[sudo-users] Linux/Solaris differences in use of Cmnd_Alias?
John Shott
shott at stanford.edu
Mon Mar 1 12:29:03 EST 2010
Sudo Community:
We have been using sudo for several years on both Solaris and Linux
platforms to control who can start a set of servers and make sure that
they are running as the proper user.
To do that, we have a wrapper script that is used to start some
servers. Let's say that is named /usr/local/sbin/wrapper.
In the wrapper script we start the server with the following line, to ensure that
the servers are owned by server_user and can only be started by specific
named users:
sudo -l server_user /usr/local/sbin/start_server
Because we are developing these servers, in addition to this production
version, we often have a development version that is started with a
similar wrapper script named /usr/local/sbin/wrapper-dev that actually
starts the server with the sudo command line:
sudo -l server_user /usr/local/sbin/server_start-dev
Here is the relevant section of our /etc/sudoers file:
#User_Alias and Cmnd_Alias definitions:
User_Alias LEGAL_USERS=fred, bill, joe, server_user
Cmnd_Alias SERVER_START = /usr/local/sbin/server_start*
# Server_start privilege specification
LEGAL_USERS this_host = (server_user) NOPASSWD: SERVER_START
On Solaris, if I am a member of the LEGAL_USERS User_Alias, I can
successfully start either /usr/local/sbin/server_start or
/usr/local/sbin/server_start-dev using this approach of having a
trailing asterisk in the SERVER_START Cmnd_Alias.
However, on Linux (specifically RHEL5.4), if I run
/usr/local/sbin/wrapper or /usr/local/sbin/wrapper-dev that should be
calling:
sudo -l server_user /usr/local/sbin/server_start
and
sudo -l server_user /usr/local/sbin/server_start-dev
respectively, I get both a prompt for a password and then the error message:
User server_user is not allowed to run the command
"/usr/local/sbin/server_start" on this_host.
(and the equivalent error message when it tries to run
"/usr/local/sbin/server_start-dev").
While I can solve this by explicitly including both
/usr/local/sbin/server_start and /usr/local/sbin/server_start-dev in the
Cmnd_Alias on RHEL Linux, it seems as if using the wildcard * in the
Cmnd_Alias should work ... and it does work on Solaris. In fact, I think
that this wildcard in the Cmnd_Alias actually used to work on RHEL Linux.
Is this a misuse of a wildcard in a Cmnd_Alias? Can anyone explain why
this works on Solaris 10, but not on RHEL Linux 5.4?
Note: on Solaris 10, we are running Sudo 1.7.0 and on RHEL 5.4 we are
running Sudo 1.6.9p17.
Thanks for your consideration,
John
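The post hinges on what a trailing * in a Cmnd_Alias path actually permits. The script below is an added example, not part of the post and not code from the sudo project: it parses the Cmnd_Alias lines quoted above out of a sudoers fragment and lists which paths from a constructed directory listing each alias would match. It assumes sudoers-style wildcard semantics, where * and ? in a command path never match a forward slash (as documented in sudoers(5)); the parser handles only one alias per line, comma-separated entries, and ignores arguments and character-class patterns, which are simplifications made here. The EDITORS alias and the directory contents are constructed sample data.

```python
import re

# Constructed sample: the Cmnd_Alias lines quoted in the post, plus a
# hypothetical EDITORS alias to show a comma-separated entry list.
SAMPLE_SUDOERS = """\
#User_Alias and Cmnd_Alias definitions:
User_Alias LEGAL_USERS=fred, bill, joe, server_user
Cmnd_Alias SERVER_START = /usr/local/sbin/server_start*
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/bin/vim*
# Server_start privilege specification
LEGAL_USERS this_host = (server_user) NOPASSWD: SERVER_START
"""

# Constructed listing of what might live under /usr/local/sbin on such a host.
SAMPLE_PATHS = [
    "/usr/local/sbin/server_start",
    "/usr/local/sbin/server_start-dev",
    "/usr/local/sbin/server_start_old",
    "/usr/local/sbin/server_start/nested",   # file in a subdirectory
    "/usr/local/sbin/wrapper",
    "/usr/local/sbin/wrapper-dev",
]

_CMND_ALIAS_RE = re.compile(r"^\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+?)\s*$")


def parse_cmnd_aliases(text):
    """Return {alias_name: [command_path_pattern, ...]} from a sudoers fragment.

    Simplifications (assumptions of this example): one alias per line, entries
    separated by commas, and only the command path is kept (arguments dropped).
    """
    aliases = {}
    for line in text.splitlines():
        m = _CMND_ALIAS_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        patterns = []
        for entry in value.split(","):
            entry = entry.strip()
            if entry:
                patterns.append(entry.split()[0])   # path only, no args
        aliases[name] = patterns
    return aliases


def glob_to_regex(pattern):
    """Translate a sudoers command-path wildcard into a regex.

    '*' and '?' must not cross a '/', matching the sudoers(5) rule that a
    forward slash is never matched by a wildcard in the path name.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(r"[^/]*")
        elif ch == "?":
            out.append(r"[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile(r"\A" + "".join(out) + r"\Z")


def path_matches(pattern, path):
    """True if the command path matches the Cmnd_Alias entry."""
    return glob_to_regex(pattern).match(path) is not None


def audit_alias(aliases, name, candidate_paths):
    """Sorted list of candidate paths that the named alias would permit."""
    patterns = aliases.get(name, [])
    return sorted(p for p in candidate_paths
                  if any(path_matches(pat, p) for pat in patterns))


if __name__ == "__main__":
    parsed = parse_cmnd_aliases(SAMPLE_SUDOERS)
    for alias in parsed:
        print(f"{alias}: {parsed[alias]}")
        for path in audit_alias(parsed, alias, SAMPLE_PATHS):
            print(f"    permits {path}")
```

Run against a real sudoers file and a listing of the target directory, the report shows the practical point for reviewing such a rule: a trailing * on the basename grants every present and future file in that directory with the same prefix, so the directory's write permissions become part of the control, while a wildcard never reaches into subdirectories.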