[sudo-users] issues with sudo -i or sudo -s

Sudhakar PS Sudhakar.PS at tatatel.co.in
Thu Jun 10 09:03:33 EDT 2010


Hi Mark

Thanks for the guidance.

I am facing one issue. 

dbaadmin$ sudo -u oracle10 <some_command>: while executing this command, I would like the profile of oracle10 to be executed along with the command. It tells me "command not found", etc. I need to manually execute the profile file. I have multiple Oracle versions installed on a single server and require the account profile to be executed along with sudo -u <oraclex> <command>. Let me know if there is some solution / workaround.

Regards
Sudhakar


-----Original Message-----
From: Mark Janssen [mailto:maniac.nl at gmail.com] 
Sent: Thursday, June 10, 2010 5:55 PM
To: Sudhakar PS
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] issues with sudo -i or sudo -s

On Thu, Jun 10, 2010 at 12:23 PM, Sudhakar PS <Sudhakar.PS at tatatel.co.in> wrote:
> Sudoers File:
> oracle10 ALL=(ALL) ALL
> %dbaadmin       ALL=(DB) ALL
> %dbaadmin       ALL=(oracle10) ALL

This gives everyone in group dbaadmin full root access... they sudo to
oracle10, start a shell, and sudo to root ;P
Only the ALL=(oracle10) line should be enough...
dbaadmin$ sudo -u oracle10 <some_command>
is the command your users should use to run something as oracle10

> Cmnd_Alias SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh,/bin/rsh,/bin/jsh,/bin/pfcsh,/bin/pfksh,/bin/pfsh,/bin/rksh,/bin/tcsh,/bin/zsh,/bin/bash,/usr/bin/jsh,/usr/bin/pfcsh,/usr/bin/pfksh,/usr/bin/pfsh,/usr/bin/rksh,/usr/bin/tcsh,/usr/bin/zsh,/usr/bin/bash,/bin/su -,/bin/su - root,/usr/bin/su -,/usr/bin/su - root,/bin/su ""
> %sysadmin       ALL=!SHELLS

Negations don't work as you would expect... people can make a symlink
to a shell and start that, or they can start vi, and use a
shell-escape.
They can write their own script, which runs a shell, and start that.

> %sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more

You should make NOEXEC a default, and !NOEXEC the specific commands
that NEED it.

> %sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Second bit doesn't work as expected either...

> %dbaadmin       ALL=!SHELLS
Same...

> %dbaadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
Same...

-- 
Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x357D2178 |   ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl |  : :' :  |
Maniac.nl      MarkJanssen.nl      NerdNet.nl      Unix.nl |  `. `'   |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet |    `-    |
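
[Editor's note, added example, not part of either message in this thread.] The sudoers fragment below lays out the policy along the lines of Mark's reply: NOEXEC as the default, EXEC granted only to the few commands that need it, the DBA group allowed to run as oracle10 only, and no "subtract a shell from ALL" rules. The group and account names (dbaadmin, sysadmin, oracle10) are taken from the thread; the ORACLE run-as alias and the /usr/sbin/service path are assumptions for illustration.

```sudoers
# Added example, not from the original thread.  Group/user names come from the
# thread; the ORACLE alias and /usr/sbin/service are assumed for illustration.

# Make NOEXEC the default: every permitted command runs with sudo's noexec
# wrapper preloaded, so programs cannot spawn children (e.g. a shell escape).
Defaults        noexec

# Run-as alias for the Oracle accounts.  Only oracle10 appears in the thread;
# other per-version accounts (assumed to exist) would be listed here as well.
Runas_Alias     ORACLE = oracle10

# DBAs may run anything as an Oracle account and nothing as root.  There is
# deliberately no "oracle10 ALL=(ALL) ALL" line: combined with the rule below
# it would make "sudo -u oracle10 ..." a two-step path to a root shell.
%dbaadmin       ALL = (ORACLE) ALL

# Editors and pagers stay under the noexec default, so ":!sh" in vi fails
# instead of yielding a shell as the target user.
%sysadmin       ALL = /usr/bin/vi, /usr/bin/more

# Only commands that legitimately fork other programs are tagged EXEC:.
# Each entry here re-opens the shell-escape question for that one command,
# so keep the list short.  (/usr/sbin/service is an assumed example path.)
%sysadmin       ALL = EXEC: /usr/sbin/service

# Not included: "%group ALL = !SHELLS" style negations.  Excluding commands
# from ALL does not work as a control: a copy or symlink of a shell under
# another path, or a wrapper script, does not match the excluded names.
```

Two notes for whoever adopts this. First, noexec relies on the dynamic linker (an LD_PRELOAD-style hook), so it does not constrain statically linked programs; check the sudoers manual for the platform in use. Second, on the question in the top message: `sudo -i -u oracle10 <command>` runs the command through oracle10's login shell with `-c`, so that shell reads its login files (for example ~oracle10/.profile), whereas plain `sudo -u oracle10 <command>` does not start a login shell and therefore never sources the profile.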