Solved

Need help with setting up user sudo permissions

Posted on 2010-11-16
Last Modified: 2013-12-16
I have two CentOS boxes, a dev and a QA, that need to have the same access for a group of users. Both boxes are on NIS and both boxes have the same sudoers file to allow users to run sudosh as a different "application user". One box is working for one user ID but the other box is not. They get this error:
 [devboxwps029]/ap/d/bwpsj
>sudo -u didxml sudosh
[sudo] password for josha29:
Sorry, user  josha29 is not allowed to execute '/usr/bin/sudosh' as didxml on devboxwps029.
[devboxwps029]/ap/d/bwpsj

Here is the sudoers file:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

# User_Alias      ROOT=tjy3f09,sundeep017,eital06, josha29
User_Alias      JR=tjy3f09
User_Alias      DEV=xxx444,xxx412, feind77, wangxl07, tyle29, ijackAX,nancy003, edison407,  josha29

Runas_Alias     AP_ACCOUNTS=didvr, didxml, didtool, didbg

Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

JR      ALL=SUDOSH,(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(didtool)SUDOSH
DEV     ALL=(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(AP_ACCOUNTS)SUDOSH,(didtool)SUDOSH

The other QA box has a sudoers file that looks the same except the application names have a q in front of them instead of a d: qidxml instead of didxml. On this box they have no problems running as qidxml.

Any ideas on what could be keeping this person from executing as didxml?
Question by: Thaidog
6 Comments
 
Expert Comment by: ckiral, ID: 34149919
You allowed only /usr/local/bin/sudosh, but apparently it is in /usr/bin on that server...

 Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

 
Expert Comment by: arnold, ID: 34149988
Check the nsswitch.conf, in particular the group entry, and make sure that both have "files nis".

Also check each system's /etc/group file to make sure that they are identical.

You also need to check whether there is a local user for the NIS user that is having issues, since the local one will take precedence over NIS.
I.e. you have user1 in both NIS and local on one of the boxes, using the same password.
When user1 logs into this system, "passwd: files nis" will mean the local user1 is how sudo will treat a sudo request. Since the local user1 is not a member of the NIS-defined group, sudo access will be denied.
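The check arnold describes (which source wins for a user under the nsswitch.conf order, and whether a local account is hiding the NIS one) can be scripted. The script below is an added example, not code from the thread. It reads the lookup order for a database from an nsswitch.conf, then, given a local file and a dump of the matching NIS map (on a real host, /etc/passwd or /etc/group and the output of ypcat passwd or ypcat group), reports which source supplies a user's entry, whether the user exists in both, and which groups each source would grant. Every file it writes, and the names, uids and gids in them, are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): which source wins for a user under the
# nsswitch.conf lookup order? With "passwd: files nis", a local account with
# the same name hides the NIS one, and sudo sees the local uid and groups.
# Every file written by make_samples is a constructed sample.

# nsswitch_order NSSWITCH DB: print the sources listed for DB ("passwd",
# "group", ...) in lookup order, skipping [STATUS=action] tokens.
nsswitch_order() {
    awk -v db="$2" '$1 == (db ":") {
        for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i
    }' "$1"
}

# winning_entry NSSWITCH DB USER LOCALDB NISDB: print "SOURCE ENTRY" for the
# first source in lookup order that has USER, or exit 1. LOCALDB stands in
# for /etc/passwd or /etc/group, NISDB for the output of ypcat passwd/group.
winning_entry() {
    for src in $(nsswitch_order "$1" "$2"); do
        case "$src" in
            files) src_file=$4 ;;
            nis)   src_file=$5 ;;
            *)     continue ;;
        esac
        if entry=$(grep -- "^$3:" "$src_file"); then
            printf '%s %s\n' "$src" "$entry"
            return 0
        fi
    done
    return 1
}

# shadowed USER LOCALDB NISDB: exit 0 if USER is defined in both sources.
shadowed() {
    grep -q -- "^$1:" "$2" && grep -q -- "^$1:" "$3"
}

# member_of GROUPDB USER: print the groups in GROUPDB whose member list
# (the fourth field, group:x:gid:a,b,c) contains USER.
member_of() {
    awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$1"
}

# make_samples: write constructed nsswitch.conf, passwd and group files for
# a user1 that exists both locally and in NIS; print the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd:     files nis\ngroup:      files nis\nhosts:      files dns\n' > "$d/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\nuser1:x:1001:1001::/home/user1:/bin/bash\n' > "$d/passwd.local"
    printf 'user1:x:5023:500::/ap/d/user1:/bin/ksh\nappuser:x:5100:500::/ap/d/appuser:/bin/ksh\n' > "$d/passwd.nis"
    printf 'wheel:x:10:root\nusers:x:100:\n' > "$d/group.local"
    printf 'appdev:x:500:user1,appuser\n' > "$d/group.nis"
    echo "$d"
}

# report DIR USER: show the winning passwd entry and the group memberships
# each source would grant, so a local/NIS mismatch is visible at a glance.
report() {
    winning_entry "$1/nsswitch.conf" passwd "$2" "$1/passwd.local" "$1/passwd.nis"
    if shadowed "$2" "$1/passwd.local" "$1/passwd.nis"; then
        echo "$2 exists in both files and NIS; the first source above wins"
    fi
    echo "local groups: $(member_of "$1/group.local" "$2" | tr '\n' ' ')"
    echo "NIS groups:   $(member_of "$1/group.nis" "$2" | tr '\n' ' ')"
}

# Usage: report "$(make_samples)" user1
```

On the real boxes the same comparison is `getent passwd user1` (what NSS actually resolves, so the shadowing local entry) against `ypmatch user1 passwd` (the NIS entry), and `id user1` for the groups that result; if the two entries differ, the local one is what sudo evaluates.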
 
Accepted Solution by: ckiral (earned 2000 total points), ID: 34150092
Changing the 27th line of the server's sudoers file accordingly will solve the problem:
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh, /usr/bin/sudosh

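ckiral's diagnosis (sudo matches the fully qualified path of the requested command against the Cmnd_Alias, so an alias naming /usr/local/bin/sudosh does not cover /usr/bin/sudosh) and the accepted fix can both be checked mechanically. The script below is an added example, not code from the thread: it parses a sudoers file for the members of a Cmnd_Alias, joining backslash-continued lines first, and reports whether the sudosh that is first in PATH on the current host is one of them. The sudoers fragments it embeds are constructed samples that mirror the question's alias before and after the fix.

```shell
#!/bin/sh
# Added example (not from the thread): does the Cmnd_Alias SUDOSH cover the
# sudosh that sudo will actually run on this host? sudo matches the fully
# qualified path of the command, so an alias naming /usr/local/bin/sudosh
# does not cover /usr/bin/sudosh. Sudoers text below is a constructed sample.

# resolve_cmd NAME: absolute path NAME resolves to in $PATH, i.e. the path
# sudo compares against sudoers when a user types "sudo -u didxml sudosh".
resolve_cmd() {
    command -v "$1" 2>/dev/null
}

# cmnd_alias_paths ALIAS: read sudoers on stdin, print the members of
# Cmnd_Alias ALIAS one per line. Backslash-continued lines are joined first.
cmnd_alias_paths() {
    awk -v alias="$1" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        line ~ ("^[ \t]*Cmnd_Alias[ \t]+" alias "[ \t]*=") {
            sub(/^[ \t]*Cmnd_Alias[ \t]+[^=]*=[ \t]*/, "", line)
            n = split(line, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# alias_allows ALIAS PATH: read sudoers on stdin; exit 0 if PATH is a member.
alias_allows() {
    cmnd_alias_paths "$1" | grep -qx -- "$2"
}

# check_host ALIAS NAME: report whether the NAME first in PATH on this host
# is covered by ALIAS in the sudoers text on stdin. Exit 1 if it is not.
check_host() {
    path=$(resolve_cmd "$2") || { echo "$2: not found in PATH"; return 2; }
    if alias_allows "$1" "$path"; then
        echo "$path: allowed by Cmnd_Alias $1"
    else
        echo "$path: NOT in Cmnd_Alias $1 (sudo will refuse it)"
        return 1
    fi
}

# Constructed fragment mirroring the question: only the /usr/local path,
# plus a continued Defaults line to show the joining is harmless.
sudoers_before() {
    cat <<'EOF'
Defaults    env_keep = "COLORS DISPLAY HOSTNAME \
                        LANG LC_ALL"
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh
EOF
}

# The accepted fix: both install paths listed in the alias.
sudoers_after() {
    cat <<'EOF'
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh, /usr/bin/sudosh
EOF
}

# Usage on a real host (as root): check_host SUDOSH sudosh < /etc/sudoers
```

On the affected box the same facts come from `command -v sudosh` (the path sudo will see) and `sudo -l` run as the affected user (the commands sudoers grants); after editing, `visudo -c` checks the file parses. One caveat on the fix itself: listing two paths in the alias means both files are now trusted to run as the application users, so each must exist, be root-owned and not be writable by group or others; if only one is a real install, the tidier fix is a single alias entry pointing at that path.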
 
Author Comment by: Thaidog, ID: 34169882
ckiral's answers appear to have worked... I will find out from the users soon and award points asap if so.
 
Author Comment by: Thaidog, ID: 34174534
Well, the user can use the command, but the command on the box that does not have the modified sudosh path is working differently than the one that has the /usr/bin path.

When the user uses sudo -u dhdxml sudosh on the old box, the command drops them into the didxml folder:

/ap/d/idxml

But it does not do that on the system we changed the path on... it just puts them in /ap/d/bwpsj, which is the user's home folder. /ap/d/didxml is the didxml home folder.

 
Expert Comment by: ckiral, ID: 34179444
I think we should see the contents of the sudosh file to make a comment.
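When one command name resolves to two different files and they behave differently, the first thing to establish is whether they are the same program at all. The script below is an added example, not from the thread and not the contents of any real sudosh: it classifies a file as an ELF binary, a script or something else from its first bytes, compares two files byte for byte, prints mode and owner, and flags a file that is writable by group or others, which matters for anything sudo is allowed to run as another user. The files it creates, including the wrapper script and the path /opt/sudosh/bin/sudosh inside it, are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): compare two installed copies of a
# command, e.g. /usr/local/bin/sudosh and /usr/bin/sudosh, before deciding
# which one the Cmnd_Alias should trust. make_samples writes constructed
# files; none of this is the real sudosh.

# file_kind PATH: "elf", "script" or "other", from the first four bytes.
file_kind() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        7f454c46*) echo elf ;;     # \177ELF
        2321*)     echo script ;;  # "#!"
        *)         echo other ;;
    esac
}

# same_program A B: exit 0 if the two files are byte-identical.
same_program() {
    cmp -s "$1" "$2"
}

# group_or_world_writable PATH: exit 0 if the group or other write bit is
# set in the ls -l mode string (positions 6 and 9).
group_or_world_writable() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# describe_cmd PATH: one line of kind/mode/owner, the shebang for a script,
# and a warning if the file is writable by group or others.
describe_cmd() {
    kind=$(file_kind "$1")
    ls -ld "$1" | awk -v k="$kind" -v p="$1" \
        '{ printf "%s: %s, mode %s, owner %s\n", p, k, $1, $3 }'
    [ "$kind" = script ] && head -n 1 "$1"
    if group_or_world_writable "$1"; then
        echo "$1: WARNING: group- or world-writable"
    fi
}

# compare_cmds A B: describe both and say whether they are the same file.
compare_cmds() {
    describe_cmd "$1"
    describe_cmd "$2"
    if same_program "$1" "$2"; then
        echo "identical: the two paths run the same program"
    else
        echo "different: expect different behaviour; read the script or compare versions"
    fi
}

# make_samples: constructed files standing in for two sudosh installs:
# a fake ELF header, a copy of it, a wrapper script and a plain text file.
make_samples() {
    d=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$d/sudosh.elf"
    cp "$d/sudosh.elf" "$d/sudosh.elf.copy"
    printf '#!/bin/sh\n# constructed wrapper, not the real sudosh\nexec /opt/sudosh/bin/sudosh "$@"\n' > "$d/sudosh.wrapper"
    printf 'not a program\n' > "$d/notes.txt"
    chmod 0755 "$d/sudosh.elf" "$d/sudosh.elf.copy" "$d/sudosh.wrapper"
    echo "$d"
}

# Usage: d=$(make_samples); compare_cmds "$d/sudosh.elf" "$d/sudosh.wrapper"
```

If one of the two turns out to be a wrapper script, its contents explain the difference directly; if both are binaries, compare their versions or packages. Either way, a path that sudo runs as another user should be root-owned and not group- or world-writable, or anyone who can write it gets the same privileges.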