Running a command as a different user using sudo

Posted on 2006-04-12
Last Modified: 2008-03-04
Hello, I am using sudo to allow a user to execute another user's script as that user. This is my sudoers file:
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.

# Host alias specification
#Host_Alias     SUN = sunapp15

# User alias specification
User_Alias     BEA_USERS = qa

# Cmnd alias specification
Cmnd_Alias      CMMENU = \
                        /wrkbrain/bea/staging/menu/, \
                        /wrkbrain/bea/staging/cmmenu/, \
                        /wrkbrain/bea/staging/bin/, \

Cmnd_Alias      SU = /usr/bin/su

Defaults                logfile=/var/adm/sudo.log
#Defaults:qa             logfile=/usr/local/log/sudo.bea, runas_default=bea

# Runas alias specification
Runas_Alias    BEA = bea

# User privilege specification
#root   ALL=(ALL) ALL

#qaadmin        ALL = (BEA)     NOPASSWD: CMMENU

Two things: first, the NOPASSWD option doesn't work properly. Second, when running a specific script, the log file ownership is root root. Doesn't it have to be owned by the Runas_Alias user? If not, is there a way to do that?

P.S. This is running on Solaris V.9
Question by:agi_david

    Author Comment

    Sorry about the grammar. The last portion is supposed to be as follows.
    Two things: first, the NOPASSWD option doesn't work properly. Second, when running a specific script, the log file that it creates is owned by root root. Doesn't it have to be owned by the Runas_Alias user? If not, is there a way to do that?



    Expert Comment

    What VERSION of sudo?

    The target program does NOT have to be owned by the Runas_Alias user (or group). But it must be EXECUTABLE by that user or group. If it's owned by root:root and the mode includes world-executable, that's fine.

    Author Comment

    The version is Sudo version 1.6.7p5. Basically, I am user qa running a bea script. This script creates a log file. Now the ownership of this new file is
    -rw-r--r--   1 root     root           0 Apr 12 14:34 AGI44.  If I run this script as the BEA user, shouldn't the AGI44 file be created with BEA ownership?


    Expert Comment

    I note in passing that sudo v1.6.7p5 is rather old. There are a number of known security issues with it (including one that I think will invalidate your attempt to prevent the BEA user from using su with the "!SU" entry in sudoers). Latest is v1.6.8p11, I believe.

    Yes, I would think that if you'd switched your user context to the BEA user, that file (AGI44) ownership would default to the BEA user ID. Are you sure the directory in which the file is being created is not flagged STICKY?

    Also, what are the ownerships of the "cmmenu" executables, and are any of them SUID or SGID?

    Author Comment


    I figured out the issue. I believe that regardless of the user you are trying to run the command as, it will still create a file (depending on whether the command is programmed to do so) with the UID and GID of root.

    Thanks for all your help.


    Accepted Solution

    PAQed with points refunded (125)

    Community Support Moderator
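
An added example, not part of the thread: a Python check that reports which sudoers entries are actually in force, run over the entries posted in the question. `audit_sudoers` is a hypothetical helper, and the sample text is constructed from the posted file with its plain comment lines trimmed.

```python
import re

# Constructed sample: the sudoers entries from the question, plain comments trimmed.
SUDOERS = r"""
#Host_Alias     SUN = sunapp15
User_Alias     BEA_USERS = qa
Cmnd_Alias      CMMENU = \
                        /wrkbrain/bea/staging/menu/, \
                        /wrkbrain/bea/staging/cmmenu/, \
                        /wrkbrain/bea/staging/bin/, \

Cmnd_Alias      SU = /usr/bin/su
Defaults                logfile=/var/adm/sudo.log
#Defaults:qa             logfile=/usr/local/log/sudo.bea, runas_default=bea
Runas_Alias    BEA = bea
#root   ALL=(ALL) ALL
#qaadmin        ALL = (BEA)     NOPASSWD: CMMENU
"""

ALIAS = re.compile(r"^(\w+_Alias)\s+(\w+)\s*=\s*(.*)$")
RULE = re.compile(r"^(\w+)\s+(\w+)\s*=\s*(.+)$")  # user  host = spec

def audit_sudoers(text):
    """Hypothetical helper: list what a sudoers text actually puts in force.
    Assumption: every line starting with '#' is a comment (no #include, no #uid)."""
    report = {"aliases": {}, "dangling": [], "active": [], "disabled": []}
    joined = re.sub(r"\\\n", " ", text)  # trailing backslash continues the line
    for raw in joined.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        alias = ALIAS.match(body)
        if alias:
            if not commented:
                report["aliases"][alias.group(2)] = alias.group(1)
                if alias.group(3).rstrip().endswith(","):
                    report["dangling"].append(alias.group(2))  # list ends in ','
        elif RULE.match(body) and not body.startswith("Defaults"):
            report["disabled" if commented else "active"].append(body)
    # An alias that no active rule mentions has no effect on what sudo allows.
    report["unused"] = [name for name in report["aliases"]
                        if not any(re.search(rf"\b{name}\b", rule)
                                   for rule in report["active"])]
    return report

if __name__ == "__main__":
    for key, value in audit_sudoers(SUDOERS).items():
        print(f"{key}: {value}")
```

On the posted entries it reports no active user specification, both rule lines commented out, and the CMMENU list ending in a comma; `visudo -c` remains the authoritative syntax check.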
