[sudo-users] sudoers anomaly

Seul, Jeffrey JeffreySeul at officemax.com
Wed Jul 16 09:55:12 EDT 2008


Just to be fair, here is the entire entry for group %dba in my sudoers
file, dummied up a bit to protect real user IDs:

Runas_Alias ORACLE_USERS=oraa2, oraad, oraaq, oraax, oraep2, orabd,
orab, orab1, orabd, oracd, oract, orad, oract2, oradd, oraeqx, orafx,
oragx, orag

Cmnd_Alias SU_ORA=/usr/bin/su oracle, /usr/bin/su - oracle

Cmnd_Alias SU_ORA1=/usr/bin/su oracle1, /usr/bin/su - oracle1

Cmnd_Alias SU_ORA2=/usr/bin/su oracle2, /usr/bin/su - oracle2

Cmnd_Alias SU_ORA3=/usr/bin/su oracle3, /usr/bin/su - oracle3

# Oracle Administrators

%dba ALL=(ORACLE_USERS) NOPASSWD: !SHELLS, !BAD_CMDS, ALL

%dba ALL=(someuser1) NOPASSWD: /path/to/prog/*

%dba ALL=(someuser2) NOPASSWD: /path/to/prog/*

%dba ALL=(someuser3) NOPASSWD: /path/to/prog/*

%dba ALL=(oracle) NOPASSWD: !SHELLS, !BAD_CMDS, ALL,
/usr/local/bin/rename-file.ksh

%dba ALL=(root) NOPASSWD: !SHELLS, !BAD_CMDS, /*/orainstRoot.sh,
/*/*/orainstRoot.sh, /*/*/*/orainstRoot.sh, /*/*/*/*/orainstRoot.sh,
/*/*/*/*/*/orainstRoot.sh, /*/*/*/*/*/*/orainstRoot.sh,
/*/*/*/*/*/*/*/orainstRoot.sh, /*/*/*/*/*/*/*/*/orainstRoot.sh,
/*/root.sh, /*/*/root.sh, /*/*/*/root.sh, /*/*/*/*/root.sh,
/*/*/*/*/*/root.sh, /*/*/*/*/*/*/root.sh, /*/*/*/*/*/*/*/root.sh,
/*/*/*/*/*/*/*/*/root.sh, /opt/OV/*, /opt/VRTSvcs/bin/hamtce,
/oracle/*/app/1020/bin/localconfig, /oracle/prod/102/bin/vipca,
/usr/local/bin/rename-dbfile.ksh

%dba ALL=(root) NOPASSWD: SU_ORA1, SU_ORA2, SU_ORA3, SU_ORA4, SU_ORA

Again, my situation is that even though someone in group dba has the
ability to run, with no passwd,

sudo -u oraa2 ls

the command execution of sudo prompts the user for a password, and then
allows the action.

What am I doing wrong here?

Jeff



