[sudo-users] issues with sudo -i or sudo -s

Sudhakar PS Sudhakar.PS at tatatel.co.in
Fri Jun 11 06:35:20 EDT 2010


My profile issue is addressed when I execute the command "sudo -i -u
oracle10 <any command>".

If I don't pass any command as an argument, it leaves me in the
shell of oracle10. I need to block users from accessing the shell of
oracle10 directly. Users should access everything through their individual
login only.

If I block the shells with !SHELLS, then -i is not working.

Can anybody help us in this regard?


-----Original Message-----
From: Sudhakar PS 
Sent: Friday, June 11, 2010 3:19 PM
To: 'Aaron Lewis'
Cc: Mark Janssen; sudo-users at sudo.ws
Subject: RE: [sudo-users] issues with sudo -i or sudo -s


Tried with env_keep as well but unable to load the user profile. Can
anybody help me in this regard?


-----Original Message-----
From: Aaron Lewis [mailto:aaron.lewis1989 at gmail.com] 
Sent: Thursday, June 10, 2010 7:45 PM
To: Sudhakar PS
Cc: Mark Janssen; sudo-users at sudo.ws
Subject: Re: [sudo-users] issues with sudo -i or sudo -s


On 06/10/2010 09:03 PM, Sudhakar PS wrote:
> Hi Mark
> Thanks for the guidance.
> I am facing one issue. 
> dbaadmin$ sudo -u oracle10 <some_command>, while executing this
> command, I would like the profile of oracle10 to be executed along with
> the command. It tells me command not found etc. I need to manually
> execute the profile file. I have multiple oracle versions installed on a
> single server, require the account profile to be executed along with the
> sudo -u <oraclex> <command>.  Let me know if I have some solution /

Maybe `env_keep' will help?
Looks like some environment variable is not passed to your shell.

	Defaults:oracle10 env_keep="ORACLE_HOME"	

> Reg
> Sudhakar
> -----Original Message-----
> From: Mark Janssen [mailto:maniac.nl at gmail.com] 
> Sent: Thursday, June 10, 2010 5:55 PM
> To: Sudhakar PS
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] issues with sudo -i or sudo -s
> On Thu, Jun 10, 2010 at 12:23 PM, Sudhakar PS <Sudhakar.PS at tatatel.co.in> wrote:
>> Sudoers File:
>> oracle10 ALL=(ALL) ALL
>> %dbaadmin       ALL=(DB) ALL
>> %dbaadmin       ALL=(oracle10) ALL
> This gives everyone in group dbaadmin full root access... they sudo to
> oracle10, start a shell, and sudo to root ;P
> Only the ALL=(oracle10) line should be enough...
> dbaadmin$ sudo -u oracle10 <some_command>
> is the command your users should use to run something as oracle10
>> Cmnd_Alias
>> sh,/usr/bin/tcsh,/usr/bin/zsh,/usr/bin/bash,/bin/su -,/bin/su -
>> root,/usr/bin/su -, /usr/bin/su - root,/bin/su ""
>> %sysadmin       ALL=!SHELLS
> Negations don't work as you would expect... people can make a symlink
> to a shell and start that, or they can start vi, and use a
> shell-escape.
> They can write their own script, which runs a shell, and start that.
>> %sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
> You should make NOEXEC a default, and !NOEXEC the specific commands
> that NEED it.
>> %sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
> Second bit doesn't work as expected either...
>> %dbaadmin       ALL=!SHELLS
> Same...
>> %dbaadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
> Same...

-- 
Best Regards,
Aaron Lewis - PGP: 0x4A6D32A0
FingerPrint EA63 26B2 6C52 72EA A4A5 EB6B BDFE 35B0 4A6D 32A0
irc: A4r0n on freenode
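
An added example, not part of the original thread or of sudo itself: a small Python check that scans sudoers text for the three patterns Mark points out (negated commands, a run-as chain that ends at root, NOEXEC set per command rather than as a default). The function name `audit`, the regexes and the finding strings are assumptions made for this illustration; it reads only simple one-line rules and does not expand aliases such as `DB` or `SHELLS`.

```python
import re

# Constructed input: the sudoers lines quoted in the thread above.
SAMPLE = """\
oracle10 ALL=(ALL) ALL
%dbaadmin       ALL=(DB) ALL
%dbaadmin       ALL=(oracle10) ALL
%sysadmin       ALL=!SHELLS
%sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
%sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
"""

# who host = (runas) commands; a missing runas list means root.
SPEC = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # leading tags such as NOEXEC:
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Runas_Alias", "Host_Alias")

def audit(text):
    """Return sorted (line_no, finding) pairs for the patterns Mark points out."""
    lines = [l.strip() for l in text.splitlines()]
    noexec_default = any(re.match(r"Defaults\s+(.*,\s*)?noexec\b", l) for l in lines)
    findings, full = set(), {}   # full: who -> [(line_no, runas targets)] for ALL grants
    for n, line in enumerate(lines, 1):
        m = SPEC.match(line)
        if not line or line.startswith(SKIP) or not m:
            continue
        who, runas, cmds = m.groups()
        targets = {r.strip() for r in (runas or "root").split(":")[0].split(",")}
        for cmd in (TAGS.sub("", c.strip()) for c in cmds.split(",")):
            if cmd.startswith("!"):
                findings.add((n, "negated command can be sidestepped: " + cmd))
            elif cmd == "ALL":
                full.setdefault(who, []).append((n, targets))
        if "NOEXEC:" in cmds and not noexec_default:
            findings.add((n, "NOEXEC set per command, not as a default"))
    # Chain: who may run ALL as T, and T may itself run ALL as root or ALL.
    to_root = {w for w, g in full.items() if any(t & {"ALL", "root"} for _, t in g)}
    for who, grants in full.items():
        for n, targets in grants:
            for t in sorted(targets & (to_root - {who})):
                findings.add((n, f"{who} can run ALL as {t}, and {t} can run ALL as root"))
    return sorted(findings)

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
```
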
