Running a command as a different user using sudo

Hello, I am using sudo to grant a user the ability to execute another user's script as that user. This is my sudoers file:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification
#Host_Alias     SUN = sunapp15

# User alias specification
User_Alias     BEA_USERS = qa

# Cmnd alias specification
Cmnd_Alias      CMMENU = \
                        /wrkbrain/bea/staging/menu/, \
                        /wrkbrain/bea/staging/cmmenu/, \
                        /wrkbrain/bea/staging/bin/, \
                        /wrkbrain/bea/staging/

Cmnd_Alias      SU = /usr/bin/su


#
Defaults                logfile=/var/adm/sudo.log
#Defaults:qa             logfile=/usr/local/log/sudo.bea, runas_default=bea

# Runas alias specification
Runas_Alias    BEA = bea

# User privilege specification
#root   ALL=(ALL) ALL

#qaadmin        ALL = (BEA)     NOPASSWD: CMMENU
BEA_USERS     ALL = (BEA)             NOPASSWD: CMMENU, !SU

Two things: first, the NOPASSWD option doesn't work properly. Second, when running a specific script, the log file ownership is root root. Doesn't it have to be owned by the Runas_Alias user? If not, is there a way to do that?

Thanks,

Agi.

P.S. This is running on Solaris V.9.
Asked by agi_david
 
GranMod commented:
PAQed with points refunded (125)

GranMod
Community Support Moderator
0
 
agi_david (author) commented:
Sorry about the grammar. The last portion is supposed to be the following:
Two things: first, the NOPASSWD option doesn't work properly. Second, when running a specific script, the log file that it creates is owned by root root. Doesn't it have to be owned by the Runas_Alias user? If not, is there a way to do that?

Thanks,

Agi


0
 
PsiCop commented:
What VERSION of sudo?

The target program does NOT have to be owned by the Runas_Alias user (or group). But it must be EXECUTABLE by that user or group. If it's owned by root:root and the mode includes world-executable, that's fine.
0
 
agi_david (author) commented:
The version is Sudo version 1.6.7p5. Basically, I am user qa running a bea script. This script creates a log file. Now the ownership of this new file is
-rw-r--r--   1 root     root           0 Apr 12 14:34 AGI44
If I run this script as BEA user, shouldn't the AGI44 file be created with the BEA ownership?

Thanks,

Agi
0
 
PsiCop commented:
I note in passing that sudo v1.6.7p5 is rather old. There are a number of known security issues with it (including one that I think will invalidate your attempt to prevent the BEA user from using su with the "!SU" entry in sudoers). Latest is v1.6.8p11, I believe.

Yes, I would think that if you'd switched your user context to the BEA user, that file (AGI44) ownership would default to the BEA user ID. Are you sure the directory in which the file is being created is not flagged STICKY?

Also, what are the ownerships of the "cmmenu" executables, and are any of them SUID or SGID?
0
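The checks PsiCop asks about above (sticky flag on the directory, ownership of the executables, SUID/SGID bits), as an added example that is not part of the original thread. It reads everything from `ls -ld` so it works without `stat`; the function names are made up for this example, and the directory to audit is passed as the first argument.

```sh
#!/bin/sh
# Added example: report ownership and special mode bits for a directory
# and the regular files directly inside it.

# mode_flags PATH -> prints "suid", "sgid", "sticky" (space separated) or "none"
mode_flags() {
    # First field of `ls -ld` is the mode string, e.g. -rwsr-xr-x or drwxrwxrwt
    mode=$(ls -ld "$1" | awk '{print $1}')
    flags=""
    # Character 4 is the owner-execute slot: s/S means set-user-ID
    case $(printf '%s' "$mode" | cut -c4) in s|S) flags="$flags suid" ;; esac
    # Character 7 is the group-execute slot: s/S means set-group-ID
    case $(printf '%s' "$mode" | cut -c7) in s|S) flags="$flags sgid" ;; esac
    # Character 10 is the other-execute slot: t/T means sticky
    case $(printf '%s' "$mode" | cut -c10) in t|T) flags="$flags sticky" ;; esac
    [ -n "$flags" ] || flags=" none"
    printf '%s\n' "${flags# }"
}

# owner_of PATH -> prints "user:group" as shown by ls
owner_of() {
    ls -ld "$1" | awk '{print $3 ":" $4}'
}

# audit_dir DIR -> one line for DIR itself, then one per regular file in it
audit_dir() {
    printf '%s owner=%s flags=%s\n' "$1" "$(owner_of "$1")" "$(mode_flags "$1")"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s owner=%s flags=%s\n' "$f" "$(owner_of "$f")" "$(mode_flags "$f")"
    done
}

# Run against a directory given on the command line, if any
if [ $# -gt 0 ]; then
    audit_dir "$1"
fi
```

Running `id` from inside the script that is started through sudo shows which UID and GID it actually runs with, which is what decides the ownership of the files it creates.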
 
agi_david (author) commented:
Hello,

I figured out the issue. I believe regardless of the user you are trying to run the command as, it will still create a file (depending on whether the command is programmed to do so) with the UID and GID of root.


Thanks for all your help.

Agi
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.