
Saturday, September 20, 2014

Solaris 11 How to Configure SUDO


Sudo (Super User Do) is a third-party tool that lets a Unix administrator give a user access to run certain commands with privileges equivalent to root. Up to Solaris 10, the sudo packages had to be installed and configured separately. In Solaris 11, sudo is provided as a built-in package. This article covers the sudo installation and configuration method in detail.

/etc/sudoers is the configuration file for sudo. This file MUST be edited with the 'visudo' command as root. Let us look at the sudo prerequisites needed to grant the required permissions to a user.

| Specification | Description | Example |
|---|---|---|
| User_Alias | Groups of users, separated by commas | User_Alias ORAADM = raj, dileep, linges |
| Cmnd_Alias | Groups of commands, separated by commas | Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice |
| User_Privilege | Allows a User_Alias to execute a Cmnd_Alias | ORAADM ALL = PROCESSES (or) ORAADM ALL = NOPASSWD: PROCESSES |

You can download the sudo package for your OS version from the link below.
http://www.sudo.ws/sudo/download.html

Once the download is complete, follow these steps to install sudo.
bash-3.00# uname -a
SunOS unixrock 5.10 Generic_142910-17 i86pc i386 i86pc
bash-3.00# pkgadd -d /var/tmp/TCMsudo-1.8.7-i386.pkg.gz

The following packages are available:
  1  TCMsudo     sudo 1.8.7
                 (i386) 1.8.7

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all
Processing package instance  from 
## Installing package  in global zone

sudo 1.8.7(i386) 1.8.7
(c) 1993-1996,1998-2013 Todd C. Miller
## Booting non-running zone  into administrative state
## Processing package information.
## Processing system information.
   51 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

The following files are being installed with setuid and/or setgid
permissions:
  /usr/local/bin/sudo 

Do you want to install these as setuid/setgid files [y,n,?,q] y
This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of  [y,n,?] y

Installing sudo 1.8.7 as 

## Installing part 1 of 1.
[ verifying class  ]
## Executing postinstall script.
/etc/sudoers.dist
/usr/local/bin/sudo
/usr/local/bin/sudoedit 
/usr/local/bin/sudoreplay
/usr/local/include/sudo_plugin.h
/usr/local/libexec/sudo/group_file.so
/usr/local/libexec/sudo/sudo_noexec.so
/usr/local/libexec/sudo/sudoers.so
/usr/local/libexec/sudo/system_group.so
/usr/local/man/man1m/sudo.1m
/usr/local/man/man1m/sudo_plugin.1m
/usr/local/man/man1m/sudoedit.1m 
/usr/local/man/man1m/sudoreplay.1m
/usr/local/man/man1m/visudo.1m
/usr/local/man/man4/sudo.conf.4
/usr/local/man/man4/sudoers.4
/usr/local/sbin/visudo
Installation of  was successful.
bash-3.00#
After the installation, the sudoers file is in the following location:
bash-3.00# ls -ltr /etc/sudoers
-r--r-----   1 root     root        2919 Jul 12 22:53 /etc/sudoers
bash-3.00#
NOTE: Most of the time you can find the sudoers file in "/usr/local/etc".

Now we are ready to configure sudoers with the "visudo" command. The example below works from the following requirements. The users are linges, dillep, suneel and oraadm. These users are requesting to execute the useradd, userdel and usermod commands. suneel should only be able to execute the userdel command.
## User alias specification
User_Alias    ADMIN_USER = linges, dillep, oraadm

## Cmnd alias specification
Cmnd_Alias  ADMIN_CMD = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod

## User privilege specification
ADMIN_USER  ALL=NOPASSWD: ADMIN_CMD 
suneel      ALL=NOPASSWD: /usr/sbin/userdel
With the command below we can check each user's sudo permissions.
bash-3.00# /usr/local/bin/sudo -l -U oraadm
User oraadm may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
bash-3.00#
bash-3.00# /usr/local/bin/sudo -l -U suneel
User suneel may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/userdel
bash-3.00#
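
To review such rules as a whole, the added example below (not part of the original post) expands the User_Alias and Cmnd_Alias entries from this article into one line per user and command and lists the NOPASSWD grants. The helper names expand_sudoers and nopasswd_grants are hypothetical, and the parser assumes aliases are defined before use and handles only the syntax shown in this article.

```shell
#!/bin/sh
# Constructed sample input: the rules from this article.
SAMPLE_SUDOERS='## User alias specification
User_Alias    ADMIN_USER = linges, dillep, oraadm
## Cmnd alias specification
Cmnd_Alias  ADMIN_CMD = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
## User privilege specification
ADMIN_USER  ALL=NOPASSWD: ADMIN_CMD
suneel      ALL=NOPASSWD: /usr/sbin/userdel'
# expand_sudoers (hypothetical helper): sudoers text on stdin, one grant per
# output line: <user> <PASSWD|NOPASSWD> <command>. Covers only the subset used
# here: aliases defined before use, no Runas specs, continuations or includes.
expand_sudoers() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
    $1 ~ /^(Defaults|Host_Alias|Runas_Alias)/ { next } # not grants
    $1 == "User_Alias" || $1 == "Cmnd_Alias" {
      body = $0
      sub(/^[ \t]*[A-Za-z_]+[ \t]+/, "", body)         # drop the keyword
      eq = index(body, "=")
      name = trim(substr(body, 1, eq - 1))
      if ($1 == "User_Alias") users[name] = substr(body, eq + 1)
      else                    cmds[name]  = substr(body, eq + 1)
      next
    }
    {
      eq = index($0, "=")
      if (eq == 0) next
      who  = $1                                        # user or User_Alias
      spec = trim(substr($0, eq + 1))
      tag  = "PASSWD"
      if (sub(/^NOPASSWD:[ \t]*/, "", spec)) tag = "NOPASSWD"
      nu = split((who in users) ? users[who] : who, ulist, ",")
      nc = split(spec, clist, ",")
      for (i = 1; i <= nu; i++)
        for (j = 1; j <= nc; j++) {
          c  = trim(clist[j])                          # may be a Cmnd_Alias
          nk = split((c in cmds) ? cmds[c] : c, klist, ",")
          for (k = 1; k <= nk; k++)
            print trim(ulist[i]), tag, trim(klist[k])
        }
    }
  '
}
# nopasswd_grants: only the grants that skip re-authentication.
nopasswd_grants() { expand_sudoers | awk '$2 == "NOPASSWD" { print $1, $3 }'; }
printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_grants
```

The output of "sudo -l -U" remains the authoritative view of what sudo will allow; this listing is a quick way to read a sudoers fragment on a host where it is not yet installed.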
Let us try to execute one of the privileged commands.
bash-3.00# su - oraadm
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
$ id
uid=103(oraadm) gid=1(other)
$ useradd
useradd: not found
$ /usr/sbin/useradd raj
UX: /usr/sbin/useradd: ERROR: Permission denied.
$
A normal user is not able to run the useradd command here. Let us run it with sudo.
$ id -a
uid=103(oraadm) gid=1(other) groups=1(other)
$
$ /usr/local/bin/sudo -l
User oraadm may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
$
$ /usr/local/bin/sudo /usr/sbin/useradd raj
$
$ tail -2 /etc/passwd
oraadm:x:103:1::/export/home/oraadm:/bin/sh
raj:x:104:1::/home/raj:/bin/sh
$
Yes, now we are able to execute the admin (root) command with sudo without any trouble.