[sudo-users] Owner sudo process
Rémi CELLIER
cellier at gmail.com
Tue Sep 3 03:28:27 MDT 2013
Hello,
We are currently conducting an upgrade of one of our business tools.The
old version use linux red hat ES 4.9 with sudo 1.6.7p5. The new version use
linux red hat ES 6.4 with sudo 1.8.6p3.
On the old version, if you do a "ps" sudo process it belongs to the target
user:
[user @ oldserv ~] $ sudo -u usertest sqlplus /
[root @ oldserv ~] # ps-ef | grep sqlplus
usertest 30871 30811 0 10:47 pts / 4 0:00:00 sesh /
u01/app/oracle/product/10.1.0/Db_1/bin/sqlplus /
usertest 30873 30871 0 10:47 pts / 4 0:00:00 /
u01/app/oracle/product/10.1.0/Db_1/bin/sqlplus
On the new version, there is a process that belongs to sudo root.
[root @ newserv ~] # ps-ef | grep sqlplus
root 46560 46421 0 10:45 pts / 0 0:00:00 sudo-u usertest sqlplus /
usertest 46562 46560 0 10:45 pts / 0 0:00:00 sqlplus
Is it possible to continue to have the behavior of the old version? We have
many impacts of this change.
I try differents solutions like togle '-P' on sudo command and
"stay_setuid" in /etc/sudo.conf. Do you have any clue to solve my problem ?
You can found below the sudo configuration :
[root at newserv ~]# sudo -V
Sudo version 1.8.6p3
Configure options: --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu
--program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec
--localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin
--libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p3
--with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login
--with-editor=/bin/vi --with-env-editor --with-ignore-dot
--with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf
--with-selinux --with-passprompt=[sudo] password for %p:
--with-linux-audit --with-sssd
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Always set $HOME to the target user's home directory
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONUSERBASE
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
PATH
ORACLE_SID
ORACLE_BASE
ORACLE_HOME
XAUTHORITY
_XKB_CHARSET
LINGUAS
LANGUAGE
LC_ALL
LC_TIME
LC_TELEPHONE
LC_PAPER
LC_NUMERIC
LC_NAME
LC_MONETARY
LC_MESSAGES
LC_MEASUREMENT
LC_IDENTIFICATION
LC_COLLATE
LC_CTYPE
LC_ADDRESS
LANG
USERNAME
QTDIR
PS2
PS1
MAIL
LS_COLORS
KDEDIR
INPUTRC
HISTSIZE
HOSTNAME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
Local IP address and netmask pairs:
x.x.x.x/255.255.255.0
xxxx/ffff:ffff:ffff:ffff::
Sudoers I/O plugin version 1.8.6p3
Best Regards
More information about the sudo-users
mailing list