/etc/sudoers is configuration file for sudo. This file MUST be edited with the 'visudo' command as root. Let we can see the sudo prerequisites, in order to provide the required permission to user.
| Specification | Descriptions | Examples |
|---|---|---|
| User_Alias | Groups of users which is seprated by comma | User_Alias ORAADM = raj, dileep, linges |
| Cmnd_Alias | Groups of commands which is seprated by comma | Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice |
| User_Privilege | Allow User_Alias to execute Cmnd_Alias | ORAADM ALL = PROCESSES (or) ORAADM ALL = NOPASSWD: PROCESSES |
You can download your sudo packages in given below link with respective your OS versions.
Once your download is completed, please do the following steps to install the sudoers.
bash-3.00# uname -a
SunOS unixrock 5.10 Generic_142910-17 i86pc i386 i86pc
bash-3.00# pkgadd -d /var/tmp/TCMsudo-1.8.7-i386.pkg.gz
The following packages are available:
1 TCMsudo sudo 1.8.7
(i386) 1.8.7
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all
Processing package instance from
## Installing package in global zone
sudo 1.8.7(i386) 1.8.7
(c) 1993-1996,1998-2013 Todd C. Miller
## Booting non-running zone into administrative state
## Processing package information.
## Processing system information.
51 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
The following files are being installed with setuid and/or setgid
permissions:
/usr/local/bin/sudo
Do you want to install these as setuid/setgid files [y,n,?,q] y
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of [y,n,?] y
Installing sudo 1.8.7 as
## Installing part 1 of 1.
[ verifying class ]
## Executing postinstall script.
/etc/sudoers.dist
/usr/local/bin/sudo
/usr/local/bin/sudoedit
/usr/local/bin/sudoreplay
/usr/local/include/sudo_plugin.h
/usr/local/libexec/sudo/group_file.so
/usr/local/libexec/sudo/sudo_noexec.so
/usr/local/libexec/sudo/sudoers.so
/usr/local/libexec/sudo/system_group.so
/usr/local/man/man1m/sudo.1m
/usr/local/man/man1m/sudo_plugin.1m
/usr/local/man/man1m/sudoedit.1m
/usr/local/man/man1m/sudoreplay.1m
/usr/local/man/man1m/visudo.1m
/usr/local/man/man4/sudo.conf.4
/usr/local/man/man4/sudoers.4
/usr/local/sbin/visudo
Installation of was successful.
bash-3.00#
After the installation we will get the sudoers file in the following locationsbash-3.00# ls -ltr /etc/sudoers -r--r----- 1 root root 2919 Jul 12 22:53 /etc/sudoers bash-3.00#NOTE : Most of the time you can find the sudoers file on "/usr/local/etc"
Now we are ready to configure the sudoers with "visudo" command. In below example we are going to work on below prerequisites. Users are linges, dillep, suneel, oraadm. Listed Users are requesting to execute the useradd, userdel, usermod commands. suneel should only execute userdel command.
## User alias specification User_Alias ADMIN_USER = linges, dillep, oraadm ## Cmnd alias specification Cmnd_Alias ADMIN_CMD = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod ## User privilege specification ADMIN_USER ALL=NOPASSWD: ADMIN_CMD suneel ALL=NOPASSWD: /usr/sbin/userdelFrom below command we can check the respective users sudo persmissions.
bash-3.00# /usr/local/bin/sudo -l -U oraadm
User oraadm may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
bash-3.00#
bash-3.00# /usr/local/bin/sudo -l -U suneel
User suneel may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/userdel
bash-3.00#
Let we can try to execute the user Privilege commandbash-3.00# su - oraadm Oracle Corporation SunOS 5.10 Generic Patch January 2005 $ id uid=103(oraadm) gid=1(other) $ useradd useradd: not found $ /usr/sbin/useradd raj UX: /usr/sbin/useradd: ERROR: Permission denied. $As a normal user couldn't able to run the useradd command here. let we can use with sudo
$ id -a
uid=103(oraadm) gid=1(other) groups=1(other)
$
$ /usr/local/bin/sudo -l
User oraadm may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
$
$ /usr/local/bin/sudo /usr/sbin/useradd raj
$
$ tail -2 /etc/passwd
oraadm:x:103:1::/export/home/oraadm:/bin/sh
raj:x:104:1::/home/raj:/bin/sh
$
No comments:
Post a Comment