[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Runnign a command as a differen user using sudo

Posted on 2006-04-12
Medium Priority
Last Modified: 2008-03-04
Hello , I am using sudo to grant a user to execute another userr's  script as that  user. This is my sudeors file:
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.

# Host alias specification
#Host_Alias     SUN = sunapp15

# User alias specification
User_Alias     BEA_USERS = qa

# Cmnd alias specification
Cmnd_Alias      CMMENU = \
                        /wrkbrain/bea/staging/menu/, \
                        /wrkbrain/bea/staging/cmmenu/, \
                        /wrkbrain/bea/staging/bin/, \

Cmnd_Alias      SU = /usr/bin/su

Defaults                logfile=/var/adm/sudo.log
#Defaults:qa             logfile=/usr/local/log/sudo.bea, runas_default=bea

# Runas alias specification
Runas_Alias    BEA = bea

# User privilege specification
#root   ALL=(ALL) ALL

#qaadmin        ALL = (BEA)     NOPASSWD: CMMENU

Two thing: first the NOPASSWD option doesn't work properly, Second when running a specific script, the log file ownership is root root. Doesn't it have to be owned by the Runas_Alias user? If not, is there a way to do that?



P.S. this is running on a solaris V.9
Question by:agi_david
  • 3
  • 2

Author Comment

ID: 16439609
Sorry about the grammer. The last portion suppose to be the follow.
Two thing: first the NOPASSWD option doesn't work properly, Second when running a specific script, the log file that is creates  is owned by  root root. Doesn't it have to be owned by the Runas_Alias user? If not, is there a way to do that?



LVL 34

Expert Comment

ID: 16440473
What VERSION of sudo?

The target program does NOT have to be owned by the Runas_Alias user (or group). But it must be EXECUTABLE by that user or group. If its owned by root:root and the mode include world-executable, that's fine.

Author Comment

ID: 16440950
the version is Sudo version 1.6.7p5.  Basicly I am user qa running a bea script. This script creates a log file. Now the ownership of this new file is
-rw-r--r--   1 root     root           0 Apr 12 14:34 AGI44.  If i run this script as BEA user, shouldn't the AGI44 file  be created with the BEA  ownership??


Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

LVL 34

Expert Comment

ID: 16448766
I note in passing that sudo v1.6.7p5 is rather old. There are a number of known security issues with it (including one that I think will invalidate your attempt to prevent the BEA user from using su with the "!SU" entry in sudoers). Latest is v1.6.8p11, I believe.

Yes, I would think that if you'd switched your user context to the BEA user, that file (AGI44) ownership would default to the BEA user ID. Are you sure the directory in which the file is being created is not flagged STICKY?

Also, what are the ownerships of the "cmmenu" executables, and are any of them SUID or SGID?

Author Comment

ID: 16508055

     I figured out the issue, I believe regardless of the user your are trying to runned the command, it will still create a file ( depends if the command is programmed to do so.) as UID and GID of root.

Thanks for all your help.


Accepted Solution

GranMod earned 0 total points
ID: 16706309
PAQed with points refunded (125)

Community Support Moderator

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question