[sudo-users] Runas Query.

Gary.Haden at saga.co.uk Gary.Haden at saga.co.uk
Mon Mar 19 11:07:21 EDT 2012


Hi Kevin,

sudo -l says -
Matching Defaults entries for tia on this host:
    !authenticate

User tia may run the following commands on this host:
    (tia) /usr/local/setuids/tiadaemon2, (tia)
    /saga/opt/TIA/dev1/object/pgm/backgr/shl/F1095.shl

Yes, agree that trying to sudo as tia when I'm tia doesn't make sense but
we're also getting it with other logins. However surely that highlights an
issue if you can't sudo to run something yourself?

This is the sudo -l from another user and they also get the same message -
devupg.[DBADEV] > sudo -l
Matching Defaults entries for devupg on this host:
    !authenticate, runas_default=tia

User devupg may run the following commands on this host:
    (tia) /saga/app/oracle/forms_gen/fgen_tia, (tia)
    /saga/app/oracle/forms_gen/fgen_tia_build, (tia)
    /saga/app/oracle/class_gen/cgen_tia_build, (tia)
    /saga/app/oracle/jar_gen/jgen_tia_build
    (oracle) /saga/app/oracle/proc_gen/proc.shl, (oracle)
    /saga/bin/remote_forms.sh
    (tia) /usr/local/setuids/tiadaemon2, (tia)
    /saga/opt/TIA/dev1/object/pgm/backgr/shl/F1095.shl

Sorry, user tia is not allowed to execute
'/saga/opt/TIA/dbadev/object/pgm/backgr/shl/F1095.shl' as root on draco.

Thanks

Gary.


                                                                           
             Kevin Shortt                                                  
             <kevinshortt at gmai                                             
             l.com>                                                     To 
             Sent by:                  Gary.Haden at saga.co.uk               
             kevin.shortt at gmai                                          cc 
             l.com                     sudo-users at sudo.ws                  
                                                                   Subject 
                                       Re: [sudo-users] Runas Query.       
             19/03/2012 14:46                                              
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




What does "sudo -l" say?

And another glaring question:  Why are you using sudo to run a script as
the same user?
Your error states "user tia is not allowed.." and you have the "runas" i.e
(tia) set to tia.

-Kevin



On Mon, Mar 19, 2012 at 7:13 AM, <Gary.Haden at saga.co.uk> wrote:

  Hi,

  We're getting the following message when trying to run a sudo command -

  Sorry, user tia is not allowed to execute
  '/saga/opt/TIA/dev1/object/pgm/backgr/shl/F1095.shl' as root on draco.

  However we want it to run as user tia (not root) and the line in the
  sudoers file reflects this -

  TD2GRP DRACO=(tia) /usr/local/setuids/tiadaemon2,
  /saga/opt/TIA/dev1/object/pgm/backgr/shl/F1095.shl

  These are the other parameters we have in the file -

  Host_Alias DRACO = draco

  User_Alias TIAGRP = devaxs, devupg
  User_Alias ORAGRP = devaxs, devupg
  User_Alias TD2GRP = devaxs, devupg, tia

  Defaults !authenticate
  Defaults:TIAGRP runas_default=tia

  root ALL=(ALL) ALL

  TIAGRP DRACO=(tia) /saga/app/oracle/forms_gen/fgen_tia, /saga/app/oracle/forms_gen/fgen_tia_build, /saga/app/oracle/class_gen/cgen_tia_build, /saga/app/oracle/jar_gen/jgen_tia_build

  ORAGRP DRACO=(oracle) /saga/app/oracle/proc_gen/proc.shl, /saga/bin/remote_forms.sh

  oracle DRACO=(root) /saga/app/oracle/forms_gen/fix_fmx, /saga/app/oracle/forms_gen/fix_file, /saga/app/oracle/class_gen/fix_class, /saga/app/oracle/jar_gen/fix_jar

  TD2GRP DRACO=(tia) /usr/local/setuids/tiadaemon2, /saga/opt/TIA/dev1/object/pgm/backgr/shl/F1095.shl


  Any ideas what needs to be added/removed/changed?

  The /usr/local/setuids/tiadaemon2 which is on the same line works and the
  only differences are in the owner and permissions so should I be changing
  these?

  -rwxr--r--    1 tia      dev             764 28 Jun 2006  /saga/opt/TIA/dev1/object/pgm/backgr/shl/F1095.shl
  -rwxr-xr-x    1 root     system         3764 16 Mar 08:53 /usr/local/setuids/tiadaemon2

  Thanks

  Gary.


  ____________________________________________________________
  sudo-users mailing list <sudo-users at sudo.ws>
  For list information, options, or to unsubscribe, visit:
  http://www.sudo.ws/mailman/listinfo/sudo-users
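
Added example (not written by anyone in this thread, and not sudo's own code): a simplified model of how sudo picks the run-as user when no -u is given, built from the aliases, Defaults and rules quoted above. It shows why the two "sudo -l" outputs differ (only devupg lists runas_default=tia) and why a request by tia is evaluated "as root". Assumptions: a single host, exact command paths, no wildcards or tags; the function names are hypothetical.

```python
# Constructed model of the sudoers quoted in this thread. Assumptions: one
# host, exact command paths, no wildcards or tags; root's ALL rule is omitted.
USER_ALIASES = {
    "TIAGRP": {"devaxs", "devupg"},
    "ORAGRP": {"devaxs", "devupg"},
    "TD2GRP": {"devaxs", "devupg", "tia"},
}
# Defaults:TIAGRP runas_default=tia  (applies only to members of TIAGRP)
RUNAS_DEFAULTS = {"TIAGRP": "tia"}

F1095_DEV1 = "/saga/opt/TIA/dev1/object/pgm/backgr/shl/F1095.shl"
F1095_DBADEV = "/saga/opt/TIA/dbadev/object/pgm/backgr/shl/F1095.shl"
ORA = "/saga/app/oracle/"
RULES = [  # (user or alias, runas user, permitted commands)
    ("TIAGRP", "tia", {ORA + "forms_gen/fgen_tia", ORA + "forms_gen/fgen_tia_build",
                       ORA + "class_gen/cgen_tia_build", ORA + "jar_gen/jgen_tia_build"}),
    ("ORAGRP", "oracle", {ORA + "proc_gen/proc.shl", "/saga/bin/remote_forms.sh"}),
    ("oracle", "root", {ORA + "forms_gen/fix_fmx", ORA + "forms_gen/fix_file",
                        ORA + "class_gen/fix_class", ORA + "jar_gen/fix_jar"}),
    ("TD2GRP", "tia", {"/usr/local/setuids/tiadaemon2", F1095_DEV1}),
]

def members(who):
    """Expand a User_Alias; a plain user name stands for itself."""
    return USER_ALIASES.get(who, {who})

def target_user(user, dash_u=None):
    """Run-as user: an explicit -u wins, then a matching runas_default, then root."""
    if dash_u:
        return dash_u
    for alias, runas in RUNAS_DEFAULTS.items():
        if user in members(alias):
            return runas
    return "root"  # sudo's built-in runas_default

def check(user, command, dash_u=None):
    """Return (allowed, target user) for `sudo [-u dash_u] command` run by user."""
    target = target_user(user, dash_u)
    allowed = any(user in members(who) and target == runas and command in cmds
                  for who, runas, cmds in RULES)
    return allowed, target

if __name__ == "__main__":
    for user, cmd, dash_u in [("tia", F1095_DEV1, None), ("tia", F1095_DEV1, "tia"),
                              ("devupg", F1095_DEV1, None), ("devupg", F1095_DBADEV, None)]:
        print(user, dash_u or "(no -u)", cmd, "->", check(user, cmd, dash_u))
```

In this model the dbadev path from the second error message matches no rule for any run-as user, because the quoted sudoers lists only the dev1 path.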





