[sudo-users] issues with sudo -i or sudo -s

Aaron Lewis aaron.lewis1989 at gmail.com
Thu Jun 10 10:14:45 EDT 2010


On 06/10/2010 09:03 PM, Sudhakar PS wrote:
> Hi Mark
> 
> Thanks for the guidance.
> 
> I am facing one issue. 
> 
> dbaadmin$ sudo -u oracle10 <some_command>, while executing this command, I would like the profile of oracle10 to be executed along with the command. It tells me command not found etc. I need to manually execute the profile file. I have multiple oracle versions installed on a single server, require the account profile to be executed along with the sudo -u <oraclex> <command>. Let me know if I have some solution / workaround.
> 

Maybe `env_keep' will help?
Looks like some environment variable is not passed to your shell.

e.g.
	# ">" applies the setting when running as oracle10; "+=" appends to the default keep list
	Defaults>oracle10 env_keep+="ORACLE_HOME"

> Reg
> Sudhakar
> 
> 
> -----Original Message-----
> From: Mark Janssen [mailto:maniac.nl at gmail.com] 
> Sent: Thursday, June 10, 2010 5:55 PM
> To: Sudhakar PS
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] issues with sudo -i or sudo -s
> 
> On Thu, Jun 10, 2010 at 12:23 PM, Sudhakar PS <Sudhakar.PS at tatatel.co.in> wrote:
>> Sudoers File:
>> oracle10 ALL=(ALL) ALL
>> %dbaadmin       ALL=(DB) ALL
>> %dbaadmin       ALL=(oracle10) ALL
> 
> This gives everyone in group dbaadmin full root access... they sudo to
> oracle10, start a shell, and sudo to root ;P
> Only the ALL=(oracle10) line should be enough...
> dbaadmin$ sudo -u oracle10 <some_command>
> is the command your users should use to run something as oracle10
> 
>> Cmnd_Alias SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh,/bin/rsh,/bin/jsh,/bin/pfcsh,/bin/pfksh,/bin/pfsh,/bin/rksh,/bin/tcsh,/bin/zsh,/bin/bash,/usr/bin/jsh,/usr/bin/pfcsh,/usr/bin/pfksh,/usr/bin/pfsh,/usr/bin/rksh,/usr/bin/tcsh,/usr/bin/zsh,/usr/bin/bash,/bin/su -,/bin/su - root,/usr/bin/su -, /usr/bin/su - root,/bin/su ""
>> %sysadmin       ALL=!SHELLS
> 
> Negations don't work as you would expect... people can make a symlink
> to a shell and start that, or they can start vi, and use a
> shell-escape.
> They can write their own script, which runs a shell, and start that.
> 
>> %sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
> 
> You should make NOEXEC a default, and !NOEXEC the specific commands
> that NEED it.
> 
>> %sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
> Second bit doesn't work as expected either...
> 
>> %dbaadmin       ALL=!SHELLS
> Same...
> 
>> %dbaadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
> Same...
> 


-- 
Best Regards,
Aaron Lewis - PGP: 0x4A6D32A0
FingerPrint EA63 26B2 6C52 72EA A4A5 EB6B BDFE 35B0 4A6D 32A0
irc: A4r0n on freenode
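
The review points raised in the quoted thread (a run-as target that can itself reach root, negated command entries, NOEXEC applied per command instead of as a default) can be checked mechanically. The following is an added example, not part of the original message or of sudo itself: a small Python lint over the rules quoted above. The finding codes and function names are hypothetical, the sample is constructed from the thread with the SHELLS alias shortened, and the parser is deliberately simplified (it does not expand aliases or resolve group membership).

```python
import re

# Constructed sample: the rules quoted in the thread (SHELLS alias shortened).
SUDOERS = """\
oracle10 ALL=(ALL) ALL
%dbaadmin       ALL=(DB) ALL
%dbaadmin       ALL=(oracle10) ALL
Cmnd_Alias SHELLS=/usr/bin/sh,/usr/bin/bash,/bin/su -
%sysadmin       ALL=!SHELLS
%sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
%sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
"""

RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

def parse(text):
    """Yield (line_no, who, runas, tags, cmds) per user rule; skip Defaults and aliases."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RULE.match(line)
        if not m or re.match(r"#|Defaults\b|\w+_Alias\b", line):
            continue
        who, runas, spec = m.groups()
        tags, cmds = set(), []
        for tok in spec.split(","):
            t, cmd = TAGS.match(tok.strip()).groups()
            tags.update(re.findall(r"[A-Z_]+", t))
            cmds.append(cmd)
        yield no, who, [r.strip() for r in (runas or "root").split(",")], tags, cmds

def lint(text):
    """Return (line_no, code) findings for the patterns criticised in the thread."""
    rules = list(parse(text))
    noexec_default = re.search(r"^\s*Defaults\s+noexec\b", text, re.M) is not None
    # Anyone allowed to run ALL commands as ALL users is root-equivalent.
    rooty = {who for _, who, runas, _, cmds in rules if "ALL" in runas and "ALL" in cmds}
    out = []
    for no, who, runas, tags, cmds in rules:
        if "ALL" in runas and "ALL" in cmds:
            out.append((no, "ROOT_EQUIVALENT"))
        elif "ALL" in cmds and rooty & set(runas):
            out.append((no, "TRANSITIVE_ROOT"))  # run-as target can itself sudo to root
        if any(c.startswith("!") for c in cmds):
            out.append((no, "NEGATION"))  # bypassed by symlink, shell escape, wrapper script
        if "NOEXEC" in tags and not noexec_default:
            out.append((no, "NOEXEC_PER_COMMAND"))  # thread advises noexec as the default
    return out

if __name__ == "__main__":
    for no, code in lint(SUDOERS):
        print(f"line {no}: {code}")
```

Removing the `oracle10 ALL=(ALL) ALL` rule clears the TRANSITIVE_ROOT finding on the `%dbaadmin ALL=(oracle10) ALL` line, which is the chain Mark describes.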


