:44 PM, Russell Van Tassell wrote:
> Well, the more specific (deeper in the tree) you can specify, the
> better. Myself, I have more of a tendency to just use aliases and then
> use a list of absolute paths where users don't have write access.

I like that alias tip a lot. So with /usr/root.sh -> /path/to/some/root.sh,
and no user having write access to /usr, I should be good, unless I am
overlooking some other security risk there.

> In your first example, of course, /tmp/root.sh would also work (which I
> think you realized "right after you hit send").
>
> As someone else said, as far as I know, there's pretty much NO reason to
> give Oracle users "root" once you do the install for them. Chances are
> you can just give them "oracle" and you're set (think that's what I've
> always done in the past, anyway, and it's worked fine).
>
> For those few incidents if/when they think they need root (don't think
> they do), they could come to me (or the admin team) and we could "fix
> it" for them... or add another very-specific-condition where they get
> root.
>
> Hope that helps...
>
> Russell

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From mmdongare at gmail.com Fri Feb 13 14:56:10 2009
From: mmdongare at gmail.com (Makarand Dongare)
Date: Fri, 13 Feb 2009 14:56:10 -0500
Subject: [sudo-users] Installing Application without full sudo privilege
In-Reply-To:
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
Message-ID: <54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>

Just use root.sh without the complete path, as the Oracle DBA will need to
cd to the path and run it as sudo ./root.sh. This way it should work fine.

On 2/13/09, Asif Iqbal wrote:
> On Fri, Feb 13, 2009 at 11:43 AM, Makarand Dongare wrote:
>> First thing is that Oracle does not need to be installed as root.
>> There are a couple of scripts that need to be run as root: rootpre.sh or
>> root.sh.
>> Once you do that for the app team, they do not need root access
>> for anything.
>> If you want to give them root access to run those scripts then give it as
>> below:
>>
>> oracle servername=(root) full-path-for-command
>
> What if the path name is different for different env? Can I do it like
> this, /*/root.sh, for the path?
>
>> Hope this helps.
>>
>> Makarand Dongare
>>
>> On 2/13/09, Asif Iqbal wrote:
>>> Hi All
>>>
>>> My application team needs to install Oracle on hosts. They are asking
>>> for full sudo privilege, so that they can install the app as root.
>>>
>>> Is there a lesser privilege that you can suggest than
>>> user ALL=(ALL) ALL
>>>
>>> Thanks

From vadud3 at gmail.com Fri Feb 13 14:57:38 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 14:57:38 -0500
Subject: [sudo-users] Installing Application without full sudo privilege
In-Reply-To: <54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
	<54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>
Message-ID:

On Fri, Feb 13, 2009 at 2:56 PM, Makarand Dongare wrote:
> Just use root.sh without the complete path, as the Oracle DBA will need to
> cd to the path and run it as sudo ./root.sh. This way it should work
> fine.

Very good idea!!

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
From vadud3 at gmail.com Fri Feb 13 14:58:41 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 14:58:41 -0500
Subject: [sudo-users] Installing Application without full sudo privilege
In-Reply-To:
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
	<54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>
Message-ID:

On Fri, Feb 13, 2009 at 2:57 PM, Asif Iqbal wrote:
> On Fri, Feb 13, 2009 at 2:56 PM, Makarand Dongare wrote:
>> Just use root.sh without the complete path, as the Oracle DBA will need to
>> cd to the path and run it as sudo ./root.sh. This way it should work
>> fine.
>
> Very good idea!!

Wait! That is actually a bad idea. I can have a file /tmp/root.sh whose
content is

exec bash

and the user can cd to /tmp and run ./root.sh. I think /usr/alias is a
safer path.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From russell+sudo-users at loosenut.com Fri Feb 13 15:16:11 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Fri, 13 Feb 2009 12:16:11 -0800
Subject: [sudo-users] Installing Application without full sudo privilege
In-Reply-To:
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
	<54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>
Message-ID: <20090213201611.GH22540@fubar.loosenut.com>

[Removing sudo-workers, again, as this isn't a "code" issue]

On Fri, Feb 13, 2009 at 02:57:38PM -0500, Asif Iqbal wrote:
> On Fri, Feb 13, 2009 at 2:56 PM, Makarand Dongare wrote:
> > Just use root.sh without the complete path, as the Oracle DBA will need to
> > cd to the path and run it as sudo ./root.sh. This way it should work
> > fine.
>
> Very good idea!!

Not sure I understand what you're getting at, here... but you'll still
need the absolute path in the sudoers file, AFAIK.

Getting back to the alias idea, I generally create Cmnd_Aliases in the
sudoers file for "all" the paths they'll ever need.
So, in the current example, I'd do something such as:

Host_Alias NET_10_8 = 10.0.0.0/255.0.0.0
User_Alias ORACLE_ADMIN = %oracle
Cmnd_Alias ORACLE_ROOT_SH = /opt/oracle/bin/root.sh, \
                            /usr/local/oracle/bin/root.sh

ORACLE_ADMIN NET_10_8 = (oracle) ORACLE_ROOT_SH

--
Russell M. Van Tassell
russell at loosenut.com

People who want to share their religious views with you almost never
want you to share yours with them.

From erh at nimenees.com Fri Feb 13 10:39:40 2009
From: erh at nimenees.com (Eric Haszlakiewicz)
Date: Fri, 13 Feb 2009 09:39:40 -0600
Subject: [sudo-users] [sudo-workers] Installing Application without full sudo privilege
In-Reply-To:
References:
Message-ID: <20090213153940.GA14789@nimenees.com>

On Fri, Feb 13, 2009 at 09:23:31AM -0500, Asif Iqbal wrote:
> Hi All
>
> My application team needs to install Oracle on hosts. They are asking
> for full sudo privilege, so that they can install the app as root.
>
> Is there a lesser privilege that you can suggest than
> user ALL=(ALL) ALL

If you're giving them access to run any program that they provide or have
control over, then any lesser privilege is no different than the above,
because they can just change the program they are running to do what they
want. You either need to trust them to behave themselves, or watch over
their shoulder as they install it.

eric

From blfarrell at ra.rockwell.com Fri Feb 13 10:17:20 2009
From: blfarrell at ra.rockwell.com (Brian L Farrell)
Date: Fri, 13 Feb 2009 09:17:20 -0600
Subject: [sudo-users] [sudo-workers] Installing Application without full sudo privilege
In-Reply-To:
Message-ID:

Asif,

If you set up the server properly (system settings for shared memory etc.,
account(s), group(s) etc.), then you only need root for the root.sh script.
You can create a script to do the equivalent of root.sh, taking the Oracle
SID as an argument, to do what you need done as root to support Oracle
installs.
For information on locking down Oracle you can check out Project Lockdown:
http://www.oracle.com/technology/pub/articles/project_lockdown/index.html
for more details.

Then the sudo configuration is really only configuring it so that all DBAs
(controlled by a Unix group for simplicity) can run the Oracle root command
scripts:

User_Alias DBALIST = %dbagroup
Cmnd_Alias DBA_RUNAS_ROOT_COMMANDS = /path/to/oracle_root_commands_script

DBALIST ALL = (root) DBA_RUNAS_ROOT_COMMANDS

Hope this helps.

Brian Farrell

Asif Iqbal
Sent by: sudo-workers-bounces at courtesan.com
02/13/2009 08:23 AM

To
sudo-users at sudo.ws, sudo-workers at sudo.ws
cc

Subject
[sudo-workers] Installing Application without full sudo privilege

Hi All

My application team needs to install Oracle on hosts. They are asking
for full sudo privilege, so that they can install the app as root.

Is there a lesser privilege that you can suggest than
user ALL=(ALL) ALL

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
From mlh at zip.com.au Sun Feb 15 20:57:28 2009
From: mlh at zip.com.au (Matthew Hannigan)
Date: Mon, 16 Feb 2009 12:57:28 +1100
Subject: [sudo-users] Installing Application without full sudo privilege
In-Reply-To: <20090213201611.GH22540@fubar.loosenut.com>
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
	<54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>
	<20090213201611.GH22540@fubar.loosenut.com>
Message-ID: <20090216015728.GF18841@evofed.localdomain>

On Fri, Feb 13, 2009 at 12:16:11PM -0800, Russell Van Tassell wrote:
>
> [Removing sudo-workers, again, as this isn't a "code" issue]
>
> On Fri, Feb 13, 2009 at 02:57:38PM -0500, Asif Iqbal wrote:
> > On Fri, Feb 13, 2009 at 2:56 PM, Makarand Dongare wrote:
> > > Just use root.sh without the complete path, as the Oracle DBA will need to
> > > cd to the path and run it as sudo ./root.sh. This way it should work
> > > fine.
> >
> > Very good idea!!
>
> Not sure I understand what you're getting at, here... but you'll still
> need the absolute path in the sudoers file, AFAIK.
>
> Getting back to the alias idea, I generally create Cmnd_Aliases in the
> sudoers file for "all" the paths they'll ever need. So, in the current
> example, I'd do something such as:
>
> Host_Alias NET_10_8 = 10.0.0.0/255.0.0.0
> User_Alias ORACLE_ADMIN = %oracle
> Cmnd_Alias ORACLE_ROOT_SH = /opt/oracle/bin/root.sh, \
>                             /usr/local/oracle/bin/root.sh
>
> ORACLE_ADMIN NET_10_8 = (oracle) ORACLE_ROOT_SH

This is better but implies you (the sysadmin) will have to maintain root.sh.
That implies reviewing it and possibly reinstalling for every new version of
Oracle at least. You might need multiple versions.

Even then it will give you a false sense of security. I can see
a few places in root.sh that could be exploited to give the
person who runs it extra privileges. It uses backticks and unquoted
variables as well as trusting its environment to a certain degree.
It also invokes non-root owned sub programs.

You probably have to rewrite it partly to make it secure and yet make it
compatible enough with the vendor version. This is a significant
responsibility for the sysadmin!

The proper solution to this mess is to have Oracle simplify and improve their
installation procedure.

Currently either the sysadmin has to trust their DBA (at least for the duration
of the install) or the sysadmin has to run root.sh for them. Even here the
sysadmin has to eyeball the script and check his environment and the programs
it calls in turn beforehand.

From vadud3 at gmail.com Mon Feb 16 16:15:20 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 16 Feb 2009 16:15:20 -0500
Subject: [sudo-users] Installing Application without full sudo privilege
In-Reply-To: <20090216015728.GF18841@evofed.localdomain>
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
	<54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>
	<20090213201611.GH22540@fubar.loosenut.com>
	<20090216015728.GF18841@evofed.localdomain>
Message-ID:

On Sun, Feb 15, 2009 at 8:57 PM, Matthew Hannigan wrote:
> On Fri, Feb 13, 2009 at 12:16:11PM -0800, Russell Van Tassell wrote:
>> Getting back to the alias idea, I generally create Cmnd_Aliases in the
>> sudoers file for "all" the paths they'll ever need. So, in the current
>> example, I'd do something such as:
>>
>> Host_Alias NET_10_8 = 10.0.0.0/255.0.0.0
>> User_Alias ORACLE_ADMIN = %oracle
>> Cmnd_Alias ORACLE_ROOT_SH = /opt/oracle/bin/root.sh, \
>>                             /usr/local/oracle/bin/root.sh
>>
>> ORACLE_ADMIN NET_10_8 = (oracle) ORACLE_ROOT_SH
>
> This is better but implies you (the sysadmin) will have to maintain root.sh.
> That implies reviewing it and possibly reinstalling for every new version of
> Oracle at least. You might need multiple versions.
>
> Even then it will give you a false sense of security. I can see
> a few places in root.sh that could be exploited to give the
> person who runs it extra privileges. It uses backticks and unquoted
> variables as well as trusting its environment to a certain degree.
> It also invokes non-root owned sub programs.
>
> You probably have to rewrite it partly to make it secure and yet make it
> compatible enough with the vendor version. This is a significant
> responsibility for the sysadmin!
>
> The proper solution to this mess is to have Oracle simplify and improve their
> installation procedure.

Agreed!

> Currently either the sysadmin has to trust their DBA (at least for the duration
> of the install) or the sysadmin has to run root.sh for them. Even here the

I will monitor the checksum of the file using our monitoring tool, which is
on a remote box.

> sysadmin has to eyeball the script and check his environment and the programs
> it calls in turn beforehand.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
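The two defensive ideas in this thread, command paths whose every parent directory is off-limits to the user (Russell's alias lists, Asif's /usr/alias) and watching the checksum of root.sh (Asif's last reply), as an added audit script that is not from the thread or from sudo. It assumes nothing about the real hosts: the /opt/oracle and /home/dba trees are constructed under a temporary directory, and the invoking uid stands in for root so it can run unprivileged.

```python
# Audit helpers for absolute command paths listed in sudoers (added example,
# not from the thread or from sudo); run_demo() builds a constructed fixture.
import hashlib
import os
import shutil
import stat
import tempfile


def _components_below(path, trusted_prefix):
    """Yield each component of `path` below `trusted_prefix`, top down,
    ending with `path` itself. The prefix is assumed already verified."""
    path = os.path.abspath(path)
    prefix = os.path.abspath(trusted_prefix)
    rel = os.path.relpath(path, prefix)
    if rel in (os.curdir, os.pardir) or rel.startswith(os.pardir + os.sep):
        raise ValueError(f"{path} is not strictly below {prefix}")
    current = prefix
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        yield current


def audit_command_path(path, trusted_uids=(0,), trusted_prefix="/"):
    """Return a list of findings for one command path; empty means it passed.

    Every directory between the trusted prefix and the script, and the
    script itself, must be owned by a trusted uid and must not be writable
    by group or other; otherwise a user with write access there can swap in
    a different root.sh before sudo runs the absolute path as root."""
    findings = []
    for comp in _components_below(path, trusted_prefix):
        try:
            st = os.lstat(comp)
        except FileNotFoundError:
            findings.append(f"{comp}: does not exist")
            break
        if stat.S_ISLNK(st.st_mode):
            # sudo follows the link; whoever can replace it picks the target.
            findings.append(f"{comp}: is a symlink")
        if st.st_uid not in trusted_uids:
            findings.append(f"{comp}: owned by uid {st.st_uid}, not trusted")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # The sticky bit is deliberately not an exemption: it stops other
            # users deleting existing files, not creating a root.sh that is
            # not there yet (the /tmp/root.sh case from the thread).
            findings.append(f"{comp}: group/world writable")
    return findings


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_baseline(path, baseline_hex):
    """True while the script still has exactly the content that was reviewed."""
    return sha256_file(path) == baseline_hex


def _create(path, mode, content=None):
    """Create a directory (content None) or a file; chmod explicitly so the
    process umask cannot change the fixture."""
    if content is None:
        os.mkdir(path)
    else:
        with open(path, "w") as f:
            f.write(content)
    os.chmod(path, mode)


def run_demo():
    """Build a constructed fixture under a temporary directory and audit it.
    The current uid stands in for root so the demo runs unprivileged."""
    base = tempfile.mkdtemp()
    trusted = {os.geteuid()}
    try:
        # Paths mirror the thread's examples; the tree itself is constructed.
        for d in ("opt", "opt/oracle", "opt/oracle/bin", "home"):
            _create(os.path.join(base, d), 0o755)
        _create(os.path.join(base, "home", "dba"), 0o777)  # DBA-owned, open
        good = os.path.join(base, "opt", "oracle", "bin", "root.sh")
        bad = os.path.join(base, "home", "dba", "root.sh")
        _create(good, 0o755, "#!/bin/sh\necho reviewed vendor root.sh\n")
        _create(bad, 0o755, "#!/bin/sh\necho whatever the DBA put here\n")
        baseline = sha256_file(good)
        results = {
            "good": audit_command_path(good, trusted, base),
            "bad": audit_command_path(bad, trusted, base),
            "baseline_ok": matches_baseline(good, baseline),
        }
        with open(good, "a") as f:  # a new vendor version, or tampering
            f.write("echo something new\n")
        results["after_change_ok"] = matches_baseline(good, baseline)
        return results
    finally:
        shutil.rmtree(base)
```

On a real host, call audit_command_path() with the default trusted uid 0 and prefix "/" on each path in a Cmnd_Alias, and keep the baseline hash on the remote monitoring box rather than next to the script.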
From Vijaya.Pidugu at sig.com Tue Feb 17 16:53:05 2009
From: Vijaya.Pidugu at sig.com (Pidugu Vijaya)
Date: Tue, 17 Feb 2009 16:53:05 -0500
Subject: [sudo-users] sudo logging question
In-Reply-To:
References: <20090128223747.GF929@fubar.loosenut.com>
Message-ID:

You can rotate your messages more frequently!

________________________________
From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
Sent: Tuesday, February 17, 2009 4:47 PM
To: Russell Van Tassell; Pidugu Vijaya; Singh, Radesh (GTS); sudo-users at sudo.ws
Subject: sudo logging question

Hi all,

Your help regarding sudo helped me a lot.. I have another question.

I definitely want all sudo commands to be logged in /var/log/messages.
But can I limit it such that one user does NOT have to login to the logs at
all... Because that is filling up our disk space & also CPU is dropping
because of that user running a command every second!!!

Thanks so much!!!

Jamuna

From Jamuna.Manjunatha at ironmountain.com Tue Feb 17 16:46:40 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Tue, 17 Feb 2009 16:46:40 -0500
Subject: [sudo-users] sudo logging question
In-Reply-To: <20090128223747.GF929@fubar.loosenut.com>
Message-ID:

Hi all,

Your help regarding sudo helped me a lot.. I have another question.

I definitely want all sudo commands to be logged in /var/log/messages.
But can I limit it such that one user does NOT have to login to the logs at
all... Because that is filling up our disk space & also CPU is dropping
because of that user running a command every second!!!

Thanks so much!!!

Jamuna

From ivar at oobik.com Thu Feb 19 19:06:07 2009
From: ivar at oobik.com (ivar vasara)
Date: Thu, 19 Feb 2009 16:06:07 -0800
Subject: [sudo-users] allow one user to run commands as another (ie: sudo -u other_user command) in sudoers
Message-ID: <2c7898150902191606v7571cb92i13351370033fa920@mail.gmail.com>

Hi all,

I've been browsing the sudo-users archives for solutions to my problem and
have found a few promising recent threads, but nothing exactly what I'm
looking for. The sudoers man page looks promising, but a solution is far
from clear for my quandary.

I would like to allow the 'www-data' user to run commands as the
'capistrano' user without requiring a password, and without dropping to
capistrano's shell (ie: not using 'su'). My attempts have all failed, and so
far my best guess is the following clause in /etc/sudoers:

www-data ALL=NOPASSWD: /usr/bin/sudo -u capistrano

I've also tried specifying commands at the end since ideally I could
restrict the commands available, but this is an internal server and just
being able to get www-data to run anything as capistrano would be great.

Thanks for your time.
From akaroumi at yahoo.com Fri Feb 20 06:42:41 2009
From: akaroumi at yahoo.com (Ahmed Karoumi)
Date: Fri, 20 Feb 2009 11:42:41 +0000 (GMT)
Subject: [sudo-users] How to use Cmnd_Alias in ldap container
Message-ID: <720220.83298.qm@web25105.mail.ukl.yahoo.com>

Hello,

I am using sudo with rules stored in an LDAP directory. How do I write a
group of commands in an LDAP container, like a Cmnd_Alias in /etc/sudoers?

For example, currently I have these rules:

cn=sudorules,cn=SUDOers,ou=unix,dc=example,dc=com
cn=sudorules
objectclass=top
objectclass=sudoRole
sudoCommand=!/bin/sh
sudoCommand=!/usr/bin/sh
sudoCommand=!/bin/bsh
sudoCommand=!/usr/bin/bsh
sudoCommand=!/bin/csh
sudoCommand=!/usr/bin/csh
sudoCommand=!/bin/dsh
sudoCommand=!/usr/bin/dsh
sudoCommand=!/bin/ksh
sudoCommand=!/usr/bin/ksh
sudoCommand=!/bin/msh
sudoCommand=!/usr/bin/msh
sudoCommand=!/bin/psh
sudoCommand=!/usr/bin/psh
sudoCommand=!/bin/rsh
sudoCommand=!/usr/bin/rsh
sudoCommand=!/bin/Rsh
sudoCommand=!/usr/bin/Rsh
sudoCommand=!/bin/tsh
sudoCommand=!/usr/bin/tsh
sudoCommand=!/usr/local/bin/tcsh
sudoCommand=!/usr/local/bin/zsh
sudoCommand=!/usr/bin/su *root*
sudoCommand=!/usr/bin/su ""
sudoCommand=!/usr/bin/su -
sudoCommand=ALL
sudoHost=ALL
sudooption=!authenticate
sudoUser=ALL

How do I codify, in an LDAP container, a group of sudoCommand values that I
can use inside other rules?

Regards,
Ahmed.
From holt at sgi.com Sun Feb 22 00:21:55 2009
From: holt at sgi.com (Robin Holt)
Date: Sat, 21 Feb 2009 23:21:55 -0600
Subject: [sudo-users] allow one user to run commands as another (ie: sudo -u other_user command) in sudoers
In-Reply-To: <2c7898150902191606v7571cb92i13351370033fa920@mail.gmail.com>
References: <2c7898150902191606v7571cb92i13351370033fa920@mail.gmail.com>
Message-ID: <20090222052155.GC10460@sgi.com>

On Thu, Feb 19, 2009 at 04:06:07PM -0800, ivar vasara wrote:
> Hi all,
>
> I've been browsing the sudo-users archives for solutions to my problem and
> have found a few promising recent threads, but nothing exactly what I'm
> looking for. The sudoers man page looks promising, but a solution is far
> from clear for my quandary.
>
> I would like to allow the 'www-data' user to run commands as the
> 'capistrano' user without requiring a password, and without dropping to
> capistrano's shell (ie: not using 'su'). My attempts have all failed, and so
> far my best guess is the following clause in /etc/sudoers:
>
> www-data ALL=NOPASSWD: /usr/bin/sudo -u capistrano
>

I am not sure this is what you want, but I just did

www-data ALL=(ALL) NOPASSWD: /bin/su - capistrano

and it did what I think you are asking for.

Thanks,
Robin